Search overview

Iris Investigate provides multiple search methods to find domains based on various criteria. This section covers all search capabilities, from simple domain lookups to complex advanced searches with multiple filters.

Query with IrisQL

IrisQL provides a text-based query language for Advanced Search. Build queries as code, copy/paste them between applications, and toggle between IrisQL and the visual interface.

Search methods

Start with simple searches using domains, IP addresses, email addresses, or other identifiers. Iris Investigate automatically detects the data type and returns relevant results.

Learn more: Basic Search

Use filters, operators, and multiple criteria to create precise searches. Advanced search supports logical AND/OR operations and over 50 searchable fields.

Learn more: Advanced Search

Discover domains matching patterns using regular expressions. Ideal for finding related infrastructure when you know naming patterns but not specific domains.

Learn more: Flexible Search

Perform searches from multiple locations:

Search input formats

Iris Investigate accepts various input formats:

  • Domains: domaintools.com, example.com.
  • IP addresses: 4.2.2.2, 192.168.1.1.
  • De-fanged values: example[.]tld, 4[.]2.2.2.
  • Email addresses: admin@example.com.
  • Shortcodes: ip.asn:"209242" for guided searches.

For a complete list of searchable fields and shortcodes, see Search Reference.
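
The following added example, which is not DomainTools code and does not describe how Iris Investigate performs its own detection, shows one way to refang and classify inputs in the formats listed above before submitting or logging them. The function names, the regular expressions, and the shortcode shape (inferred from the single `ip.asn:"209242"` sample) are assumptions.

```python
import ipaddress
import re

# Constructed patterns; the shortcode shape is inferred from ip.asn:"209242".
SHORTCODE = re.compile(r'^[a-z][a-z0-9_.]*:"[^"]*"$')
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN = re.compile(rf"^(?:{LABEL}\.)+[a-z][a-z0-9-]{{1,62}}$")
DEFANG = re.compile(r"\[\.\]|\(\.\)")


def refang(value):
    """Undo the [.] de-fanging shown above (and the common (.) variant)."""
    return DEFANG.sub(".", value.strip())


def classify(raw):
    """Return (kind, normalized value) for one search input."""
    text = raw.strip()
    if SHORTCODE.match(text):
        return "shortcode", text  # quoted value is passed through untouched
    value = refang(text)
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not an IPv4/IPv6 literal; keep checking
    local, at, host = value.rpartition("@")
    if at:
        ok_local = local and "@" not in local and not re.search(r"\s", local)
        if ok_local and DOMAIN.match(host.lower()):
            return "email", f"{local}@{host.lower()}"
        return "unknown", value
    host = value.lower().rstrip(".")  # drop the trailing root dot
    if len(host) <= 253 and DOMAIN.match(host):
        return "domain", host
    return "unknown", value


if __name__ == "__main__":
    # Constructed sample inputs based on the formats listed above.
    for item in ["example[.]tld", "4[.]2.2.2", "admin@example.com",
                 'ip.asn:"209242"', "Example.COM.", "1.2.3.999"]:
        print(item, "->", classify(item))
```

Values classified as `unknown`, such as an out-of-range dotted quad, are worth reviewing by hand rather than submitting as-is.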

Search results

After executing a search, Iris Investigate displays results in the web UI with three major components:

  1. Search Area: Includes a navigable 'breadcrumb' investigation graph.
  2. Panel Navigation: Tabs and selector for navigating and re-ordering Data Panels.
  3. Results Panel: Begins with the Pivot Engine in the leftmost position.

Single domain results

If the search returns a single domain, Iris Investigate populates the Data Panels with information for that domain.

Multiple domain results

If the search query returns multiple domains, Iris Investigate:

  • Lists multiple entries in the Pivot Engine.
  • Populates the remaining Data Panels with the selected domain's information.

The Data Panels remain populated with the selected domain's information while creating new branches or performing searches with no results. This means that the active domain remains populated in the Data Panels until you select a different domain.

Viewing results in the web UI

Three search parameters support historical search, allowing you to find domains that matched your query at any point in their history:

  • Email: Search historical email addresses associated with domains.
  • Registrant: Search historical registrant information.
  • WHOIS Record: Search the full text of historical WHOIS records.

Important: Historical search results

Historical search can return domains that don't currently match your query. These domains matched your search criteria at some point in their history, but may have different values now.

  • By default, the system enables historical search for the three supported fields.
  • Results may include domains with outdated information that no longer matches your query.
  • To see when a domain matched your query, select See Historical Matches in the domain's WHOIS History.
  • You can override this behavior per-search in Advanced Search settings.

For complete details on configuring this behavior, see Settings.

Next steps