
Iris Detect User Guide

Introduction

Iris Detect is an Internet infrastructure detection, monitoring, and enforcement tool. It rapidly discovers malicious domains that are engaged in brand impersonation, risk-scores them within minutes, and supports your automation of detection, escalation, and enforcement actions. Read more about Iris Detect and the Iris Platform at https://www.domaintools.com/products/platform/iris-detect/.

Use the Iris Detect web interface to create, edit, and observe monitors. Iris Detect updates monitors in near real-time with lists of domains based on your search terms and fuzzy matching techniques. For each monitor, the web interface provides a range of information for each domain, such as its Domain Risk Score, DNS, WHOIS/RDAP, and web-related data.

Use the Iris Detect API to search and filter within all or individual monitors, and to watchlist or escalate domains (see the API Reference). Test your API queries with the OpenAPI Specification at https://app.swaggerhub.com/apis-docs/DomainToolsLLC/DomainTools_APIs/1.1. Use the API to automate detection, escalation, and enforcement.

Getting Started

Prerequisites

Log in at:

https://iris.domaintools.com/detect

Iris Detect requires the following:

  • An Enterprise Account with DomainTools, which is accessible at https://account.domaintools.com/my-account/
  • Provisioned access for Iris Detect
  • The ability to interact with the web interface and, if required, the REST API

Contact enterprisesupport@domaintools.com for assistance.

User Access Roles

Your organization's administrators provision users with the following access tiers:

User Role | Additional Information
Viewer | Read access
Manage Iris Detect Monitors | Create, edit, and delete Iris Detect monitors
Add to Watchlist and Ignore domains | Add domains to the Watched list and mark domains as ignored
Escalate domains | Escalate and ignore domains; requires "Add to Watchlist and Ignore domains"

Understanding Iris Detect

This section explains the core concepts and matching algorithms that power Iris Detect. Understanding these concepts helps you create effective monitors and interpret results.

Key Concepts

  • Monitors: Lists of domains that Iris Detect updates in near real-time based on your search terms and fuzzy matching techniques. Monitors track domains that match your specified keywords and patterns.

  • Watchlist: A collection of domains you actively monitor for infrastructure changes. When you add a domain to the watchlist, Iris Detect tracks changes to its IP address, nameservers, registrar, and other infrastructure.

  • Domain Risk Score: DomainTools' proprietary calculation that assesses the risk level of a domain based on multiple factors including registration patterns, infrastructure, and behavioral indicators. See the Risk Score User Guide to learn more.

  • Domain Groups: Iris Detect organizes domains into categories based on their status and lifecycle:

  • New: Domains newly observed in passive DNS in their current lifecycle. Iris Detect populates this list as it discovers domains in near real-time.
  • Watched: Domains you add to the monitor's watchlist. When the domain's infrastructure changes, it also appears in the Changed list.
  • Changed: Watched domains whose infrastructure changed within the Changed Domains Timeframe, which is 3 days by default. Adjust the timeframe in Settings.
  • Inactive: Watched domains that DNS has not observed in the last 10 days.
  • Previous: Domains that fit the monitor's criteria and were active before you created the monitor.
  • Escalated: Domains you escalated (flagged for blocking and/or submitted to Google Web Risk).
  • Ignored: Domains you marked as ignored.

  • Escalation: The process of flagging domains as malicious and optionally submitting them to Google Web Risk (https://cloud.google.com/security/products/web-risk?hl=en) for broader protection.

How Domain Matching Works

Iris Detect uses advanced matching algorithms to find domain variations and spoofs. Understanding these techniques helps you configure monitors effectively and interpret search results. All examples use the hypothetical monitor term domaintools.

Match Variations Setting

The Match Variations setting is a key configuration option that controls how aggressively Iris Detect searches for domain variations. Understanding when to enable this option depends on the structure of the domain you monitor:

Single-term domains: When you monitor a single-term domain (such as domaintools.com), exact substring matching works without Match Variations. For example:

  • Monitoring domaintools finds domaintools.com and hr-domaintools.com (exact substring)
  • It also finds the spoof domaintoois.com ('l' replaced with 'i') through fuzzy matching

Multi-term domains: When you monitor a multi-term domain (such as domaintoolsglobalservices.com):

  • If the monitored term is an exact substring of the multi-term domain, Iris Detect discovers it without Match Variations. For example, monitoring domaintools finds hr-domaintools.com
  • However, if the term is not an exact substring, you need to enable Match Variations to include fuzzing algorithms. For example, monitoring domaintools only finds the spoof domaintoolglobalservices.com (with character removal of 's') when you enable Match Variations

Practical example with examplecorp:

  • Without Match Variations: Matches examplecorp.com (exact substring) but not account-examp1ecorp.com (variation with "1" substitution)
  • With Match Variations: Matches both examplecorp.com and account-examp1ecorp.com (variation is a substring)

Match Variations is not recommended for terms of 6 characters or less, as it can create many false positives.

Matching Algorithm Types

Iris Detect applies different matching algorithms based on your search terms and configuration:

Exact Matching

Exact matching is the most basic matching and Iris Detect applies it to all terms. It finds:

  • domaintools.cn
  • account-domaintools.com

Full Domain Matches

Full domain matches perform exact matching across the entire domain name with the label separators (dots) ignored, so a term that straddles the second-level label and the TLD still matches. Iris Detect applies this to all terms. Examples include:

  • account-domain.tools
  • account-domain.tools.com

Fuzzy Matching

Iris Detect applies fuzzy matching to terms of length 5 and greater. Fuzzy matching differs from variation matching: it catches close matches that the variation generators do not otherwise produce, when the domain portion (the second-level label, for example domaintools in domaintools.com) differs from the term by a single character. Examples include:

  • domain2ools.com
  • domainetools.com

Internationalized Domain Name Matching

Internationalized Domain Name matching finds domains in which a Unicode (non-ASCII) variant of the term appears, either as the whole second-level label or as a substring of it. Iris Detect applies this to all terms. Examples include:

  • domåintools.com
  • account-domåintools.com

Variation Matching

Iris Detect applies variation exact matches to terms length 4 and greater. It creates specific variations of the term based on algorithms including:

  • Affixes: Append country code TLDs, gTLDs, and common phishing affixes
  • Character Flips: Identify terms with bits/characters flipped to other keyboard characters
  • Character Swaps: Identify terms with swapped adjacent characters
  • Character Substitutions: Substitute ascii and/or unicode lookalike characters (leetspeak)
  • Duplicate Character Reductions: Replace consecutive duplicate characters with a single character
  • Duplicate Characters: Identify duplicate characters
  • Homoglyphs: Identify domains registered using international character sets
  • Homophones: Use common misspellings for words that sound similar
  • Hyphen Addition/Removals: Add a single hyphen or remove existing hyphens
  • Miskeyed Replacements/Additions: Swap characters with nearby keyboard characters
  • Prefix + Suffix combinations: Append and prepend common prefix and suffix combinations
  • Prefixes: Add common prefixes to your term
  • Single Character Removals: Remove a single character
  • Substrings: Return results that have the term as a substring of the domain
  • Suffixes: Affix common domain suffixes to your term

For detailed examples of each algorithm type, see the Reference: Matching Algorithm Details section.

Variation Substring Matches

Variation substring matches is a configurable option (you enable it via the Match Variations setting). It matches the variations that the above algorithms create as substrings that appear within domain names. For shorter terms, this can generate a large number of false positives.

When you monitor single-term domains like domaintools.com:

  • Without Match Variations: Iris Detect finds exact substrings like hr-domaintools.com
  • With Match Variations: Iris Detect also finds variation substrings like hr-domaintoois.com ('l' replaced with 'i') or domaintools-secure.com

When you monitor multi-term domains like domaintoolsglobalservices.com:

  • Without Match Variations: Iris Detect finds domains where your term is an exact substring (e.g., hr-domaintools.com)
  • With Match Variations: Iris Detect also finds domains where variations of your term appear as substrings in multi-term combinations (e.g., domaintoolglobalservices.com with character removal of 's')

Creating and Managing Monitors

This section guides you through creating, configuring, and managing monitors to track domains of interest.

The Dashboard Overview

The Iris Detect web interface opens to the Dashboard. The Dashboard lets you use the Search tool to perform a search and/or create a new monitor. It displays the monitor list, as well as links to domains with New, Changed, or Watched status.

From the Dashboard, select buttons on the navigation panel to view all domains in each category. Counts for the individual monitor's main 3 lists are also available. To navigate to a Monitor's Dashboard, click on an individual monitor.

Creating a Monitor

Only users with the Manage Iris Detect Monitors role (see User Access Roles) can add and edit monitors.

To create a monitor:

  1. Enter the keyword to monitor, such as a portion of its name, in the search bar
  2. Iris Detect loads the Search and Evaluate page
  3. Select the Refine Results button to see options for enhancing the monitor's effectiveness

Configuring Match Variations

When you enable Match Variations, the monitor includes domains where variations of the term are substrings within matched domains. See How Domain Matching Works for detailed guidance on when to use this setting.

The search results update to show how your refinements impact the results.

Adding Exclusions

Text Exclusions let you remove domains from the results that have a specific string within the domain name. For example, the monitor term election includes domains containing the word selection. Adding selection as an exclusion excludes domains with this string. Using text exclusions can reduce false positives in the results.

Name Server Exclusions remove a domain from the results only when all of the domain's name servers match an exclusion; a domain with one excluded name server and one other name server stays in the results. Use them to drop trusted infrastructure, such as your own, from the results. Wildcards (*) are accepted: for example, *.domaintools.com matches ns1.domaintools.com and ns2.domaintools.com.
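The two exclusion rules above, as an added example that is not DomainTools code: a text exclusion drops any domain whose name contains the string, while a name server exclusion drops a domain only when every one of its name servers matches an excluded pattern. The result set below is constructed for the monitor term election, and the wildcard handling uses Python's fnmatch (an assumption; the product's own matcher is not documented here).

```python
# Added example, not DomainTools code: applying text and name server exclusions to a
# constructed result set. Name server patterns accept * wildcards; note that fnmatch's *
# also matches across dots, so *.domaintools.com matches ns1.a.domaintools.com too.
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional, Sequence, Tuple


def _ns_excluded(nameserver: str, patterns: Sequence[str]) -> bool:
    ns = nameserver.lower().rstrip(".")
    return any(fnmatchcase(ns, p.lower().rstrip(".")) for p in patterns)


def exclusion_reason(domain: str, nameservers: Sequence[str],
                     text_exclusions: Sequence[str] = (),
                     ns_exclusions: Sequence[str] = ()) -> Optional[str]:
    """Why the domain leaves the results, or None if it stays."""
    d = domain.lower()
    for s in text_exclusions:
        if s.lower() in d:
            return "text:" + s
    # All name servers must be excluded. A domain with one trusted and one unknown
    # name server stays, as does a domain with no observed name servers at all.
    if nameservers and ns_exclusions and all(_ns_excluded(ns, ns_exclusions) for ns in nameservers):
        return "nameservers"
    return None


def apply_exclusions(results: Iterable[Tuple[str, Sequence[str]]],
                     text_exclusions: Sequence[str] = (),
                     ns_exclusions: Sequence[str] = ()) -> List[str]:
    """results: (domain, name servers) pairs. Returns the domains that survive."""
    return [d for d, ns in results
            if exclusion_reason(d, ns, text_exclusions, ns_exclusions) is None]


# Constructed sample for the monitor term "election" (not real Iris Detect output)
SAMPLE_RESULTS = [
    ("election-update.com", ["ns1.example-host.net", "ns2.example-host.net"]),
    ("bestselection.com", ["ns1.example-host.net"]),
    ("election2026.org", ["ns1.domaintools.com", "ns2.domaintools.com"]),
    ("vote-election.net", ["ns1.domaintools.com", "ns9.other-dns.net"]),
]

if __name__ == "__main__":
    print(apply_exclusions(SAMPLE_RESULTS, ["selection"], ["*.domaintools.com"]))
```

vote-election.net survives because only one of its two name servers is on the trusted pattern, which is exactly the case where excluding by name server is safe: an attacker who points a spoof at one of your name servers and one of their own does not drop out of your results.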

Saving the Monitor

Select the Add Monitor button to save your monitor to your organization's dashboard, where it will be accessible to all other users in your organization.

Editing Monitors

To edit a monitor, select the Overflow Menu (three vertical dots) on the right side of the Monitor's row. Select Edit to load the monitor's search criteria, and save.

Understanding Monitor Results

After creating a monitor, Iris Detect organizes matching domains into groups based on their status. Using the Iris Detect API, you can return domains from specific lists as needed.

See the Key Concepts section for descriptions of each domain category (New, Watched, Changed, Inactive, Previous, Escalated, Ignored).

Working with Domains

This section describes how to view domain information, take actions on domains, and analyze results.

Viewing Domain Information

Select a Monitor in the Dashboard to view detailed information about domains matching your monitor criteria.

Domain List Information

Iris Detect displays the following domain information for each listed domain:

Domain Information category | Description
TLD (Top-Level Domain) | The top-level domain, or domain suffix.
Domain Risk Score | DomainTools' proprietary risk calculation. See the Iris Investigate User Guide to learn more.
First Seen / Lifecycle First Seen | The date and time that DomainTools first observed the current lifecycle of the domain in DNS. This may differ from the create date if the domain went through a period of inactivity before becoming active again.
IP Address | The Internet Protocol address(es) associated with the domain.
Registrar | The domain name registrar that maintains the domain's current registration cycle.
Name Server(s) | Name servers associated with the domain.
Mail Server(s) | Mail servers associated with the domain.

Domain Card View

Select a domain to open it in a card view with additional information:

Domain Info Panel | Description
Phishing | The predicted likelihood, determined with machine learning, that the domain was registered with malicious, phishing-related intent. See the Risk Score User Guide to learn more.
Malware | The predicted likelihood, determined with machine learning, that the domain was registered with malicious, malware-related intent. See the Risk Score User Guide to learn more.
Spam | The predicted likelihood, determined with machine learning, that the domain was registered with malicious, spam-related intent. See the Risk Score User Guide to learn more.
Proximity | See the Risk Score User Guide to learn more.
Screenshot (most recent) | The most recent screenshot of the web page associated with the domain. Hover on the screenshot to display the date and time of capture.
Subdomains | A live and non-persistent list of subdomains, if any, observed with passive DNS. Not returned with Detect API queries.
Domain Change History | A sequential list of changes made to the domain's infrastructure, organized by data point. Tracked data points include: registrant emails, IP address, name server, screenshot, and other WHOIS/RDAP data. Not available via the Iris Detect API.

Taking Action on Domains

This section describes the actions you can perform on domains in your monitors.

Add to Watchlist

Once you add a domain to the monitor's watchlist, DomainTools tracks the domain for infrastructure changes: hosting IP, MX (mail) records, NS (name server) records, registrar, registrant email, create date, and screenshot. If there are any changes, the domain also appears in the Changed Domains list.

To add a domain to the watchlist:

  1. Hover over the domain row to display action icons on the right side
  2. Select the star icon to add the domain to your organization's shared watchlist

Access the watchlist for individual monitors or all monitors in both the web interface and the API. See the Exporting Domain Data section for more information on bulk updates.

Daily Screenshot Capture

For domains on your watchlist, Iris Detect automatically captures daily screenshots of the website to help you monitor for changes and identify potential weaponization of domains. This feature provides visual evidence of how monitored domains appear over time.

Screenshot capture applies to domains that meet the following criteria:

Requirement | Description
Watchlist Status | The domain must be on your organization's watchlist
Domain Activity | The domain must be active (currently resolving in DNS)
Ignore Status | The domain must not be marked as ignored

Iris Detect captures screenshots once per day for each unique domain. If the same domain appears on watchlists for multiple monitors or customers, the system captures only one screenshot per day to optimize resources.

View the most recent screenshot in the domain card view, where you can hover over the screenshot to see the capture date and time. Access historical screenshots through the Domain Change History to track visual changes over time.

Escalate Domains

Hover over the domain row to display action icons on the right side. Select the lightning icon and choose to either:

  • Block: When you select Block, Iris Detect flags that domain for blocking. Then, if you choose to use the Detect API, you can programmatically make decisions on domains with the value block for the tag attribute.
  • Google Web Risk: Submit to the Google Web Risk team for them to perform their own review of the domain. If Google deems the domain to be malicious, Chrome blocks it. Safari and Firefox also take actions to block the domain in accordance with Google's decision.
  • All: Activates both options.

Tracking Escalation Status

Track the status of your submission to Google Web Risk in the Escalations screen, accessible from the hamburger (≡) menu on the top left of the screen.

  • Pending: Google is processing the request.
  • Completed: Google added the domain to the safe browsing protection list.
  • Closed: Google did not add the domain to safe browsing; Google provides a link to their policy.

Contact your DomainTools representative or enterprisesupport@domaintools.com to learn about the number of free submissions with each pricing tier. Google prices additional submissions at their rate (at cost).

Ignore Domains

Hover over the domain row to display action icons on the right side. Mark the domain as ignored. Track ignored domains for each monitor in the Monitor Dashboard. Use the Iris Detect API to retrieve and act on ignored domains in your own infrastructure.

Exporting Domain Data

From the Monitor Dashboard, select one or more domains, and the bar populates with Export and Update menus.

Export to Iris Investigate

Select Iris Investigate to open the selected domains as a new investigation in Iris Investigate. View full domain information in Iris Investigate with this export option. A subset of this information is available from the API.

Access Iris Investigate from the DomainTools panel on the right side of the web interface.

Download Files

Select CSV or STIX 2.0 to download the file in either format.

Analyzing Domain Changes

Highlight Latest Changes

Highlighting latest changes helps you track changes over time and alerts you to new changes. To easily see which fields most recently changed, select the Latest Changes control. Iris Detect highlights the most recently changed field along with other fields that changed within 24 hours of the most recent change. This lets you quickly scan for changes in domains across your list. When you hover over a highlighted field, Iris Detect shows the date and time the field changed.

When you click on a domain in the list, the card view opens. A Latest Changes link appears at the top; select it to highlight the latest infrastructure changes for the domains. Iris Detect shows a solid blue box and right arrow for new values; a dashed blue box and left arrow for removed values; a solid blue box with left and right arrows for new screenshots.

For a more detailed history of infrastructure changes, visit the History tab in the card view.
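The highlighting rule above (the most recently changed field plus every field that changed within 24 hours of it) and the Changed Domains Timeframe from Key Concepts, reproduced over a constructed change history as an added example. This is not DomainTools code; the field names and timestamps are invented, and the real product works from its own stored history rather than from a list like this.

```python
# Added example, not DomainTools code: Latest Changes highlighting and the Changed Domains
# Timeframe applied to a constructed change history for one watched domain.
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Tuple

# Constructed history: (field, time of change) pairs, oldest first, all UTC.
SAMPLE_HISTORY: List[Tuple[str, datetime]] = [
    ("ip_address", datetime(2024, 3, 1, 9, 0)),
    ("name_servers", datetime(2024, 3, 3, 8, 30)),
    ("registrar", datetime(2024, 3, 4, 7, 45)),
    ("screenshot", datetime(2024, 3, 4, 12, 0)),
    ("ip_address", datetime(2024, 3, 4, 15, 10)),
]


def latest_change_per_field(history: Sequence[Tuple[str, datetime]]) -> Dict[str, datetime]:
    """Most recent change time for each tracked field."""
    latest: Dict[str, datetime] = {}
    for field, when in history:
        if field not in latest or when > latest[field]:
            latest[field] = when
    return latest


def highlighted_fields(history: Sequence[Tuple[str, datetime]], window_hours: int = 24) -> List[str]:
    """Fields to highlight: the most recently changed field, plus any field whose latest
    change lies within `window_hours` of it. Most recent first."""
    latest = latest_change_per_field(history)
    if not latest:
        return []
    newest = max(latest.values())
    window = timedelta(hours=window_hours)
    hits = [f for f, when in latest.items() if newest - when <= window]
    return sorted(hits, key=lambda f: latest[f], reverse=True)


def is_changed(history: Sequence[Tuple[str, datetime]], now_iso: str, timeframe_days: int = 3) -> bool:
    """True when the domain belongs in the Changed list at `now_iso` (ISO 8601, UTC),
    i.e. its most recent change falls within the Changed Domains Timeframe."""
    if not history:
        return False
    now = datetime.fromisoformat(now_iso)
    return now - max(when for _, when in history) <= timedelta(days=timeframe_days)


if __name__ == "__main__":
    print(highlighted_fields(SAMPLE_HISTORY))
    print(is_changed(SAMPLE_HISTORY, "2024-03-06T00:00:00"))
```

Only the latest change per field counts: the first ip_address change on 1 March does not keep that field highlighted on its own, but the 4 March change does, and it pulls registrar and screenshot into the highlight while name_servers (changed the day before) stays plain.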

Filtering and Sorting Domains

Filter Domains

Select the Filter Results button in the bar, and select filters on the column that appears to the left. Filter by:

  • Domain name
  • Domain ID (described in the Using the Iris Detect API section)
  • Top-Level Domains (TLDs)
  • Risk Score ranges
  • MX records presence
  • Escalations

Sort Domains

Select the Filter Results button in the bar, and navigate to the bottom of the column that appears to the left. Sort by the following categories:

  • Risk Score
  • First seen
  • Last changed

Using the Iris Detect API

This section provides a short overview of the Iris Detect API endpoints. For a complete description of the API with usage examples, see the API Reference at https://www.domaintools.com/resources/api-documentation/iris-detect/ or the OpenAPI Specification at https://app.swaggerhub.com/apis-docs/DomainToolsLLC/DomainTools_APIs.

Authentication

The Iris Detect API authenticates each request with your DomainTools API username and API key, either passed directly as request parameters or used to compute an HMAC signature of the request. See the Iris Detect API Reference at https://www.domaintools.com/resources/api-documentation/iris-detect/ for the exact parameters and the signing scheme.
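An added example of building an HMAC-signed request, written for this guide rather than taken from the DomainTools client. The scheme it implements (HMAC over api_username + timestamp + request path, keyed with the API key and sent as api_username, timestamp and signature query parameters, SHA-1 by default) is the author's reading of the DomainTools API authentication documentation, and the monitors endpoint path is an assumption; confirm both against the API Reference before relying on it.

```python
# Added example, not the DomainTools client. Signing scheme and endpoint path are
# assumptions to be checked against the Iris Detect API Reference.
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, Optional
from urllib.parse import urlencode

API_HOST = "https://api.domaintools.com"
MONITORS_PATH = "/v1/iris-detect/monitors/"   # assumed; take the real path from the API Reference


def utc_timestamp(now: Optional[datetime] = None) -> str:
    """ISO 8601 UTC timestamp with a trailing Z; this exact string is covered by the signature."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%SZ")


def sign(api_username: str, api_key: str, timestamp: str, path: str, digest: str = "sha1") -> str:
    """Hex HMAC of username + timestamp + path, keyed with the API key."""
    message = (api_username + timestamp + path).encode()
    return hmac.new(api_key.encode(), message, getattr(hashlib, digest)).hexdigest()


def signed_url(api_username: str, api_key: str, path: str, timestamp: Optional[str] = None,
               params: Optional[Dict[str, str]] = None, digest: str = "sha1") -> str:
    """Full request URL. The API key itself never appears in it, only the signature."""
    ts = timestamp or utc_timestamp()
    query = {"api_username": api_username, "timestamp": ts,
             "signature": sign(api_username, api_key, ts, path, digest)}
    query.update(params or {})
    return API_HOST + path + "?" + urlencode(query)


def verify(api_username: str, api_key: str, timestamp: str, path: str,
           signature: str, digest: str = "sha1") -> bool:
    """Constant-time comparison, as the receiving side (or a unit test) validates a signature."""
    expected = sign(api_username, api_key, timestamp, path, digest)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    print(signed_url("example-user", "example-key", MONITORS_PATH))
```

Prefer the signed form over passing the key as a query parameter: URLs end up in proxy and web server logs, and a leaked signature is bound to one path and one timestamp, whereas a leaked key is the whole credential. Keep the key in a secrets store, not in the script.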

Monitor IDs and Domain IDs

Iris Detect assigns a unique ID to each monitor and domain. Use these IDs to denote monitors or domains when you interact with the API. The API responds with full monitor and domain names. To display IDs associated with monitors and domain names, visit the general settings within the web interface and select:

Show API IDs for monitors and domains

Rate Limits

The Iris Detect API has a rate limit of 1 query per hour. Because of this, a single query across all monitors is usually more useful than querying monitors individually.

For complete details on Iris Detect API rate limits, consult the Iris API Rate Limits documentation.

Additional Resources

See the Iris Detect API Reference at https://www.domaintools.com/resources/api-documentation/iris-detect/ or the OpenAPI Specification at https://app.swaggerhub.com/apis-docs/DomainToolsLLC/DomainTools_APIs for more information.

Configuring Settings

Load the settings menu from the hamburger (≡) menu on the top left side of the web interface.

Changed Domains Timeframe

Under General, edit the Changed Domains Timeframe setting to control the scope of the domains listed as changed.

Email Alert Configuration

Under Alert Configuration, configure email updates for discovered domains. Set the frequency, level of detail, and other options like adding email recipients.

Reference: Matching Algorithm Details

This section provides detailed examples of each matching algorithm type. All examples use the hypothetical monitor term domaintools.

Variation Exact Matching Algorithms

Iris Detect applies variation exact matches to terms length 4 and greater. It creates specific variations of the term based on the following algorithms:

Affixes append country code TLDs, gTLDs, and common phishing affixes:

  • domaintoolscn
  • domaintools-account

Character Flips (bitflips) identify terms in which a single bit of a character's encoding has flipped, turning it into another keyboard character (the bitsquatting technique):

  • domaintoolq (s became q)
  • domainvools (t became v)

Character Swaps identify terms with swapped adjacent characters:

  • domiantools ( a and i characters swapped)
  • dmoaintools (o and m characters swapped)

Character Substitutions substitute ascii and/or unicode lookalike characters, i.e., leetspeak:

  • domaint00ls
  • domaintoolz

Duplicate Character Reductions replace consecutive duplicate characters with a single character in the term:

  • domaintols (duplicated o removed)

Duplicate Characters identifies duplicate characters:

  • domainttools (t duplicated)
  • dommaintools (m duplicated)

Homoglyphs identify domains registered using international character sets:

  • Ԁomainτools (d and t characters are internationalized)
  • dоmaintооls (o characters are internationalized)

Homophones use common misspellings for words that sound similar:

  • domanetools (main became mane)
  • domaintulles (tools became tulles)

Hyphen Addition and/or Removals adds a single hyphen or removes existing hyphens:

  • domain-tools
  • domaintool-s

Miskeyed Replacements/Additions swap characters with nearby keyboard characters that could be miskeyed:

  • domainrools
  • domaintrools

Prefix + Suffix combinations (i.e., circumfixes) append and prepend common prefix and suffix combinations:

  • wwwdomaintoolscom
  • www-domaintools-com

Prefixes add common prefixes to your term:

  • imagesdomaintools
  • wwwdomaintools

Single Character Removals remove a single character:

  • omaintools
  • dmaintools

Substrings (domain search) return results that have the term as a substring of the domain:

  • secureaccountdomaintoolswebsite
  • researchdomaintools

Suffixes affix common domain suffixes to your term:

  • domaintoolscom
  • domaintoolsnet

Variation Substring Match Examples

Examples of variation substring matches:

  • account-domaint00ls.com (character substitution variation with "00" is contained in the domain)
  • domantoolsisgreat.com (single character removal variation is contained in the domain)
  • secure-dommaintools.com (duplicate character variation is contained in the domain)
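The rules from How Domain Matching Works and from this reference section, modelled in one added example so the Match Variations decision can be tested on concrete domains. This is illustrative code written for this guide, not DomainTools' implementation: the real generators, tables and thresholds are proprietary, and the leetspeak, keyboard and affix tables below are constructed and deliberately short (they will not reproduce every example in the guide, such as the l-to-i substitution in domaintoois). Rule order (exact substring, full-domain, fuzzy, variation, variation substring) is the author's choice.

```python
# Added example, not DomainTools code: a compact model of exact, full-domain, fuzzy,
# variation and variation-substring matching with the Match Variations toggle.
import itertools
from typing import Dict, Iterable, Optional, Set

MIN_FUZZY_LEN = 5      # fuzzy matching applies to terms of length 5 and greater
MIN_VARIATION_LEN = 4  # variation matching applies to terms of length 4 and greater
# Constructed, abbreviated tables; the product's own are far larger.
LEET: Dict[str, str] = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "t": "7"}
NEIGHBOURS: Dict[str, str] = {"t": "ryfg", "s": "awedxz", "l": "kop", "o": "iklp", "i": "uojk"}
PREFIXES = ("www", "secure", "account", "login")
SUFFIXES = ("com", "net", "cn", "online")


def sld(domain: str) -> str:
    """Second-level label: 'hr-domaintools' for 'hr-domaintools.com'."""
    return domain.lower().rstrip(".").split(".")[0]


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def variations(term: str) -> Set[str]:
    """The variation families the guide lists, generated from an ASCII term."""
    t = term.lower()
    out: Set[str] = set()
    if len(t) < MIN_VARIATION_LEN:
        return out
    n = len(t)
    out.update(t[:i] + t[i + 1] + t[i] + t[i + 2:] for i in range(n - 1))          # character swaps
    out.update(t[:i] + t[i] + t[i:] for i in range(n))                              # duplicate characters
    out.update(t[:i] + t[i + 1:] for i in range(1, n) if t[i] == t[i - 1])          # duplicate reductions
    out.update(t[:i] + t[i + 1:] for i in range(n))                                 # single removals
    out.update(t[:i] + "-" + t[i:] for i in range(1, n))                            # hyphen additions
    out.update(t[:i] + LEET[c] + t[i + 1:] for i, c in enumerate(t) if c in LEET)   # substitutions
    out.update(t[:i] + k + t[i + 1:] for i, c in enumerate(t) for k in NEIGHBOURS.get(c, ""))  # miskeyed
    out.update(p + t for p in PREFIXES)                                             # prefixes
    out.update(t + s for s in SUFFIXES)                                             # suffixes
    out.update(p + t + s for p, s in itertools.product(PREFIXES, SUFFIXES))         # circumfixes
    return out


def match(term: str, domain: str, match_variations: bool = False) -> Optional[str]:
    """Name of the first rule that matches, or None. Variation substrings are consulted
    only when match_variations is True, which is the guide's Match Variations toggle."""
    t, d = term.lower(), domain.lower().rstrip(".")
    label = sld(d)
    if t in d:
        return "exact"
    if t in d.replace(".", ""):
        return "full_domain"
    if len(t) >= MIN_FUZZY_LEN and within_one_edit(t, label):
        return "fuzzy"
    vs = variations(t)
    if label in vs:
        return "variation"
    if match_variations and any(v in d for v in vs):
        return "variation_substring"
    return None


def triage(term: str, candidates: Iterable[str], match_variations: bool = False) -> Dict[str, str]:
    """Map each candidate domain that matches to the rule that caught it."""
    found: Dict[str, str] = {}
    for dom in candidates:
        rule = match(term, dom, match_variations)
        if rule:
            found[dom] = rule
    return found


if __name__ == "__main__":
    sample = ["hr-domaintools.com", "domain2ools.com", "domantoolsisgreat.com", "example.com"]
    print(triage("domaintools", sample))
    print(triage("domaintools", sample, match_variations=True))
```

Running the two triage calls shows the toggle's effect: domantoolsisgreat.com is caught only with Match Variations on, because the single-character removal domantools is a substring of a longer multi-term label, which neither exact nor fuzzy matching (the label differs from the term by far more than one character) can see. Shorter terms produce a much larger share of accidental substrings, which is why the guide advises against the setting for terms of 6 characters or less.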