
Search history

Search history provides a visual graph of your investigation, showing all searches, pivots, and branches. Navigate through your investigation, annotate key findings, and organize domains with tags.

Each time you pivot on your results, Iris Investigate moves your investigation forward to a new node in your Search History. Each new node connects to its originating node with a line/edge.

Search history graph showing investigation nodes and connections

Visual indicators

The search history graph uses color coding and icons to convey information:

Indicator                     Meaning
Green nodes                   Your active investigation path
Orange nodes                  Searches outside of your active investigation path
Blue 'document' icon nodes    Passive DNS results
Number bubbles                Count of search notes on a node
Star icon                     Nodes marked as important

Keyboard shortcuts

Return to previous searches

  1. Locate the node in the search history graph.
  2. Select the node.
  3. Iris Investigate loads the Pivot Engine and Data Panels for that query.

Create new branches

Continue with new pivots from any node, and Iris Investigate creates a new branch. This allows you to:

  • Explore alternative hypotheses
  • Investigate different aspects of a domain
  • Organize complex investigations

To create a new, empty history branch:

  1. Select the + button near the top right corner of the Pivot Engine.
  2. Your next query becomes the root node of the new branch.

To start a new branch with the current node as the root:

  1. Select Manage History.
  2. Select New History Branch.
  3. Select Start it with the Current Search.

Delete nodes and branches

Warning: Once you delete a node or a branch, you can't recover it.

To delete:

  1. Locate the node or branch in the search history graph.
  2. Select the delete option.
  3. Confirm deletion.

Annotate with the search node drawer

Hovering over a search node invokes the search node drawer, which provides annotation options:

Domain search node drawer showing annotation options

Mark as important

Highlight critical nodes in your investigation:

  1. Hover over a search node.
  2. Select Mark as Important.
  3. The node displays a star icon.

Use this feature to:

  • Flag key findings
  • Mark nodes for follow-up
  • Highlight significant pivots

Export search hash

Share specific searches with others:

  1. Hover over a search node.
  2. Select the export icon.
  3. The search hash copies to your clipboard.

Search hashes reproduce search terms but don't include tags or other investigation-specific information. For more details, see Search Hashes.

Add search notes

Document your analysis and findings:

  1. Hover over a search node.
  2. Select the notes icon or Search Notes section.
  3. Enter your notes.
  4. Save.

When notes exist for a node, a number bubble on the node indicates the note count.

Interactive notes

Enter an IP address, domain name, or email address in your notes, and Iris Investigate enables Operations Menus to search or filter directly from the notes. This allows you to:

  • Pivot on values mentioned in notes
  • Create new searches from documented findings
  • Link notes to investigation actions

Tag domains and share tags

Tags attach to domains, include an editable description field, and can be modified through the Iris Investigate APIs. You can edit, search, and filter by tag.

Tag use cases

Apply tags to support:

  • Attribution labeling - Identify threat actors or campaigns
  • Threat profile type - Categorize by malware family, phishing, etc.
  • Operational status - Mark as active, monitoring, resolved
  • Case inclusion - Associate with specific incidents or tickets
  • Triage status - Track investigation progress
  • Programmatic decision-making - Enable automated workflows

Access tags

Tags are available in multiple locations:

Pivot Engine:

  1. Select one or multiple domains.
  2. Select the Tag button.
  3. Add, edit, or remove tags.
  4. Optionally export tags.

Operations Menu:

  1. Right-click a domain.
  2. Select Edit Tags.
  3. Modify tags for that domain.

Tag Manager:

  1. Open the Product Menu.
  2. Select Tag Manager.
  3. View all tags from your investigations and group.

Stats Data Panel:

  • Visualizes tag distribution across your result set
  • Shows tag counts and relationships

Tag sharing

Your tags are automatically shared with other users in your group. This enables:

  • Consistent categorization across the team
  • Shared threat intelligence
  • Collaborative analysis

Your investigations are private by default, but tags are visible to your group regardless of investigation sharing status.

If you export a Search Hash to a user outside of your group, your tags aren't visible to them.

Tag Manager

Tag Manager interface showing domain tags and descriptions

The Tag Manager displays:

  • All tags you've created
  • Tags used by your group
  • Domains associated with each tag
  • Tag descriptions

Use the Tag Manager to:

  • Review tag usage across investigations
  • Find domains by tag
  • Edit or delete tags
  • Maintain consistent tagging practices

Best practices

Annotation strategy

  1. Mark important nodes - Flag key findings as you discover them
  2. Add context in notes - Document why a node is significant
  3. Use consistent tagging - Establish team tagging conventions
  4. Export key searches - Share search hashes for reproducibility

Organization tips

  1. Create branches for different hypotheses - Keep investigation paths separate
  2. Delete dead ends - Remove unsuccessful branches to reduce clutter
  3. Name investigations descriptively - Make it easy to find later
  4. Regular review - Periodically review and clean up old investigations

Collaboration

  1. Share tags liberally - Help your team benefit from your analysis
  2. Document in notes - Explain your reasoning for future reference
  3. Mark important findings - Draw attention to critical discoveries
  4. Export search hashes - Enable others to reproduce your searches
