Skip to content

Pivoting

Pivoting enables you to discover connections between domains by creating new searches based on specific data points. Execute advanced searches directly from search results by pivoting on values in the Pivot Engine.

Operations menu

The Operations Menu provides the primary interface for pivoting. Access it by right-clicking any data point in the Pivot Engine or other data panels. Pivots create new advanced searches based on the selected value.

The operations menu
The operations menu

Pivot operations

The Operations Menu offers four main pivot operations:

Operation Description Effect
Narrow Search Creates an AND search combining the original query with this value. Narrows results by requiring both conditions.
Expand Search Creates an OR search combining the original query with this value. Expands results by matching either condition.
New Search Starts a new search using only this value. Replaces current search entirely.
Exclude Excludes results containing this value from the current search. Removes matching domains from results.

These operations mirror the options available in the advanced search panel.

Preview and inspection

In addition to pivot operations, the Operations Menu displays contextual information based on the data type:

For domain values:

  • Links to domain-specific information across multiple data panels.
  • Quick access to Domain Profile, WHOIS History, and other panels.

For non-domain values (IP addresses, email, contact information):

  • Number of domains that share that value.
  • Option to list and investigate those domains from a side panel (for guided pivots).
  • Link to investigate the data point in the pDNS panel.
  • Domain Risk Score.

Field-specific options:

  • IP addresses: IP Profile, Ping, Traceroute, PTR.
  • SSL fields: Link to SSL Profile.
  • Email addresses: Email domain analysis.

Drag and drop pivoting

Quickly build advanced searches by dragging values from the Pivot Engine:

  1. Open the advanced search panel.
  2. Drag a value from the Pivot Engine.
  3. Drop it into the advanced search panel.
  4. Iris Investigate automatically creates a filter with the appropriate field and value.

Pivot from data panels

You can pivot from most data panels, not just the Pivot Engine:

  • Domain Profile: Right-click any field value.
  • WHOIS History: Pivot on historical values.
  • pDNS Panel: Pivot on IP addresses or domains.
  • SSL Profile: Pivot on certificate attributes.
  • IP Profile: Pivot on IP-related data.

The Operations Menu adapts to show relevant options based on the data type and panel context.

RDAP and WHOIS pivots

Right-clicking a registration data point shows the count for the registration data, and below it, the data for each RDAP and WHOIS. By default, either the RDAP or WHOIS value appears normally, and the interface dims the other. This signifies which protocol populates Registration data.

RDAP results appearing normally during a guided pivot, while WHOIS is de-emphasized
RDAP results appearing normally during a guided pivot, while WHOIS is de-emphasized

Registration data, not just WHOIS data, forms the basis for guided pivot counts. As RDAP data populates registration data (when the RDAP record is used over the WHOIS record), RDAP data is included in counts for guided pivots. This means data points like emails and contact information have counts that bridge RDAP and WHOIS—making the transition from WHOIS to RDAP seamless in most cases.

For more details, see RDAP in Pivots.

Best practices

Start broad, then narrow

  1. Begin with a broad search to understand the landscape.
  2. Identify interesting patterns or connections.
  3. Use "Narrow Search" to focus on specific subsets.
  4. Continue narrowing until you reach actionable intelligence.

Use guided pivots

Pay attention to highlighted guided pivots (500 or fewer domains). These often represent:

  • Shared infrastructure.
  • Common registrants or email addresses.
  • Related campaigns or threat actors.

When pivoting on email addresses or registrant information, consider whether you want current or historical matches. Toggle historical search in the Operations Menu or advanced search panel.

For more information, see Historical Pivots.

Next steps