
Historical pivots

Historical pivots allow you to discover domains that matched your query at any point in their history, not just currently. This capability is essential for tracking infrastructure changes and identifying historical connections.

Historical search support

Three fields support historical pivoting:

  • Email: Search historical email addresses associated with domains
  • Registrant: Search historical registrant information
  • WHOIS Record: Search the full text of historical WHOIS records

How historical pivots work

When you pivot on a historical-compatible field, Iris Investigate can search both:

  • Current data: Domains that currently match the value
  • Historical data: Domains that matched the value at any point in their history

By default, historical search is enabled for the three supported fields.

Filter historical results

Viewing current and historical email results

To control historical results when pivoting:

  1. Right-click a historical-compatible field that contains pivotable data.
  2. Select the magnifying glass icon.
  3. The system loads domains that share the value.
  4. Toggle between the following options:
       • Current Only: Shows only current matches
       • Historical Only: Shows only historical matches
       • Current & Historical: Shows both current and historical matches (default)

Understanding historical results

Important: Historical search can return domains that don't currently match your query. These domains matched your search criteria at some point in their history, but may have different values now.

Why this matters

When you pivot on an email address like admin@example.com:

  • Current matches - Domains currently registered to this email
  • Historical matches - Domains that were previously registered to this email but have since changed

Historical matches help you:

  • Track infrastructure changes over time
  • Identify domains that were part of a campaign but have been abandoned
  • Discover connections that would otherwise be invisible

View historical matches

To see when a domain matched your query:

  1. Locate the domain in your results.
  2. Open the domain's WHOIS History panel.
  3. Select See Historical Matches.
  4. The panel displays the historical record(s) where the domain matched your search term.

Active and inactive domains

Iris Investigate indicates when a domain is inactive:

  • Icon: Near the domain name in the Pivot Engine
  • Status column: Shows active/inactive status

A domain is marked inactive when it has not resolved in DNS to an A, MX, or NS record for at least 10 days.

Historical pivots often return inactive domains, as these domains may have been active when they matched your search criteria but have since expired or been taken down.
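
The current/historical distinction and the inactivity rule described above, modelled over constructed WHOIS snapshots. This is an added example, not DomainTools code or the Iris Investigate API; the record layout, the function names (pivot_email, is_inactive), the mode strings, and all sample domains and dates are assumptions made for illustration.

```python
from datetime import date

# Constructed WHOIS history: domain -> [(snapshot date, registrant email)].
# The layout and values are illustrative, not an Iris export format.
WHOIS_HISTORY = {
    "alpha.example": [(date(2022, 1, 5), "admin@example.com"),
                      (date(2023, 6, 1), "admin@example.com")],
    "bravo.example": [(date(2021, 3, 9), "admin@example.com"),
                      (date(2022, 8, 20), "privacy@proxy.example")],
    "charlie.example": [(date(2023, 2, 2), "other@example.org")],
}
# Constructed: last date each domain resolved to an A, MX, or NS record.
LAST_RESOLVED = {
    "alpha.example": date(2024, 5, 30),
    "bravo.example": date(2022, 9, 1),
    "charlie.example": date(2024, 5, 31),
}
MODES = {"current_only": {"current"},
         "historical_only": {"historical"},
         "current_and_historical": {"current", "historical"}}


def pivot_email(email, history, mode="current_and_historical"):
    """Map each matching domain to its match kind and the matching snapshot dates."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    wanted = email.lower()
    results = {}
    for domain, snapshots in history.items():
        ordered = sorted(snapshots)  # oldest snapshot first
        hits = [day for day, addr in ordered if addr.lower() == wanted]
        if not hits:
            continue  # never matched at any point in its history
        # Current if the newest record still matches; otherwise the value has
        # since changed and the domain is a historical match only.
        kind = "current" if ordered[-1][1].lower() == wanted else "historical"
        if kind in MODES[mode]:
            results[domain] = {"match": kind, "records": hits}
    return results


def is_inactive(domain, last_resolved, today, threshold_days=10):
    """Inactive: no A, MX, or NS resolution for at least threshold_days."""
    seen = last_resolved.get(domain)
    return seen is None or (today - seen).days >= threshold_days


if __name__ == "__main__":
    for name, info in pivot_email("admin@example.com", WHOIS_HISTORY).items():
        state = "inactive" if is_inactive(name, LAST_RESOLVED, date(2024, 6, 1)) else "active"
        print(name, info["match"], [d.isoformat() for d in info["records"]], state)
```

The "records" list plays the role of the matching historical records: it shows when the pivot value was actually attached to the domain, which is what separates a live connection from a stale one.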

Global settings

To configure default historical search behavior:

  1. Open the Product Menu (upper left corner).
  2. Select Settings.
  3. Navigate to Historical Search Settings.
  4. Enable or disable historical search for the three supported fields.

For more details, see Settings.

Per-search override

To override historical search for a specific search:

  1. Open the advanced search panel.
  2. Locate the history icon next to supported fields.
  3. Toggle historical search on or off for that field.
  4. Run your query.

This override applies only to the current search and doesn't change your global settings.

Use cases

Track threat actor infrastructure

A threat actor uses malicious@example.com to register domains. Over time, they change email addresses to evade detection. Historical pivots reveal:

  • All domains ever registered to this email
  • The timeline of their infrastructure
  • Patterns in domain registration and abandonment

Investigate abandoned campaigns

A phishing campaign used specific registrant information. The domains are now inactive, but historical pivots show:

  • The full scope of the campaign
  • Related domains that may still be active
  • Infrastructure patterns for attribution

Monitor infrastructure changes

A legitimate organization changes registrars or contact information. Historical pivots help:

  • Verify ownership history
  • Track infrastructure evolution
  • Identify potential impersonation attempts

Best practices

  1. Start with current data: Begin with "Current Only" to see active infrastructure.
  2. Expand to historical: Add historical data to discover abandoned or changed domains.
  3. Check WHOIS History: Use "See Historical Matches" to understand when connections existed.
  4. Consider inactive domains: Don't dismiss inactive domains—they provide valuable context.
  5. Combine with risk scores: Historical domains with high risk scores may indicate past malicious activity.

Limitations

  • Historical search is only available for Email, Registrant, and WHOIS Record fields
  • Other fields (IP addresses, name servers, SSL certificates) search current data only
  • Historical data availability depends on DomainTools' data collection history
  • Very old domains may have incomplete historical records
