Core Concepts
This page explains the fundamental concepts in Iris Investigate that form the foundation of your investigation workflow.
Investigations
Investigations are containers that organize a collection of search queries and results, search trails, data pivots, notes, and more. When you begin a search, Iris Investigate starts an investigation automatically.
Each investigation maintains:
- Search history: A graph of all searches and pivots performed
- Search nodes: Individual search queries with their results
- Annotations: Notes and importance markers on search nodes
- Tags: Labels applied to domains for categorization
- Collaboration settings: Sharing permissions with your group
By default, investigations are private to the originating user. You can share investigations with your group to enable collaboration. For details, see Collaboration.
Pivots
The concept of a "pivot" is fundamental to many investigations: given a starting point, discover connections to one or more related items. For example, if the starting point is a domain lookup, a common pivot is on the email address of the registrant of the domain. This pivot shows all of the other domains in the DomainTools database that are connected to that email address.
Many data points serve as pivots:
- IP addresses
- Registrant names
- Name servers
- Email addresses
- SSL certificate hashes
- Web analytics codes
- And many more
Most data types shown in Iris Investigate can function as pivot points. The Pivot Engine aggregates search results and displays key data points which can be pivoted on or explored further.
Guided pivots
Iris Investigate highlights any field that can pivot to 500 or fewer domains, a range that typically indicates a useful investigation target. Often, the smaller the number of connected domains, the more useful the connection is for attribution. For each guided pivot, the average risk score of the associated domains is shown as a quick indicator of severity.
You can configure the threshold or turn off Guided Pivots in settings.
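The two ideas above, pivoting from one data point to the other domains that share it and flagging the pivots whose result set is small enough to be worth following, are easy to see in code. The following is an added example written for this page, not code from DomainTools or the Iris Investigate product: it builds an inverted index over a handful of constructed domain records, answers a pivot query, and produces a guided-pivot report (connection count, average risk, and whether the count is at or below a threshold). The field names, domains, addresses, hashes, and risk scores are all made up, and the choice to treat privacy-redacted registrant values as non-pivotable is this example's own assumption rather than documented Iris behaviour.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records standing in for a set of Pivot Engine results.
# Every domain, address, hash and risk score here is made up for this example.
DOMAINS = [
    {"domain": "alpha-login.example",  "registrant_email": "ops@mailer.example",
     "ip": "203.0.113.10", "name_server": "ns1.bigdns.example", "ssl_hash": "aa11", "risk": 92},
    {"domain": "alpha-secure.example", "registrant_email": "ops@mailer.example",
     "ip": "203.0.113.10", "name_server": "ns1.bigdns.example", "ssl_hash": "aa11", "risk": 88},
    {"domain": "beta-portal.example",  "registrant_email": "ops@mailer.example",
     "ip": "203.0.113.11", "name_server": "ns1.bigdns.example", "ssl_hash": "bb22", "risk": 75},
    {"domain": "shop-one.example",     "registrant_email": "REDACTED FOR PRIVACY",
     "ip": "198.51.100.5", "name_server": "ns1.bigdns.example", "ssl_hash": "cc33", "risk": 5},
    {"domain": "shop-two.example",     "registrant_email": "REDACTED FOR PRIVACY",
     "ip": "198.51.100.6", "name_server": "ns1.bigdns.example", "ssl_hash": "dd44", "risk": 3},
]

# Fields this example treats as pivotable (a small subset of what Iris Investigate offers).
PIVOT_FIELDS = ("registrant_email", "ip", "name_server", "ssl_hash")

# Values that are shared by many domains but carry no attribution signal.
# Treating these as non-pivotable is this example's own assumption.
NON_PIVOTABLE = {"REDACTED FOR PRIVACY", "", None}


def build_index(records):
    """Inverted index: field -> value -> set of domains carrying that value."""
    index = {field: defaultdict(set) for field in PIVOT_FIELDS}
    for rec in records:
        for field in PIVOT_FIELDS:
            value = rec.get(field)
            if value not in NON_PIVOTABLE:
                index[field][value].add(rec["domain"])
    return index


def pivot(index, field, value, origin=None):
    """All domains connected to `value` through `field`, excluding the origin domain."""
    return sorted(index[field].get(value, set()) - {origin})


def guided_pivots(index, records, domain, threshold=500):
    """Guided-pivot report for one domain: for each pivotable field, the number of
    other domains sharing the value, their average risk score, and whether the
    count is at or below `threshold` (500 matches the default described above)."""
    by_name = {r["domain"]: r for r in records}
    origin = by_name[domain]
    report = {}
    for field in PIVOT_FIELDS:
        value = origin.get(field)
        if value in NON_PIVOTABLE:
            continue  # nothing useful to pivot on
        connected = pivot(index, field, value, origin=domain)
        if not connected:
            continue  # unique to this domain; no pivot available
        report[field] = {
            "value": value,
            "count": len(connected),
            "avg_risk": round(mean(by_name[d]["risk"] for d in connected), 1),
            "guided": len(connected) <= threshold,
        }
    return report


if __name__ == "__main__":
    idx = build_index(DOMAINS)
    print(pivot(idx, "registrant_email", "ops@mailer.example", origin="alpha-login.example"))
    # A low threshold makes the effect visible on this tiny data set; the widely
    # shared name server is not flagged, the narrow email and IP pivots are.
    for field, info in guided_pivots(idx, DOMAINS, "alpha-login.example", threshold=2).items():
        print(field, info)
```

Running it shows the shape of what the Pivot Engine is doing at scale: the registrant email and the shared IP address connect only two or three high-risk domains and are flagged as guided pivots, while the name server used by every domain in the set is not, because a pivot to thousands of unrelated domains tells you little. The privacy-redacted registrant on `shop-one.example` yields no email pivot at all.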
Data panels
Iris Investigate uses data panels to present domain information in containers. Each panel focuses on a specific aspect of domain intelligence:
- Pivot Engine: Aggregated search results with pivotable data points
- Domain Profile: Snapshot of all domain-related data
- Domain History: Timeline of changes to domain attributes
- Passive DNS (pDNS): Current and historical DNS resolutions
- WHOIS History: Historical WHOIS records
- Screenshot History: Archived website screenshots
- SSL Profile: SSL/TLS certificate details
- IP Profile: IP address information
- IP Tools: Ping, traceroute, and PTR lookup
- Stats: Statistical analysis of result sets
- Visualization: Graph-based view of domain connections
Navigate data panels with the data panel tabs, and select which panels are visible through the hamburger menu on the far right of the ribbon. You can resize panels with the resize icon on the far right of the panel's title ribbon.
For detailed information about each panel, see Data Panels.
Search history
Each time you pivot on your results, Iris Investigate moves your investigation forward to a new node in your Search History. Each new node is connected to its originating node by an edge (a line).
The search history graph uses visual indicators:
- Green nodes: Your active investigation path
- Orange nodes: Searches outside of your active investigation path
- Blue 'document' icon nodes: Passive DNS results
- Number bubbles: Count of notes attached to a node
- Star icon: Nodes marked as important
Return to any point in your investigation by selecting the node, and Iris Investigate loads your Pivot Engine and data panels for that query. Continue with new pivots, and Iris Investigate creates a new branch of nodes.
For more details, see Search History.
Tags
Tags attach to domains, include an editable description field, and can be modified by the Iris Investigate APIs. Edit, search, and filter by tag. The Tag Manager displays all the domains associated with a single tag, across your group.
You can apply tags to these and other use cases:
- Attribution labeling
- Threat profile type
- Operational status
- Inclusion in a specific case
- Triage or other status
- Programmatic decision-making
Tags are shared automatically with the other users in your group. Investigations, by contrast, are private by default, but you can also share them with your group. For more information, see Tagging Domains.
Groups
A Group consists of the other Iris Investigate users at your company. Groups enable:
- Shared tags: Tags are visible to all group members
- Shared investigations: Investigations can be shared with view or edit permissions
- Tag Manager: View all tags used across your group
- Collaboration: Multiple users can work on the same investigation
For details on sharing and collaboration, see Collaboration.
Next steps
- Learn how to search for domains
- Understand the Pivot Engine
- Explore Data Panels