Skip to content

Collaboration

Iris Investigate enables team collaboration through investigation sharing, search hashes, reporting, and data export. Work together to analyze threats, share findings, and coordinate investigations.

Groups

A Group consists of the other Iris Investigate users at your company. Groups enable:

  • Shared tags: Tags are visible to all group members
  • Shared investigations: Investigations can be shared with view or edit permissions
  • Tag Manager: View all tags used across your group
  • Collaboration: Multiple users can work on the same investigation

Share investigations

By default, investigations are private to the originating user. Share investigations with your group to enable collaboration.

Share an investigation

Investigation sharing dialog with access level options

To share an investigation with your group:

  1. Open the Product Menu.
  2. Hover over your active investigation.
  3. Select Edit Investigation.
  4. Choose an access level for group members:
  5. View: Read-only access to the investigation
  6. Add branches: Can add new search nodes
  7. Delete branches: Can delete search nodes
  8. Select Save.

Access shared investigations

Shared investigations appear in your investigation list in the Product Menu under the heading Investigations shared with you.

Collaboration notifications

When another user creates a new search node in your shared investigation:

  • The node appears in Search History with a sharing icon
  • You receive a browser notification

This keeps you informed of team activity in real-time.

Unshare an investigation

To stop sharing an investigation:

  1. Open the Product Menu.
  2. Hover over the investigation.
  3. Select Edit Investigation.
  4. Remove the sharing permissions.
  5. Select Save.

The investigation disappears for other group members immediately.

Search hashes

Search Hashes share a specific search to anyone with Iris Investigate, including people outside of your group.

What search hashes include

Search hashes reproduce:

  • Search terms and filters
  • Advanced search parameters
  • Field selections

What search hashes don't include

Search hashes don't include:

  • Tags
  • Search notes
  • Investigation context
  • User-specific annotations

Export a search hash

  1. Hover over a search node in the search history graph.
  2. Select the export icon.
  3. The search hash copies to your clipboard.
  4. Share the hash with others.

Use search hashes

Recipients can:

  • Paste the search hash into Iris Investigate
  • Reproduce your exact search
  • View the same results (subject to data updates)

The Investigate API can also use search hashes to query for the results of an advanced search first created through the Investigate web UI.

Export Pivot Engine results

Export your Pivot Engine results for analysis in external tools or sharing with stakeholders.

Export formats

To export your Pivot Engine results:

  1. Locate the DOWNLOAD button near the top of the Pivot Engine Data Panel, next to the page navigation controls.
  2. Select DOWNLOAD.
  3. Choose an export format:
  4. CSV: Comma-separated values for spreadsheet applications
  5. STIX 1.2: Structured Threat Information Expression format version 1.2
  6. STIX 2.0: Structured Threat Information Expression format version 2.0

Export contents

The export includes:

  • Your full Pivot Engine table
  • All visible columns
  • Fields containing multiple values have repeated columns to maintain a single value per table element

Generate investigation reports

The Generate Investigation Report button in the Product Menu creates a PDF (Portable Document Format) containing comprehensive investigation details.

Report contents

Reports include:

  • Title and description: Investigation metadata
  • Investigation path: Tabular form with search notes
  • Pivot Engine data: Tabular form matching your column configuration
  • Statistics: Via the Stats Data Panel
  • Visualizations: From the Visualization Data Panel

Report generation

The system generates reports from the viewpoint of the current selected node in your investigation.

For a complete investigation report:

  1. Select the final node in your search history.
  2. Ensure required panels are visible:
  3. Stats Data Panel
  4. Visualization Data Panel
  5. Pivot Engine Data Panel
  6. Select Generate Investigation Report from the Product Menu.

Report limitations

  • Pivot Engine results: For result sets over 500 domains, the report includes only the currently displayed page
  • Visualizations: Large result sets may not display well; download high-res images from the Visualization Data Panel directly
  • Panel visibility: Only visible panels are included in the report

Manually trigger web content updates

Multiple Iris Investigate data panels contain web-related data that the web crawler gathers.

Default web crawler behavior

The web crawler:

  • Gathers data upon first discovery of a domain
  • For domains with a risk score of 70 or higher: Automatically gathers data every 3 months
  • For domains watched in Iris Detect: Gathers data daily

Manual updates

To update web-related data outside of these default settings:

  1. Navigate to one of the following data panels:
  2. Pivot Engine
  3. Screenshot History
  4. Domain Profile
  5. SSL Profile
  6. Select the Update Content button.
  7. The web crawler queues the domain(s) for data collection.

Web crawler data types

The web crawler gathers:

  • Screenshot
  • Website title
  • Website response code
  • Redirect domain
  • Server type
  • Website trackers
  • SSL certificate aspects

Best practices

Investigation sharing

  1. Set appropriate permissions: Use "View" for stakeholders, "Add branches" for analysts.
  2. Document your work: Add notes before sharing so others understand your analysis.
  3. Name investigations clearly: Help team members identify relevant investigations.
  4. Regular cleanup: Unshare completed investigations to reduce clutter.

Search hashes

  1. Export key searches: Share reproducible searches with your team.
  2. Document context: Explain what the search hash represents.
  3. Version control: Note when you exported the hash (data may change over time).

Reporting

  1. Select the right node: Generate reports from the final node for complete coverage.
  2. Verify panel visibility: Ensure all required panels are displayed.
  3. Download visualizations separately: For high-quality images in presentations.
  4. Add context: Include investigation description for report readers.

Data export

  1. Choose the right format: CSV for analysis, STIX for threat intelligence platforms.
  2. Document export date: Note when data was exported for version tracking.
  3. Verify columns: Ensure all needed fields are visible before exporting.

Next steps