Iris Investigate User Guide
Iris Investigate helps security professionals conduct deep analysis and map adversary infrastructure using enterprise-grade domain intelligence and risk scoring. For a complete overview of capabilities and use cases, see the Iris Investigate overview.
What you'll learn
This guide covers:
- Core concepts: Understanding investigations, pivots, and data panels
- Search: Finding domains with basic, advanced, and flexible search
- Pivot Engine: Discovering connections between domains
- Investigations: Managing search history, collaboration, and reporting
- Data Panels: Exploring detailed domain information
- RDAP Support: Working with Registration Data Access Protocol
- Reference: Settings, quotas, and technical details
Getting started
Access Iris Investigate at https://iris.domaintools.com/investigate/.
Provision access
Your organization provisions access in the DomainTools Enterprise account. Contact enterprisesupport@domaintools.com for help.
Related APIs
For information about the Iris Investigate API and the DomainTools API suite, consult the Iris Investigate API documentation.
Quick start
- Start a search: Enter a domain, IP address, email, or other identifier in the search bar.
- Review results: Examine the Pivot Engine results and select a domain to explore.
- Pivot on data: Right-click any data point to narrow, expand, or start a new search.
- Explore data panels: View detailed information in Domain Profile, pDNS, WHOIS History, and other panels.
- Track your investigation: Use Search History to navigate your investigation path.
Feature highlights
Domain Risk Score
The Domain Risk Score predicts how likely a domain is to be malicious, often before it's weaponized. This predictive capability helps security teams identify threats proactively.
Learn more: Domain Risk Score documentation
Pivot Engine: Infrastructure mapping
Discover connections between domains through shared infrastructure: IP addresses, registrants, name servers, SSL certificates, and more. The Pivot Engine surfaces relationships that reveal campaigns, threat actors, and malicious networks, enabling you to map adversary infrastructure efficiently.
Learn more: Pivot Engine
Investigation management
Track your investigation path with visual search history, annotate findings, tag domains, and collaborate with your team. You won't lose context as you explore complex threat landscapes. Share investigations, generate reports, and maintain a complete audit trail of your analysis.
Learn more: Investigations
Comprehensive data panels
Access 10+ specialized data panels that provide deep domain intelligence: from passive DNS history to SSL certificates, screenshots to WHOIS records, all in one unified interface. Each panel focuses on a specific aspect of domain data, allowing you to drill down into the details that matter for your investigation.
Learn more: Data Panels
RDAP Support
The suite of Iris products now supports the Registration Data Access Protocol (RDAP). In locations where an Iris UI or API previously served only WHOIS data, Iris now serves registration data. Registration data defaults to the RDAP or WHOIS record that the system infers to be most useful.
The RDAP FAQ and the letter to Iris customers explain how RDAP works in DomainTools products. For RDAP-specific guidance, see RDAP Support.
Need help?
- Keyboard shortcuts: Press h in the Iris Investigate UI or visit https://iris.domaintools.com/investigate/help/
- API documentation: Iris Investigate API
- Support: Contact enterprisesupport@domaintools.com