Skip to content

Guided pivots

Guided pivots help you identify promising investigation leads by highlighting fields that connect to a manageable number of domains. These visual indicators draw attention to data points that often represent meaningful connections.

What are guided pivots?

Iris Investigate highlights any field that can pivot to 500 or fewer domains—a range that typically indicates a useful investigation target. Often, the smaller the number of pivots, the more useful the connection to another domain.

Guided pivots appear with:

  • Visual highlighting: Distinct styling to draw attention
  • Domain count: Number of domains sharing that value
  • Average risk score: Quick indicator of severity for connected domains

Why 500 domains?

The 500-domain threshold balances two factors:

  1. Manageability - Small enough to review and analyze effectively
  2. Significance - Large enough to represent meaningful patterns

Connections with fewer domains often indicate:

  • Shared infrastructure between related domains
  • Common registrants or email addresses
  • Coordinated campaigns or threat actor activity
  • Hosting patterns worth investigating

Configure guided pivots

You can customize guided pivot behavior in settings:

  1. Open the Product Menu (upper left corner).
  2. Select Settings.
  3. Navigate to Pivot Engine Settings > Guided Pivots Settings.
  4. Adjust the threshold or disable guided pivots entirely.

Alternative access: Select the settings icon on the top left of the Pivot Engine.

Configuration options

  • Threshold: Set the maximum number of domains for guided pivot highlighting (default: 500)
  • Enable/Disable: Turn guided pivots on or off
  • Sort order: In the Stats Panel settings, you can order guided pivots first

Use guided pivots effectively

Identify high-value connections

When reviewing Pivot Engine results:

  1. Scan for highlighted guided pivot fields.
  2. Note the domain count and average risk score.
  3. Prioritize pivots with:
  4. Lower domain counts (more specific connections)
  5. Higher average risk scores (potentially malicious infrastructure)

Investigate guided pivots

To explore a guided pivot:

  1. Right-click the highlighted value.
  2. Review the domain count and risk information in the Operations Menu.
  3. Select the magnifying glass icon to view the list of connected domains.
  4. Choose a pivot operation:
  5. New Search: Investigate these domains exclusively
  6. Narrow Search: Add this as a filter to your current search
  7. Expand Search: Include these domains in your results

Side panel inspection

For guided pivots, the Operations Menu provides a side panel that displays:

  • Complete list of domains sharing the value
  • Risk scores for each domain
  • Quick access to domain profiles
  • Option to send results to the Pivot Engine

This allows you to preview connections before committing to a full pivot.

Guided pivots in Stats Panel

The Stats Panel can prioritize guided pivots in its display:

  1. Open the Stats Panel.
  2. Select the settings icon.
  3. Under Sorting, enable "Order guided pivots first".

This moves guided pivot data to the top of statistical visualizations, making patterns easier to spot.

Examples

Example 1: Email address pivot

You search for domains registered in the last 30 days with risk scores above 70. The Pivot Engine shows an email address highlighted as a guided pivot with a count of 47 domains.

This indicates: - 47 domains share this email address - The connection is specific enough to investigate (well under 500) - These domains may be part of a coordinated campaign

Example 2: Name server pivot

While investigating a suspicious domain, you notice its name server is highlighted as a guided pivot with 12 domains.

This suggests: - A small cluster of domains on shared infrastructure - Potentially related domains worth examining - A focused investigation target

Example 3: SSL certificate hash

An SSL certificate hash shows as a guided pivot with 3 domains.

This indicates: - Very specific connection (only 3 domains) - Likely shared infrastructure or related sites - High-priority investigation target

Best practices

  1. Start with lower counts: Investigate guided pivots with fewer domains first.
  2. Consider risk scores: Prioritize pivots with higher average risk scores.
  3. Look for patterns: Multiple guided pivots on the same domain may indicate coordinated activity.
  4. Use side panels: Preview connections before pivoting to avoid dead ends.
  5. Adjust thresholds: If you consistently find 500 too high or low, adjust in settings.

Next steps