Working with domains
This page describes how to view domain information, take actions on domains, and analyze results.
View domain information
Select a Monitor in the Dashboard to view detailed information about domains matching your monitor criteria.
Domain list information
Iris Detect displays the following domain information for each listed domain:
| Domain information category | Description |
|---|---|
| TLD (Top-Level Domain) | The top-level domain, or domain suffix. |
| Domain Risk Score | DomainTools' proprietary risk calculation. See the Iris Investigate user guide to learn more. |
| First Seen / Lifecycle First Seen | The date and time that DomainTools first observed the current life cycle of the domain in DNS. This may differ from the create date if the domain went through a period of inactivity before becoming active again. |
| IP Address | The Internet Protocol address(es) associated with the domain. |
| Registrar | The Domain Name Registrar that maintains the domain's current registration cycle. |
| Name Server(s) | Name servers associated with the domain. |
| Mail Server(s) | Mail servers associated with the domain. |
Domain card view
Select a domain to open it in a card view with additional information:
| Domain Info Panel | Description |
|---|---|
| Phishing | The predicted likelihood that a domain was registered with malicious, phishing-related intent, determined with machine learning. See the Risk Score user guide to learn more. |
| Malware | The predicted likelihood that a domain was registered with malicious, malware-related intent, determined with machine learning. See the Risk Score user guide to learn more. |
| Spam | The predicted likelihood that a domain was registered with malicious, spam-related intent, determined with machine learning. See the Risk Score user guide to learn more. |
| Proximity | See the Risk Score user guide to learn more. |
| Screenshot (most recent) | The most recent screenshot of the web page associated with the domain. Hover on the screenshot to display the date and time of capture. |
| Subdomains | A live and non-persistent list of subdomains, if any, observed with passive DNS. Not returned with Detect API queries. |
| Domain Change History | A sequential list of changes made to the domain's infrastructure, organized by data point. Tracked data points include registrant email, IP address, name server, screenshot, and other WHOIS/RDAP data. Not available via the Iris Detect API. |
Take action on domains
This section describes the actions you can perform on domains in your monitors.
Add to Watchlist
Once you add a domain to the monitor's watchlist, DomainTools tracks the domain for infrastructure changes: hosting IP, MX (mail) records, NS (name server) records, registrar, registrant email, create date, and screenshot. If there are any changes, the domain also appears in the Changed Domains list.
To add a domain to the watchlist:
- Hover over the domain row to display action icons on the right side
- Select the star icon to add the domain to your organization's shared watchlist
Access the watchlist for individual monitors or all monitors in both the web interface and the API. See the Export domain data section for more information on bulk updates.
Daily screenshot capture
For domains on your watchlist, Iris Detect automatically captures daily screenshots of the website to help you monitor for changes and identify potential weaponization of domains. This feature provides visual evidence of how monitored domains appear over time.
Screenshot capture applies to domains that meet the following criteria:
| Requirement | Description |
|---|---|
| Watchlist Status | The domain must be on the watchlist for your organization |
| Domain Activity | The domain must be active (currently resolving in DNS) |
| Ignore Status | The domain must not be marked as ignored |
Iris Detect captures screenshots once per day for each unique domain. If the same domain appears on watchlists for multiple monitors or customers, the system captures only one screenshot per day to optimize resources.
View the most recent screenshot in the domain card view, where you can hover over the screenshot to see the capture date and time. Access historical screenshots through the Domain Change History to track visual changes over time.
Escalate domains
Hover over the domain row to display action icons on the right side. Select the lightning icon and choose to either:
- Block: When you select Block, Iris Detect flags that domain for blocking. Then, if you choose to use the Detect API, you can programmatically make decisions on domains with the value `block` for the `tag` attribute.
- Google Web Risk: Submit to the Google Web Risk team for them to perform their own review of the domain. If Google deems the domain to be malicious, Chrome blocks it. Safari and Firefox also take actions to block the domain in accordance with Google's decision.
- All: Activates both options.
Track escalation status
Track the status of your submission to Google Web Risk in the Escalations screen, accessible from the hamburger (≡) menu on the top left of the screen.
- Pending: Google is processing the request.
- Completed: Google added the domain to the safe browsing protection list.
- Closed: Google did not add the domain to safe browsing; Google provides a link to their policy.
Contact your DomainTools representative or enterprisesupport@domaintools.com to learn about the number of free submissions with each pricing tier. Google prices additional submissions at their rate (at cost).
Ignore domains
Hover over the domain row to display action icons on the right side. Mark the domain as ignored. Track ignored domains for each monitor in the Monitor Dashboard. Use the Iris Detect API to retrieve and act on ignored domains in your own infrastructure.
Export domain data
From the Monitor Dashboard, select one or more domains, and the bar populates with Export and Update menus.
Export to Iris Investigate
Select Iris Investigate to open the selected domains as a new investigation in Iris Investigate. View full domain information in Iris Investigate with this export option. A subset of this information is available from the API.
Access Iris Investigate from the DomainTools panel on the right side of the web interface.
Download files
Select CSV or STIX 2.0 to download the file in either format.
Analyze domain changes
Highlight latest changes
Highlighting latest changes helps you track changes over time and alerts you to new changes. To easily see which fields most recently changed, select the Latest Changes control. Iris Detect highlights the most recently changed field along with other fields that changed within 24 hours of the most recent change. This lets you quickly scan for changes in domains across your list. When you hover over a highlighted field, Iris Detect shows the date and time the field changed.
When you click on a domain in the list, the card view opens. A Latest Changes link appears at the top; select it to highlight the latest infrastructure changes for that domain. Iris Detect shows a solid blue box and right arrow for new values; a dashed blue box and left arrow for removed values; and a solid blue box with left and right arrows for new screenshots.
For a more detailed history of infrastructure changes, visit the History tab in the card view.
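The highlighting rule described above, applied in code to a constructed change history so you can reproduce the same view when working from exported or API data: the most recently changed field is kept, along with every other field whose latest change falls within 24 hours of it, and each is labelled with the card-view marker. This is an added example, not DomainTools code; the record layout, field names and marker labels are assumptions, since the page does not describe the API schema.

```python
from datetime import datetime, timedelta

# Constructed change history for one domain (assumed layout, not DomainTools data):
# (data point, UTC timestamp of the change, previous value, new value).
# None as the new value means the value was removed.
CHANGE_HISTORY = [
    ("ip_address", "2024-03-01T10:00:00", "192.0.2.10", "192.0.2.20"),
    ("name_server", "2024-03-09T08:30:00", "ns1.example.net", "ns1.example.org"),
    ("mail_server", "2024-03-10T07:45:00", None, "mx.example.org"),
    ("screenshot", "2024-03-10T09:15:00", "capture-2024-03-09", "capture-2024-03-10"),
    ("registrant_email", "2024-03-10T12:00:00", "old@example.com", None),
]

HIGHLIGHT_WINDOW = timedelta(hours=24)  # the 24-hour window the guide describes


def marker(data_point, old, new):
    """Map one change to the card-view marker named in the guide (labels are assumed)."""
    if data_point == "screenshot":
        return "new screenshot"   # solid box, left and right arrows
    if new is None:
        return "removed value"    # dashed box, left arrow
    return "new value"            # solid box, right arrow


def latest_changes(history, window=HIGHLIGHT_WINDOW):
    """Return {data_point: (iso_timestamp, marker)} for the most recently changed
    field plus every other field whose latest change is within `window` of it."""
    if not history:
        return {}
    # Keep only the most recent change per data point, so an old change to a field
    # that later changed again does not count against the window.
    latest_per_field = {}
    for dp, ts, old, new in history:
        when = datetime.fromisoformat(ts)
        if dp not in latest_per_field or when > latest_per_field[dp][0]:
            latest_per_field[dp] = (when, old, new)
    newest = max(when for when, _, _ in latest_per_field.values())
    return {
        dp: (when.isoformat(), marker(dp, old, new))
        for dp, (when, old, new) in latest_per_field.items()
        if newest - when <= window
    }


if __name__ == "__main__":
    for field, (when, label) in sorted(latest_changes(CHANGE_HISTORY).items()):
        print(f"{field:16} {when}  {label}")
```

With the constructed history, the name-server change (27.5 hours before the newest change) and the older IP change are not highlighted, while the mail server, screenshot and removed registrant email are.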
Filter and sort domains
Filter domains
Select the Filter Results button in the bar, and select filters on the column that appears to the left. Filter by:
- Domain name
- Domain ID (described in the API usage section)
- Top-Level Domains (TLDs)
- Risk Score ranges
- MX records presence
- Escalations
Sort domains
Select the Filter Results button in the navigation pane, and navigate to the bottom of the column that appears to the left. Sort by the following categories:
- Risk Score
- First seen
- Last changed