Iris Investigate User Guide

Note: This document is legacy documentation. For the current user guide, see Iris Investigate User Guide.

Iris Investigate helps security professionals conduct deep analysis and map adversary infrastructure using enterprise-grade domain intelligence and risk scoring. For a complete overview of capabilities and use cases, see the Iris Investigate overview.

Getting started

Access Iris Investigate at https://iris.domaintools.com/investigate/.

RDAP (Registration Data Access Protocol) support

The suite of Iris products now supports the Registration Data Access Protocol (RDAP). In locations where an Iris UI or API (Application Programming Interface, a programmatic interface for software integration) previously served only WHOIS (a query protocol that provides domain registration information) data, Iris now serves registration data. Registration data defaults to the RDAP or WHOIS record that the system infers to be the most useful:

  • RDAP and WHOIS records gathered for a domain within 3 days of each other surface the record with the most data, with ties going to RDAP.
  • RDAP and WHOIS records gathered more than 3 days apart favor the newer record.

The UI and API can also serve either WHOIS or RDAP data in response to user specification.
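The two selection rules above, written out as an added example (not DomainTools code). It assumes that "the record with the most data" means the record with more non-empty fields, that "within 3 days" is inclusive, and that the `mode` parameter mirrors the Advanced Search choice between auto, RDAP and WHOIS:

```python
"""Toy model of how this guide says Iris picks between an RDAP and a WHOIS
record when serving registration data. Added example, not DomainTools code."""
from datetime import datetime, timedelta

# Assumption: "within 3 days of each other" is an inclusive window.
WINDOW = timedelta(days=3)


def field_count(record):
    """Assumed measure of 'most data': the number of non-empty fields."""
    return sum(1 for v in record.values() if v not in (None, "", [], {}))


def select_registration_record(rdap, whois, rdap_gathered, whois_gathered, mode="auto"):
    """Return (protocol, record), where protocol is 'rdap' or 'whois'.

    mode='auto' applies the guide's two rules; mode='rdap' or 'whois' forces
    that protocol, as the Advanced Search selector does. If only one record
    exists (the other is None), that record is served regardless of mode.
    """
    if mode == "rdap":
        return ("rdap", rdap) if rdap is not None else ("whois", whois)
    if mode == "whois":
        return ("whois", whois) if whois is not None else ("rdap", rdap)
    if mode != "auto":
        raise ValueError(f"unknown mode {mode!r}")
    if rdap is None:
        return "whois", whois
    if whois is None:
        return "rdap", rdap
    gap = abs(rdap_gathered - whois_gathered)
    if gap <= WINDOW:
        # Rule 1: gathered close together -> the record with more data, ties to RDAP.
        if field_count(whois) > field_count(rdap):
            return "whois", whois
        return "rdap", rdap
    # Rule 2: gathered far apart -> the newer record, whatever its size.
    if whois_gathered > rdap_gathered:
        return "whois", whois
    return "rdap", rdap


# Constructed sample records for a fictitious domain (not real registration data).
RDAP_SAMPLE = {
    "registrar": "Example Registrar LLC",
    "creation_date": "2024-01-05",
    "expiration_date": "2026-01-05",
    "nameservers": ["ns1.example-dns.invalid", "ns2.example-dns.invalid"],
    "registrant_email": "",  # redacted in the RDAP response
}
WHOIS_SAMPLE = {
    "registrar": "Example Registrar LLC",
    "creation_date": "2024-01-05",
    "expiration_date": "2026-01-05",
    "nameservers": ["ns1.example-dns.invalid", "ns2.example-dns.invalid"],
    "registrant_email": "registrant@example.invalid",
}


def demo():
    """Exercise the three situations the rules distinguish; returns the chosen protocols."""
    t0 = datetime(2025, 3, 1, 12, 0)
    # Close in time, WHOIS has one more populated field -> WHOIS.
    close = select_registration_record(RDAP_SAMPLE, WHOIS_SAMPLE, t0, t0 + timedelta(days=1))
    # Close in time, identical amount of data -> tie goes to RDAP.
    tie = select_registration_record(RDAP_SAMPLE, dict(RDAP_SAMPLE), t0, t0 + timedelta(days=2))
    # Ten days apart: the older RDAP record is richer, but the newer WHOIS record wins.
    older_but_richer = dict(WHOIS_SAMPLE)
    newer_but_sparser = dict(RDAP_SAMPLE)
    far = select_registration_record(older_but_richer, newer_but_sparser,
                                     t0 - timedelta(days=10), t0)
    return close[0], tie[0], far[0]


if __name__ == "__main__":
    print(demo())
```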

The RDAP FAQ (Frequently Asked Questions) and the letter to Iris customers explain how RDAP works in DomainTools products. This guide contains RDAP-specific information in:

Provision access

The organization provisions access in the DomainTools Enterprise account. Contact enterprisesupport@domaintools.com for help.

For information about the Iris Investigate API and the DomainTools API suite, consult the Iris Investigate API documentation.

Investigations overview

Investigations are containers that organize a collection of search queries and results, search trails, data pivots, notes, and more. The Collaboration section explains how to share and export investigations.

When a search begins, Iris Investigate automatically starts the investigation.

Search for domains

Query with IrisQL

IrisQL provides a text-based query language for Advanced Search. Build queries as code, copy/paste them between applications, and toggle between IrisQL and the visual interface.

Advanced search interface with historical search toggle
Adding historical results to an advanced search.

Perform the first search from the DomainTools Research page, the Iris Investigate landing page, or from the search bar or Advanced Search tab in the web application.

Begin searches with any of the accepted search parameters, and Iris Investigate guesses which type of data was provided: for example, it interprets 4.2.2.2 as an IP (Internet Protocol) address and domaintools.com as a domain name. The Iris Investigate UI accepts 'de-fanged' values for IP and host addresses such as example[.]tld and 4[.]2.2.2. Include shortcodes in the query string to specify the data type, and pass these codes from non-DomainTools applications in the API.

Base search parameters

Filter or expand results through the Advanced button next to the search box. Add additional filters with logical AND (narrow results) and OR (expand results) operators. Each filter can use a match rule available for its specific data type.

Historical search support

Most search parameters query only current data. However, three parameters support historical search, allowing you to find domains that matched your query at any point in their history:

  • Email - Search historical email addresses associated with domains
  • Registrant - Search historical registrant information
  • WHOIS Record - Search the full text of historical WHOIS records

Important: Understanding Historical Search Results

Historical search can return domains that don't currently match your query. These domains matched your search criteria at some point in their history, but may have different values now. This behavior is critical to understand when analyzing search results.

  • By default, historical search is enabled for the three supported fields
  • Results may include domains with outdated information that no longer matches your query
  • To see when a domain matched your query, select See Historical Matches in the domain's WHOIS History
  • You can override this behavior per-search in Advanced Search settings

For complete details on configuring this behavior, see Historical search settings.

Available search parameters

The following table lists all available search parameters organized by category. Each parameter supports specific match operators that determine how your search query compares against stored data.

| Category | Parameter | Shortcode | Accepted Operators |
|---|---|---|---|
| Domain Information | Domain Name | domain | Begins With, Contains, Does Not Contain, Does Not Exactly Match, Does Not Match, Ends With, Exactly In, Exactly Match, In, Matches, Not Exactly In, Not In |
| | Create Date | cre | Does Not Match, Greater Than, Greater Than or Equal To, Less Than, Less Than or Equal To, Matches, Within |
| | Expiration Date | exp | Greater Than, Greater Than or Equal To, Less Than, Less Than or Equal To, Matches, Within |
| | First Seen | current_lifecycle_first_seen | Greater Than, Greater Than or Equal To, Less Than, Less Than or Equal To, Matches, Within |
| | Rank | popularity_rank | Does Not Match, Greater Than, Greater Than or Equal To, Less Than, Less Than or Equal To, Matches |
| | Risk Score | cr | Does Not Match, Greater Than, Greater Than or Equal To, Less Than, Less Than or Equal To, Matches |
| | Status | active | Matches |
| | Tags | tags | Contains, Contains All, Does Not Contain, Does Not Contain All |
| | TLD (Top-Level Domain) | tld | Begins With, Does Not Match, Exists, In, Matches, Not In |
| | Website Title | title | Begins With, Contains, Contains All, Does Not Contain, Does Not Contain All, Does Not Exactly Match, Does Not Match, Exactly Matches, Exists, Matches |
| | Server Type | server_type | Begins With, Contains, Contains All, Does Not Contain, Does Not Contain All, Does Not Exactly Match, Does Not Match, Exactly Matches, Exists, Matches |
| | Redirect Domain | rdd | Begins With, Does Not Match, Exists, Matches |
| | WHOIS Record | whois | Contains, Contains All |
| Contact Information | Contact Country Code | cons.cc | Begins With, Does Not Match, Exists, Matches |
| | Contact Name | cons.nm | Begins With, Contains, Contains All, Does Not Contain, Does Not Contain All, Does Not Exactly Match, Exactly Matches, Exists |
| | Contact Phone | cons.ph | Begins With, Does Not Match, Exists, Matches |
| | Contact Street | cons.str | Begins With, Contains, Contains All, Does Not Contain, Does Not Contain All, Does Not Exactly Match, Exactly Matches, Exists |
| | Registrant | r_n | Begins With, Contains, Contains All, Does Not Contain, Does Not Contain All, Does Not Exactly Match, Does Not Match, Exactly Matches, Exists, Matches |
| | Registrant Organisation | r_o | Begins With, Contains, Contains All, Does Not Contain, Does Not Contain All, Does Not Exactly Match, Does Not Match, Exactly Matches, Exists, Matches |
| | Registrar | reg | Begins With, Contains, Contains All, Does Not Contain, Does Not Contain All, Does Not Exactly Match, Does Not Match, Exactly Matches, Exists, Matches |
| Email Information | Email | em | Begins With, Does Not Match, Exists, In, Matches, Not In |
| | Email - Administrator | empa | Begins With, Does Not Match, Exists, Matches |
| | Email - Billing | empb | Begins With, Does Not Match, Exists, Matches |
| | Email - DNS/SOA | ema | Begins With, Does Not Match, Exists, Matches |
| | Email - Registrant | empr | Begins With, Does Not Match, Exists, Matches |
| | Email - Technical | empt | Begins With, Does Not Match, Exists, Matches |
| | Email - WHOIS | emw | Begins With, Does Not Match, Exists, Matches |
| | Email Domain | emd | Begins With, Does Not Match, Exists, In, Matches, Not In |
| IP Information | IP | ip.ip | Does Not Match, Greater Than, Greater Than or Equal To, In, Less Than, Less Than or Equal To, Matches, Not In |
| | IP ASN | ip.asn | Does Not Match, Greater Than, Greater Than or Equal To, Less Than, Less Than or Equal To, Matches |
| | IP Country Code | ip.cc | Begins With, Does Not Match, Exists, Matches |
| | IP ISP (Internet Service Provider) | ip.isp | Contains, Contains All, Does Not Contain, Does Not Contain All, Does Not Exactly Match, Exactly Matches, Exists |
| DNS Information | Name Server | ns.ns | Does Not Match, Exists, Matches |
| | Name Server Domain | ns.nsd | Begins With, Does Not Match, Exists, Matches |
| | Name Server IP | ns.nip | Does Not Match, Greater Than, Greater Than or Equal To, In, Less Than, Less Than or Equal To, Matches, Not In |
| | MX (Mail Exchange) Server | mx.mx | Begins With, Does Not Match, Exists, Matches |
| | MX Server Domain | mx.mxd | Begins With, Does Not Match, Exists, Matches |
| | MX Server IP | mx.mip | Does Not Match, Greater Than, Greater Than or Equal To, In, Less Than, Less Than or Equal To, Matches, Not In |
| SSL Certificate Information | SSL Alt Names | ssl.alt_names | Begins With, Contains, Does Not Contain, Does Not Match, Exists, Matches |
| | SSL Duration (days) | ssl.duration | Does Not Match, Greater Than, Greater Than or Equal To, Less Than, Less Than or Equal To, Matches |
| | SSL Email | ssl.em | Begins With, Does Not Match, Exists, Matches |
| | SSL Hash | ssl.sh | Begins With, Does Not Match, Exists, Matches |
| | SSL Issuer Common Name | ssl.issuer_common_name | Begins With, Contains, Does Not Contain, Does Not Match, Ends With, Matches |
| | SSL Not After Date | ssl.not_after | Does Not Match, Greater Than, Greater Than or Equal To, Less Than, Less Than or Equal To, Matches, Within |
| | SSL Not Before Date | ssl.not_before | Does Not Match, Greater Than, Greater Than or Equal To, Less Than, Less Than or Equal To, Matches, Within |
| | SSL Subject | ssl.s | Begins With, Does Not Match, Exists, Matches |
| | SSL Subject Common Name | ssl.common_name | Begins With, Contains, Does Not Contain, Does Not Match, Ends With, Matches |
| | SSL Subject Org Name | ssl.so | Begins With, Contains, Contains All, Does Not Contain, Does Not Contain All, Does Not Exactly Match, Does Not Match, Exactly Matches, Exists, Matches |
| Web Analytics and Trackers | Adsense | ad | Does Not Match, Exists, Matches |
| | Baidu Analytics | | Does Not Match, Exists, Does Not Exist, Matches |
| | Facebook (Meta Pixel) | | Does Not Match, Exists, Does Not Exist, Matches |
| | Google Analytics | ga | Does Not Match, Exists, Does Not Exist, Matches |
| | Google Analytics 4 | | Does Not Match, Exists, Does Not Exist, Matches |
| | Google Tag Manager | | Does Not Match, Exists, Does Not Exist, Matches |
| | Hotjar | | Does Not Match, Exists, Does Not Exist, Matches |
| | Matomo | | Does Not Match, Exists, Does Not Exist, Matches |
| | Statcounter - Project Codes | | Does Not Match, Exists, Does Not Exist, Matches |
| | Statcounter - Security Codes | | Does Not Match, Exists, Does Not Exist, Matches |
| | Yandex Metrica | | Does Not Match, Exists, Does Not Exist, Matches |

Match operations determine how the search query compares against the data stored in Iris Investigate. Understanding these operations helps create more precise searches and find relevant domains efficiently.

Understanding tokenization

Many match operations use tokenization to analyze text. When searching for a value like help-facebook.com, the system breaks it into individual tokens: help and facebook.com. Similarly, this is an example becomes tokens: this, is, an, and example.

Some operations use these tokens to match records (such as Matches and Contains), while others perform exact string matching without tokenization (such as Exactly Matches). Understanding whether an operation uses tokenization helps predict and control search results.

Available match operations

The following tables describe all available match operations, organized by category.

String matching operations

| Operation | Tokenization | Logic | Description | Example with help-facebook.com |
|---|---|---|---|---|
| Begins With | No | N/A | Searches for records where the field value starts with the specified string | Matches domains starting with help-facebook.com |
| Ends With | No | N/A | Searches for records where the field value ends with the specified string | Matches domains ending with help-facebook.com |
| Contains | Yes | OR | Returns records containing any token from the search query. More permissive than Contains All and Matches | Returns records with either help OR facebook.com |
| Contains All | Yes | AND | Returns records containing all tokens. Tokens don't need to be in a specific order or adjacent. Equivalent to Matches for text fields | Returns records with both help AND facebook.com |
| Matches | Yes | AND | For text fields, returns records containing all tokens (case-insensitive). Tokens don't need to be in a specific order or adjacent. Equivalent to Contains All for text fields. For quantitative fields (numbers, dates), works as "Equal To" | Returns records with both help AND facebook.com |
| Exactly Matches | No | N/A | Performs a precise, exact string match without tokenization. Case-insensitive comparison. Opposite of Does Not Exactly Match | Returns only records with the exact string help-facebook.com |
| Does Not Contain | Yes | OR (exclusion) | Excludes records containing any token. More restrictive than Does Not Contain All | Excludes records with either help OR facebook.com |
| Does Not Contain All | Yes | AND (exclusion) | Excludes records only if all tokens are present. Returns records missing at least one token. More permissive than Does Not Contain | Excludes only records with both help AND facebook.com |
| Does Not Match | Yes | AND | Returns records where at least one token is missing. Excludes records containing all tokens | Returns records without both help AND facebook.com |
| Does Not Exactly Match | No | N/A | Returns records without an exact character-for-character match. Case-insensitive. Opposite of Exactly Matches | Returns records without the exact string help-facebook.com |

List matching operations

| Operation | Description |
|---|---|
| In | Searches for records where the field value matches any value in a specified list |
| Not In | Searches for records where the field value doesn't match any value in a specified list |
| Exactly In | Searches for records where the field value exactly matches any value in a specified list, using case-sensitive comparison |
| Not Exactly In | Searches for records where the field value doesn't exactly match any value in a specified list |

Existence operations

| Operation | Description |
|---|---|
| Exists | Returns records where the specified field contains any value |
| Does Not Exist | Returns records where the specified field is empty or not present |

Comparison operations

| Operation | Description |
|---|---|
| Greater Than | Returns records where the field value is greater than the specified value |
| Greater Than or Equal To | Returns records where the field value is greater than or equal to the specified value |
| Less Than | Returns records where the field value is less than the specified value |
| Less Than or Equal To | Returns records where the field value is less than or equal to the specified value |
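To see how tokenization changes what a string operation returns, the following added example (not DomainTools code) models the tokenized and exact operations from the tables above and runs them over a constructed set of website titles. It assumes tokens split on whitespace and hyphens (so help-facebook.com becomes help and facebook.com) and that every comparison is case-insensitive:

```python
"""Toy model of Iris Investigate's tokenized match operations.
Added example, not DomainTools code."""
import re

# Assumption: tokens are separated by whitespace or hyphens; dots stay inside a token.
_TOKEN_SPLIT = re.compile(r"[\s\-]+")


def tokenize(text):
    """Break text into lowercase tokens: 'help-facebook.com' -> ['help', 'facebook.com']."""
    return [t.lower() for t in _TOKEN_SPLIT.split(text.strip()) if t]


def _as_number(text):
    """Return a float for quantitative values, else None (used by Matches)."""
    try:
        return float(text)
    except (TypeError, ValueError):
        return None


def begins_with(field, query):
    return field.lower().startswith(query.lower())


def ends_with(field, query):
    return field.lower().endswith(query.lower())


def contains(field, query):
    """OR logic: any query token present in the field."""
    field_tokens = set(tokenize(field))
    return any(t in field_tokens for t in tokenize(query))


def contains_all(field, query):
    """AND logic: every query token present, in any order, not necessarily adjacent."""
    field_tokens = set(tokenize(field))
    return all(t in field_tokens for t in tokenize(query))


def matches(field, query):
    """Text fields: same as Contains All. Quantitative fields: Equal To."""
    f, q = _as_number(field), _as_number(query)
    if f is not None and q is not None:
        return f == q
    return contains_all(field, query)


def exactly_matches(field, query):
    """Whole-string comparison, no tokenization, case-insensitive."""
    return field.strip().lower() == query.strip().lower()


OPERATIONS = {
    "Begins With": begins_with,
    "Ends With": ends_with,
    "Contains": contains,
    "Contains All": contains_all,
    "Matches": matches,
    "Exactly Matches": exactly_matches,
    # The exclusion forms are the negations of the forms above.
    "Does Not Contain": lambda f, q: not contains(f, q),
    "Does Not Contain All": lambda f, q: not contains_all(f, q),
    "Does Not Match": lambda f, q: not matches(f, q),
    "Does Not Exactly Match": lambda f, q: not exactly_matches(f, q),
}

# Constructed sample records: domain -> Website Title field (fictitious data).
SAMPLE_TITLES = {
    "a.example": "help-facebook.com support portal",
    "b.example": "facebook.com",
    "c.example": "Help desk",
    "d.example": "HELP-FACEBOOK.COM",
    "e.example": "unrelated site",
}


def search(operation, query, records=SAMPLE_TITLES):
    """Return the sorted list of domains whose field satisfies the operation."""
    test = OPERATIONS[operation]
    return sorted(domain for domain, value in records.items() if test(value, query))


if __name__ == "__main__":
    for op in OPERATIONS:
        print(f"{op:24} -> {search(op, 'help-facebook.com')}")
```

Note how Contains pulls in c.example (it shares only the token help), while Contains All and Matches need both tokens and Exactly Matches needs the whole string.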

To quickly build an advanced search based on values in the Pivot Engine, drag/drop values from the Pivot Engine into the (opened) Advanced Search pane. Iris Investigate supports a maximum of 1024 filters per advanced search.

Guided search parameters, codes, and operators

Guided search inputs are accepted in the Iris Investigate search bar, and by passing the guided search parameters to Iris Investigate via a URL. Guided search uses opcodes.

For example, searching Iris Investigate for 209242 to locate domains on the Autonomous System Number (ASN, a unique identifier for networks on the internet) ASN209242 returns every result matching the string 209242, including user accounts and email addresses.

However, the search string ip.asn:"209242" instructs Iris Investigate to search only ASNs.

You can also accomplish these two searches with a URL query parameter. A generic search for 209242 is constructed as:

https://iris.domaintools.com/investigate/search/?q="209242"

A guided search for ASN209242, however, uses this format:

https://iris.domaintools.com/investigate/search/?q=ip.asn:"209242"

Supported operators:

| Operator | Definition |
|---|---|
| : or = | Equal |
| != or <> | Not equal |
| > | Greater than |
| >= | Greater than or equal to |
| < | Less than |
| <= | Less than or equal to |
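The following added example (not DomainTools code) builds and parses guided-search strings and the search URLs shown above, and restores de-fanged input of the example[.]tld form accepted by the search bar. It assumes the operator sits between the shortcode and the double-quoted value, as in ip.asn:"209242", and that the q parameter may be sent either in the readable form the guide shows or with standard percent-encoding:

```python
"""Build and parse Iris Investigate guided-search strings and URLs.
Added example, not DomainTools code."""
import ipaddress
import re
from urllib.parse import quote

SEARCH_ENDPOINT = "https://iris.domaintools.com/investigate/search/"
# Operators from the guided-search table above.
GUIDED_OPERATORS = ("!=", "<>", ">=", "<=", ":", "=", ">", "<")
# shortcode, operator, double-quoted value; longer operators listed first so '>=' is not read as '>'.
_GUIDED_RE = re.compile(r'^([a-z_]+(?:\.[a-z_]+)*)(!=|<>|>=|<=|:|=|>|<)"([^"]*)"$')
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def refang(value):
    """Restore de-fanged input: example[.]tld -> example.tld, 4[.]2.2.2 -> 4.2.2.2."""
    return value.strip().replace("[.]", ".")


def guess_type(value):
    """Mirror the search bar's guess: 'ip', 'domain', or 'text' (e.g. a bare ASN number)."""
    v = refang(value)
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    return "domain" if _DOMAIN_RE.match(v) else "text"


def guided_query(shortcode, operator, value):
    """Build a guided-search string such as ip.asn:"209242" or ip.asn!="209242"."""
    if operator not in GUIDED_OPERATORS:
        raise ValueError(f"unsupported guided-search operator {operator!r}")
    value = refang(str(value))
    if '"' in value:
        raise ValueError("value must not contain double quotes")
    return f'{shortcode}{operator}"{value}"'


def parse_guided_query(query):
    """Split ip.asn:"209242" into (shortcode, operator, value); None for a generic search."""
    m = _GUIDED_RE.match(query.strip())
    return (m.group(1), m.group(2), m.group(3)) if m else None


def search_url(query, encode=True):
    """Wrap a query in the search URL. encode=False reproduces the readable form from this guide."""
    q = quote(query, safe="") if encode else query
    return f"{SEARCH_ENDPOINT}?q={q}"


if __name__ == "__main__":
    asn_query = guided_query("ip.asn", ":", "209242")
    print(search_url(asn_query, encode=False))
    print(search_url(asn_query))
    print(guess_type("4[.]2.2.2"), guess_type("domaintools.com"), guess_type("209242"))
```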

Viewing results in the web UI

A search opens the Iris Investigate web UI, which is also the place to start when returning to a recent search or continuing an investigation. Interact with search results through the three major components of the Iris Investigate web UI:

  1. The Search Area, including a navigable 'breadcrumb' investigation graph.
  2. The Panel Navigation, Tabs, and Selector, for navigating and re-ordering Data Panels.
  3. The Results Panel, which begins with the Pivot Engine in the leftmost spot.

Viewing results in the web UI

Review the results of the search query in the Pivot Engine panel:

  • If Iris Investigate provides a single domain for the search, it populates the Data Panels with information for that domain.
  • If the search query returns multiple domains, Iris Investigate lists multiple entries in the Pivot Engine, and populates the remaining Data Panels with the domain selected.

The Data Panels remain populated with the selected domain's information while creating new branches, or performing searches with no results. This means that the active domain remains populated in the Data Panels until a different domain is selected.

From Advanced Search, selecting either RDAP or WHOIS in place of "auto"

Searches by default use registration data. From Advanced Search, a new "auto" mode searches on the registration data for the given field. To search specifically against RDAP or WHOIS, change the "auto" value from "auto" to the protocol-specific option.

Pivot engine

The concept of a "pivot" is fundamental to many investigations—that is, given a starting point, discover connections to one or more related items. For example, if the starting point is a domain lookup, a common pivot is on the email address of the registrant of the domain. This pivot shows all of the other domains in the DomainTools database that are connected to that email address. Many data points serve as pivots—IP addresses, registrant names, name servers, etc. Most data types shown in Iris Investigate can function as pivot points.

Execute advanced searches directly from search results by pivoting on specific data points. Pivots advance the investigation by modifying the search with data selected from search results.

The Pivot Engine aggregates search results, displaying key data points which can be pivoted on or explored further in the relevant associated data panel.

Right-clicking on a data point brings up the Operations Menu, which pivots on or (with many data types) further inspects the data.

The operations menu

Pivoting with the operations menu

To pivot on a data point:

  1. Right-click the data point. The Operations Menu appears.
  2. Select one of the following options:
     • Narrow Search - Creates an AND search combining the original query with this value (narrows results)
     • Expand Search - Creates an OR search combining the original query with this value (expands results)
     • New Search - Starts a new search using only this value
     • Exclude - Excludes results containing this value from the current search

These operations mirror the options available in the advanced search panel.

Pivoting with RDAP and WHOIS

Right-clicking a registration data point shows the count for the registration data and, below it, the data for each of RDAP and WHOIS. By default, either the RDAP or the WHOIS value appears normally and the other is dimmed. This signifies which protocol has been chosen for populating Registration data: the one that isn't dimmed is the one used.

RDAP results appearing normally during a guided pivot, while WHOIS is de-emphasized

The counts for guided pivots are likewise based on registration data, not just WHOIS data. When the RDAP record is used over the WHOIS record to populate registration data, the RDAP data is included in the counts for guided pivots. That means data points like emails and contact information have counts that bridge RDAP and WHOIS, making the transition from WHOIS to RDAP seamless in most cases.

Viewing current and historical email results

Pivoting with historical results

To filter for historical results when pivoting:

  1. Right-click a historical-compatible field that contains pivotable data.
  2. Select the magnifying glass icon. The system loads domains that share the value.
  3. Toggle between the following options:
     • Current Only - Shows only current matches
     • Historical Only - Shows only historical matches
     • Current & Historical - Shows both current and historical matches

Previewing and inspecting results with the operations menu

In addition to the filter controls for pivots, the Operations Menu offers preview and inspection information, depending on the type of data selected.

When selecting a domain, the Operations Menu links to domain-specific information across multiple Data Panels.

When selecting a non-domain field (for example, IP address, contact information), the Operations Menu displays:

  • The number of domains that share that value.
  • The option to list and further investigate those domains from a side panel (for guided pivots).
  • A link to investigate the data point in the pDNS panel.
  • The Domain Risk Score.

The Operations Menu also displays information specific to the type of field selected. For example, right-clicking an IP shows IP Profile, Ping, Traceroute, and PTR. An SSL field provides a link to the SSL Profile.

Guided pivots

Iris Investigate highlights any field that can pivot to 500 or fewer domains, a range that typically indicates a useful investigation target. Often, the smaller the number of pivots, the more useful the connection to another domain. For each of the Guided Pivots, the average risk of the associated domains is shown as a quick indicator of severity.

Configure the threshold or turn off Guided Pivots in settings, accessible from the Product Menu or the settings icon on the top left of the Pivot Engine.

Domain Risk Score

The Domain Risk Score predicts how likely a domain is to be malicious, often before it is weaponized. Consult Domain Risk Score documentation for more information.

Each time you pivot on your results, Iris Investigate moves your investigation forward to a new node in your Search History. Each new node connects to its originating node with a line/edge. Toggle fullscreen mode with h. For a complete list of Iris Investigate UI keyboard shortcuts, consult https://iris.domaintools.com/investigate/help/.

The search history graph codes details about each search node. For example, green nodes indicate your active investigation path, orange nodes indicate searches outside of your active investigation path, and the blue 'document' icon nodes indicate passive DNS (Domain Name System, the internet's address lookup system) results. Consult the Reference section for all Search History indicators.

Return to any point in your investigation by selecting the node, and Iris Investigate loads your Pivot Engine and Data Panels for that query. Continue with new pivots, and Iris Investigate creates a new branch of nodes.

Search history graph showing investigation nodes and connections

Create a new, empty history branch by selecting the + button near the top right corner of the Pivot Engine. Your next query becomes the root node of the new branch. This feature can aid in organizing your investigation. Start a new branch with the current node as the root. To do this, select Manage History > New History Branch > Start it with the Current Search.

Once you delete a node or a branch, you can't recover it.

Annotating in search history with the search node drawer

Hovering over a search node invokes the search node drawer, which can:

  • Highlight nodes with the Mark as Important button.
  • Export this node's search hash to the clipboard.
  • Review and add Search Notes.

Domain search node drawer showing annotation options

When notes exist for a node, a number on the node indicates how many notes it has. The search nodes in your investigation history also indicate (with a number bubble) the Search Notes count, as well as the nodes Marked as Important.

Enter an IP address, domain name, or email address in your notes, and Iris Investigate enables Operations Menus to search or filter directly from the notes.

Tag domains and share tags

Tags attach to domains, include an editable description field, and can be modified by the Iris Investigate APIs. Edit, search, and filter by tag. The Tag Manager displays all the domains associated with a single tag, across your group.

You can apply tags to these and other use cases:

  • Attribution labeling.
  • Threat profile type.
  • Operational status.
  • Inclusion in a specific case.
  • Triage or other status.
  • Programmatic decision-making.

In addition to the API, access tags through the following sections of the Iris Investigate UI:

  • The Pivot Engine lets you modify tags from one or multiple domains by selecting the domains and the Tag button (you can also export tags).
  • The Operations Menu, when opened from a domain, allows you to edit tags for that domain.
  • The Tag Manager (accessible from the Product Menu) displays all tags from your investigations. It also includes tags used in your group: consult the Collaborating section, below.
  • The Stats Data Panel visualizes tags.

Tag Manager interface showing domain tags and descriptions

Your tags automatically share with other users in your group. Your investigations are private by default, but you can also share them to your group.

If you export a Search Hash to a user outside of your group, your tags aren't visible.

Product menu

Create or open investigations, start an ad-hoc search, adjust the layout, or return to the home page from the navigation column. Click "Iris Investigate" in the upper left corner to open it. The Product Menu contains the Settings menu.

Product menu showing investigation management options

Collaboration

Groups

A Group consists of the other Iris Investigate users at your company.

Search hashes

Search Hashes share a specific search to anyone with Iris Investigate, including people outside of your group. Search hashes reproduce search terms, but don't include tags or other investigation-specific information. The Investigate API can also use search hashes to query for the results of an advanced search first created through the Investigate web UI.

Sharing investigations

By default, investigations are private to the originating user.

To share an investigation with your group:

  1. Open the Product Menu.
  2. Hover over your active investigation.
  3. Select Edit Investigation.
  4. Choose an access level for group members:
     • View - Read-only access to the investigation
     • Add branches - Can add new search nodes
     • Delete branches - Can delete search nodes
  5. Select Save.

Investigation sharing dialog with access level options

When another user creates a new search node in your shared investigation, that node appears in Search History with a sharing icon and triggers a browser notification.

Shared investigations appear in your investigation list in the Product Menu under the heading Investigations shared with you.

To unshare an investigation, repeat the steps above and remove the sharing permissions. The investigation disappears for other group members.

Reporting

The Generate Investigation Report button in the Product Menu creates a PDF (Portable Document Format) containing the following information:

  • Title and description.
  • Investigation path in tabular form, and including search notes.
  • Pivot Engine data in tabular form, with columns matching your Pivot Engine Panel columns. For search results numbering over 500, the report includes the page of Pivot Engine results that are displayed at the time of generation.
  • Statistics, via the Stats Data Panel.
  • Visualizations, generated from the current appearance of the Visualization Data Panel (large result sets may not display well in this format; download high-res images from the Visualization Data Panel directly).

The system generates reports from the viewpoint of the current selected node in your investigation. For a report of the full investigation, select the final node before generating the report. The Stats, Visualization, and Pivot Engine Data Panels must be displayed in the investigation UI in order for their contents to be included in the report.

Export pivot engine results

To export your Pivot Engine results:

  1. Locate the DOWNLOAD button near the top of the Pivot Engine Data Panel, next to the page navigation controls.
  2. Select DOWNLOAD.
  3. Choose an export format:
     • CSV - Comma-separated values for spreadsheet applications
     • STIX 1.2 - Structured Threat Information Expression format version 1.2
     • STIX 2.0 - Structured Threat Information Expression format version 2.0

The export includes your full Pivot Engine table. Fields containing multiple values have repeated columns to maintain a single value per table element.

Multiple Iris Investigate data panels contain web-related data that the web crawler gathers.

Default web crawler behavior

  • Gathers data upon first discovery of a domain
  • For domains with a risk score of 70 or higher: Automatically gathers data every 3 months
  • For domains watched in Iris Detect: Gathers data daily

To update web-related data outside of these default settings:

  1. Navigate to one of the following data panels:
     • Pivot Engine
     • Screenshot History
     • Domain Profile
     • SSL Profile
  2. Select the Update Content button. The web crawler queues the domain(s) for data collection.

The web crawler gathers the following data types:

  • Screenshot
  • Website title
  • Website response code
  • Redirect domain
  • Server type
  • Website trackers
  • SSL certificate aspects

Data panels

Iris Investigate uses Data Panels to present domain information in containers.

Navigate Data Panels with the Data Panel Tabs, and select which Data Panels are visible through the 'hamburger' menu on the far right of the ribbon.

You can resize Data Panels with the 'resize' icon on the far right of the Data Panel's title ribbon. Most panels have settings options, accessible through the settings icon in the panel's title bar.

The Operations Menu and Pivot Engine can invoke context-appropriate Data Panels, as can other Data Panels.

Domain Profile Data Panel

The Domain Profile Data Panel serves as a snapshot of all domain related data in one data panel. It is especially useful for getting an overview of the domain-related data, and choosing the next data panel to review for your investigation.

The Domain Profile panel shows the following information:

  • Domain name.
  • Domain Risk Score.
  • Screenshot.
  • Recent Passive DNS resolutions.
  • Dates: First Seen date/time, WHOIS Create Date, Expiration Date.
  • Email address(es).
  • Registrant Organization.
  • Registrar.
  • Registrar Status.
  • Name Servers.
  • IP addresses.
  • IP location.
  • ASN.
  • WHOIS History summary.
  • Website title and server type.
  • "Raw" WHOIS record.

RDAP record displayed in Domain Profile

Domain Profile - RDAP Content

A new element at the bottom shows the most recent parsed RDAP record. You can alternatively toggle to view the WHOIS record. You can copy the raw RDAP record's JSON (JavaScript Object Notation, a data format) to the clipboard for viewing in a code editor of your choice. When the Parsed RDAP record uses data from both the registry and registrar, you can choose which record to copy to your clipboard.

Domain history data panel

Domain History shows how a domain has evolved over time. It replaces the legacy Hosting History service, covering many more fields and all domains tracked by DomainTools.

The tracked data elements include:

| Data element | Description |
| --- | --- |
| Status | When DomainTools sees a domain as newly active, or when we've successfully resolved a domain to an A, MX, or NS in DNS within the last 10 days |
| WHOIS data | Create/expiration dates, registrar and registrant names, contact emails, and more |
| DNS data | Results of daily DNS resolutions for A, NS, MX, and SOA records |
| Web content | Website title, response code, server type, trackers, and more |
| Screenshots | The date/time when a new screenshot is captured |
| SSL Certificate updates | The SHA-1 hash, validity dates, Issuer Common Name, and up to the first 5 Subject Alt Names |

The system tracks each data element for differential changes, and generates records when a value in a tracked field changes. The newly added element is shaded green and also has a short vertical bar. Unchanged elements have no special formatting.

Filter the list by primary and secondary categories in the Domain History: Fields Settings menu, accessible through the gear icon on the left of the Domain History panel title bar. Show or hide the resulting subset of results by toggling the Field button, located in the panel's column rows.

Domain History versus Historical pDNS and WHOIS data

Domain History is available for over 98% of active domains, and for all domains created since 2021. For some domains, additional historical information is available in the legacy Hosting History Data Panel (via the Investigate UX), and in 20+ years of records in the WHOIS History Data Panel.

Screenshot History Data Panel

The Screenshot History data panel provides an index of dates for which DomainTools has an archived screenshot for the domain. If Screenshot History is empty, select the Update Content button to queue the web crawler to gather an updated screenshot for the domain (typically available within five minutes, and up to 24 hours).

When multiple historical screenshots are available, browse through them using < or >.

Stats Data Panel

The Stats Data Panel shows the number of occurrences of each data point within the displayed result set, and can help you gauge how strongly the domains in your Pivot Engine are connected. For some fields, such as dates and Domain Risk Score, the system groups the domains into sets rather than listing each individual value.

Each of the data types is represented graphically (a map for IP country and pie charts for all others), organized in a table.

In the settings menu within the Stats Panel, under Sorting, you can order guided pivots first.

Stats aggregates data for the first 2,500 records in the results set.

Visualization Data Panel

The Visualization Data Panel is a visual representation of connections between domains in the Pivot Engine. It depicts domains as blue nodes; the legend in the upper left shows the color-coding for the other node types. A domain node is drawn either as a normal-sized or a larger dot: the larger dots represent domains with a Domain Risk Score of 70 or higher. The legend also shows how many instances there are of each field in the graph. Select Edit Fields to choose up to 4 fields (plus domain) to view.

Double-clicking a domain or IP address node makes it the current domain and populates all domain-centric panels. When you hover over a node on the graph, that node and those directly connected to it are highlighted. Zoom in and out on the graph, and drag an item in the Force layout to put the most interesting data in the center.

The Link Degree slider in the lower-right lets you filter out data that have too many or too few connections.

Node inspector

Use the Node Inspector on the right of the panel to view the values for each of the fields. You can search for a specific value or filter by field, and perform guided pivots.

This is a great way to see a list of all the different values used by the domains in the pivot engine for a specific field (data point).

Passive DNS (pDNS) Data Panel

Passive DNS (pDNS) shows current and past domain-to-IP resolutions, together with the first-seen and last-seen timestamps and relative dates that bracket when a given resolution was observed.

Query pDNS data from a search, or as a pivot with the Operations Menu. The pDNS data in Iris Investigate include the following record types:

| Record type | Description |
| --- | --- |
| A | IPv4 resolutions for domains and subdomains/hostnames (by default, the pDNS panel shows A records only) |
| AAAA | IPv6 resolutions for domains and subdomains |
| NS | Name server |
| SOA | Start Of Authority email addresses and name servers |
| MX | Mail server host names and IP addresses |
| CNAME | Alias records mapping one hostname to another |
| TXT | Optional catch-all record that may contain arbitrary descriptive information |

The pDNS panel includes a Flexible/Regex scope that uses Farsight Compatible Regular Expressions (regex) to match domain, subdomain, and label patterns. Use this search mode to discover related infrastructure and identify naming patterns.

Use Flexible/Regex search to discover domains and subdomains based on patterns rather than exact matches. This search mode excels at exploration when you know general patterns but not specific names.

Flexible/regex search panel

For a comprehensive introduction to flexible search concepts and additional examples, consult the Introductory Guide to Flexible Search with DNSDB Scout.

Use flexible/regex search to:

  • Discover domains sharing naming patterns (for example, domains from the same domain generation algorithm campaign)
  • Find domains matching brand or keyword patterns across unknown TLDs
  • Find subdomains containing specific terms, for instance brand names of interest
  • Identify related subdomains when you know the pattern but not the complete Fully Qualified Domain Name (FQDN)

Use standard search when:

  • You know specific domains or subdomains to investigate
  • You need complete metadata (timestamps, observation counts, bailiwick information)

Two-stage investigation workflow

Flexible/regex search works best as the first step in a two-stage investigation:

  1. Discovery stage: Use flexible/regex search to find domains and subdomains matching your patterns
  2. Investigation stage: Pivot the discovered domains to standard search, Pivot Engine, or Domain Profile for detailed analysis with complete metadata

Standard search can't match partial labels or patterns. Flexible/regex search prioritizes broad pattern discovery over detailed metadata, making it ideal for the initial exploration phase.

Get started with flexible/regex searches

Note: Flexible/regex searches use only Source D (a pDNS data provider). Unlike standard search, which can query all sources simultaneously, Flexible/Regex searches automatically lock to Source D.

Simple keyword searches

If you're unfamiliar with regex syntax, enter simple keywords directly in the query field with Flexible Search. The system searches for domains containing those terms. For example, the keyword search for cyber will find domains containing "cyber".

Simple keyword searches work well for discovering domains related to specific brands, topics, or themes without constructing complex regex patterns.

Use regex patterns

The Flexible/regex scope accepts Farsight Compatible Regular Expressions. Enter regex patterns directly in the query field to match domain names based on complex patterns.

  • . matches any single character
  • * matches zero or more of the preceding character
  • + matches one or more of the preceding character
  • ? makes the preceding character optional
  • ^ matches the start of the string
  • $ matches the end of the string
  • [abc] matches any character in the brackets
  • [^abc] matches any character not in the brackets
  • {n} matches exactly n occurrences
  • {n,m} matches between n and m occurrences
  • (pattern) groups patterns together
  • | acts as OR between patterns
  • \ escapes special characters

Example regex searches:

| Regex pattern | Description |
| --- | --- |
| rolex | Simple keyword match |
| www\..*-paypal- | Matches domains with "www." followed by any characters, then "-paypal-" |
| wel{3,6}sfargo | Matches three to six l's: "welllsfargo" through "wellllllsfargo" |
| ^drupal-hosting-web-cluster[0-9]+-prod\.uoregon\.edu\.$ | Matches a specific hosting cluster naming pattern, anchored to the full name |
| ^[[:digit:]]{4}\.news\.$ | Returns domains matching a DGA campaign in the .news TLD, such as 0000.news |

Important considerations:

  • Escape special characters with a backslash: \. for literal dot
  • Regex patterns are case-sensitive by default
  • Complex patterns may take longer to execute
  • Test patterns with simpler queries first to ensure they match as expected

Flexible/regex search supports only regex mode. If you're familiar with glob mode from other DNSDB tools, glob patterns aren't supported in Iris Investigate's flexible/regex scope. All patterns must use regex syntax.
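To check the patterns from the table above offline before spending pDNS quota, here is an added example (not part of this guide and not DomainTools tooling). Python's re module does not understand the POSIX bracket classes that Farsight Compatible Regular Expressions accept, so the script translates [[:digit:]] and similar classes first; it also assumes patterns are matched against fully qualified names with a trailing dot, as the \.$ anchors in the table imply. The sample names are constructed.

```python
import re

# POSIX bracket classes accepted by Farsight Compatible Regular Expressions
# but not by Python's re module. Mapping them to ranges is an assumption
# made here for offline testing; it is not DomainTools' implementation.
_POSIX_CLASSES = {
    "[:digit:]": "0-9",
    "[:alpha:]": "a-zA-Z",
    "[:alnum:]": "a-zA-Z0-9",
    "[:upper:]": "A-Z",
    "[:lower:]": "a-z",
}

# Patterns copied from the table above (the guide's own examples).
PAGE_PATTERNS = [
    r"rolex",
    r"www\..*-paypal-",
    r"wel{3,6}sfargo",
    r"^drupal-hosting-web-cluster[0-9]+-prod\.uoregon\.edu\.$",
    r"^[[:digit:]]{4}\.news\.$",
]

# Constructed sample names; none of these are real observations.
SAMPLE_NAMES = [
    "rolex.example",
    "ROLEX.example",                       # case differs: no match for "rolex"
    "www.login-paypal-verify.example",
    "www.paypal.com",                      # no hyphenated "-paypal-"
    "we" + "l" * 2 + "sfargo.example",     # two l's: below the {3,6} minimum
    "we" + "l" * 3 + "sfargo.example",
    "we" + "l" * 6 + "sfargo.example",
    "drupal-hosting-web-cluster12-prod.uoregon.edu",
    "drupal-hosting-web-cluster-prod.uoregon.edu",   # no cluster number
    "0000.news",
    "12345.news",                          # five digits, not four
    "0000.news.example",                   # .news is not the last label
]


def to_python_regex(pattern: str) -> str:
    """Rewrite POSIX bracket classes into ranges that Python's re understands."""
    for posix, python_range in _POSIX_CLASSES.items():
        pattern = pattern.replace(posix, python_range)
    return pattern


def as_fqdn(name: str) -> str:
    """pDNS names are fully qualified, so anchors such as \\.$ expect a trailing dot."""
    return name if name.endswith(".") else name + "."


def match_names(pattern: str, names):
    """Return the names the pattern matches. Matching is case-sensitive and
    unanchored unless the pattern uses ^ or $, as the guide describes."""
    compiled = re.compile(to_python_regex(pattern))
    return [name for name in names if compiled.search(as_fqdn(name))]


def main():
    for pattern in PAGE_PATTERNS:
        print(pattern)
        for name in match_names(pattern, SAMPLE_NAMES):
            print(f"    {name}")


if __name__ == "__main__":
    main()
```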

Understanding the interface

When you select the flexible/regex scope, the pDNS panel interface adapts to support regex pattern matching:

  • The results table differs from a Standard Search by omitting timestamps, observation counts, and bailiwick information. Trigger Standard Searches from the results.
  • The query field displays regex syntax indicators to help you construct valid patterns
  • Visual markers show when your input is being interpreted as a regex pattern
  • Hover tooltips provide inline guidance for regex syntax

Technical reference

Supported record types

The following table shows which record types support query and response directions in flexible/regex searches:

| Record type | By query | By response |
| --- | --- | --- |
| ALL | Yes | Yes |
| A | Yes | No |
| AAAA | Yes | No |
| CNAME | Yes | Yes |
| MX | Yes | Yes |
| NS | Yes | Yes |
| SOA | Yes | Yes |
| TXT | Yes | Yes |

A and AAAA records only support searching by query, not by response.

Understanding results

Flexible/regex search results differ from standard search results:

  • No timestamps
  • No observation counts
  • No bailiwick information
  • Data normalization: The system strips MX record priorities and SOA timing information from the results to match Iris Investigate's data format expectations
  • Export formats: CSV and JSON exports include only the available fields (no timestamp, count, or bailiwick columns), making export files structurally different from standard search exports

After discovering domains with flexible/regex search, pivot them to standard search (using the right-click menu) to access complete historical data, observation counts, and other metadata.

Performance optimization

Flexible/regex searches run slower than standard searches due to pattern matching complexity. Improve performance with these strategies:

  • Narrow results by selecting specific Record Type values instead of ALL
  • Apply Time Fencing to limit the search to specific date ranges
  • Start with more specific patterns and broaden only as needed
  • Test complex patterns with simpler queries first

Time fencing

Filter pDNS results by date using Seen After and Seen Before fields. The Strict mode (enabled by default) controls which observations appear:

  • Strict ON (default): Shows only observations that fall entirely within the specified date range. Aligns with DNSDB Scout behavior.
  • Strict OFF: Shows observations that overlap with the date range, even if they extend beyond it.

Understanding pDNS results

The pDNS panel displays results in columns that provide context about each DNS observation:

Query : The Fully Qualified Domain Name (FQDN), domain, or subdomain that was queried via DNS. Also known as the question, left-hand-side data, or RRNAME.

Source : The pDNS provider that supplied this observation. The pDNS panel in Iris Investigate aggregates data from multiple sources, and this column identifies which source provided each specific observation.

Type : The DNS record type for this observation (A, AAAA, CNAME, MX, NS, SOA, or TXT). Also known as RRTYPE.

Count : The number of times this specific combination of Query, Type, and Response has been observed by the Source. Since pDNS sensors are positioned above the Recursive DNS Server layer and capture "cache misses" (DNS lookups made when the answer isn't already cached locally or in the Recursive DNS Server), the count doesn't represent the total traffic volume to a website or the number of emails sent to/from a mail server.

Response : The answer provided by the authoritative name server to the DNS query. The bailiwick is the DNS zone that has authority to answer queries for a particular domain. The data type shown depends on the DNS record Type: IPv4 addresses for A records, IPv6 addresses for AAAA records, name server hostnames for NS records, and so on. Also known as the answer, right-hand-side data, or RDATA.

First Seen : A timestamp indicating when the pDNS source first captured this observation. When only a date appears without an associated time, the pDNS source doesn't provide time-level granularity.

Last Seen : A timestamp indicating when the pDNS source most recently captured this observation. When only a date appears without an associated time, the pDNS source doesn't provide time-level granularity.

Duration : The time span between First Seen and Last Seen. This is a DomainTools metadata field, not part of DNS itself, that shows at a glance how long the DNS record set (RRSET) has been observed. A tilde (~) indicates an approximate time frame, typically shown when the pDNS source doesn't provide exact timestamps.
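The Strict toggle of Time fencing and the Duration column, worked through on constructed observations (an added example, not the panel's implementation): the "entirely within" versus "overlaps" semantics and the tilde rule follow the descriptions above; treating a missing bound as unbounded and reporting Duration in whole days are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class Observation:
    """One pDNS row: Query, Type, Response plus the First Seen / Last Seen bounds."""
    query: str
    rrtype: str
    response: str
    first_seen: datetime
    last_seen: datetime
    date_only: bool = False   # the source gave dates without times


def duration_label(obs: Observation) -> str:
    """Duration column: Last Seen minus First Seen in whole days. A leading tilde
    marks the value approximate when the source has no time-level granularity."""
    days = (obs.last_seen - obs.first_seen).days
    return ("~" if obs.date_only else "") + f"{days}d"


def time_fence(observations, seen_after=None, seen_before=None, strict=True):
    """Strict ON keeps observations lying entirely within [seen_after, seen_before];
    Strict OFF keeps any observation whose [First Seen, Last Seen] span overlaps it.
    A missing bound is treated as unbounded (assumption)."""
    lo = seen_after or datetime.min
    hi = seen_before or datetime.max
    kept = []
    for obs in observations:
        if strict:
            inside = lo <= obs.first_seen and obs.last_seen <= hi
        else:
            inside = obs.last_seen >= lo and obs.first_seen <= hi
        if inside:
            kept.append(obs)
    return kept


# Constructed sample rows (documentation addresses); no real infrastructure.
D = datetime
SAMPLE_ROWS = [
    Observation("a.example", "A", "192.0.2.10", D(2024, 1, 10), D(2024, 2, 20)),
    Observation("b.example", "A", "192.0.2.11", D(2023, 11, 1), D(2024, 1, 15), date_only=True),
    Observation("c.example", "A", "192.0.2.12", D(2024, 2, 25), D(2024, 6, 1)),
    Observation("d.example", "A", "192.0.2.13", D(2023, 5, 1), D(2023, 9, 1)),
    Observation("e.example", "A", "192.0.2.14", D(2023, 6, 1), D(2024, 12, 1)),
]

# Seen After / Seen Before window used below.
WINDOW = (D(2024, 1, 1), D(2024, 3, 1))


def fenced_queries(strict: bool) -> List[str]:
    after, before = WINDOW
    return [o.query for o in time_fence(SAMPLE_ROWS, after, before, strict)]


if __name__ == "__main__":
    for strict in (True, False):
        print("Strict", "ON " if strict else "OFF", fenced_queries(strict))
    for row in SAMPLE_ROWS:
        print(row.query, duration_label(row))
```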

Apex domains

The pDNS Panel supports searching by apex domain, subdomain, or both. Consult the note in the Searching section for a definition of apex domain.

Query vs Response

Note: This section uses A records as an example. Other record types are also supported.

pDNS data is available from the query and response 'directions':

  • The query direction, also known as rrname, shows historical results for when the domain was queried and IP addresses were returned.
  • The response direction, also known as rdata, shows historical results for when the IP or IP CIDR (Classless Inter-Domain Routing, a method for specifying IP address ranges) range was queried and domain(s) were returned.

The response direction often yields fewer or no records. This is because in DNS A records, the domain is the query and the IP address is the response. If you enter a domain with the toggle set to response, or an IP address with the toggle set to query, and no results appear, try flipping the toggle and re-running the search.

Send results to pivot engine

To send pDNS results to the Pivot Engine:

  1. In the pDNS panel, locate the Send domain results to pivot engine button.
  2. Select Send domain results to pivot engine. The domains from your pDNS results populate the Pivot Engine.

You can then modify or restart your search using pivots on the transferred results.

IP profile data panel

IP Profile is analogous to the Domain Profile panel. It provides key data points as well as the raw WHOIS record for the IP address. Pivot on the IP itself to modify or begin a search on that address.

In most places where an IP address is displayed across Iris Investigate, a magnifying glass icon appears just to the right of the address. Selecting the icon brings up the IP Inspect view, which is a fast way to view the IP Profile and IP Tools data for an IP address without losing your place in the UX.

IP tools data panel

The IP Tools panel provides three tools to investigate IP address information:

  • Ping generally tells you whether the IP address is reachable. When you trigger a ping through the interface, the ping originates from DomainTools and includes no record of your involvement.
  • Traceroute provides insights into the hosting, routing, and reachability of the IP address. As with Ping, when you trigger a traceroute through the interface, it originates from DomainTools and includes no record of your involvement.
  • PTR, the DNS Pointer (PTR) record, is commonly used as a form of Reverse DNS lookup. It shows the CNAME of the IP address, which tells you about the actual owner of the address (often a hosting provider) but not necessarily about the domains that may be hosted on that address.

SSL profile data panel

The SSL Profile panel provides SSL (Secure Sockets Layer) / TLS (Transport Layer Security, protocols for secure encrypted connections) certificate details, including additional potential pivots. When DomainTools finds more than one certificate on a domain, Iris Investigate shows the certificates in separate tabs. For additional information on DomainTools collection and validation processes, consult the SSL Certificate Collection reference section.

You can find the additional pivots from an SSL/TLS certificate in the Extensions -> Subject Alt Name section, from which you can open the Operations Menu. To examine all the domains covered by a certificate, use the ADD TO FILTERS button.

Note that when using the contain operator for SSL Alt Names, the search term must exactly match any substring resulting from the domain being split by dots. For example, in example.domain.com, matches would be generated from example, domain, and com.

WHOIS history data panel

The WHOIS History Data Panel shows, by default, the current WHOIS record for the domain, with a vertical timeline of earlier dates for which DomainTools has a historical WHOIS record.

View changes to WHOIS records with three methods: Side by Side and Inline highlight the differing rows in the WHOIS record, while Raw records show the two records together.

The Operations Menu lists unique emails for pivoting.

Settings

The Product Menu contains the Settings panel.

Pivot engine settings

Guided pivots settings

Configure guided pivot ranges for each available data type.

Historical search settings

In addition to current records, Iris Investigate can find historical records matching email address and registrant information queries. Specifically, the three query types supported are email address, registrant, and WHOIS record contains. By default, historical search is enabled.

Per-search override: on an individual search, turn on or turn off historical queries on the three supported fields. To override, open Advanced search, select the history icon, and re-run your query.

Historical searching can return domains that don't match your query. The reason for this is that at some time in the domain's history, it did match the query. To see the record(s) where the domain matched the query, select See Historical Matches. This opens WHOIS History to the most recent record that matched your search term.

Active and Inactive Domains: Iris Investigate indicates when a domain is inactive with an icon near the domain name in Pivot Engine, and in the Status column. To be marked inactive, the domain must no longer resolve in DNS to an A, MX, or NS record for at least 10 days.

Appendix

To create a URL that links directly to a search in Iris Investigate:

  1. Start with the base URL:

    https://iris.domaintools.com/investigate/search/?q=

  2. Add your search value using one of the following formats:

     For simple domain or IP searches:
       • Append the domain name or IP address directly
       • Example: https://iris.domaintools.com/investigate/search/?q=domaintools.com

     For field-specific searches:
       • Use the appropriate short code followed by the search value
       • Format: shortcode:"value"
       • Example: https://iris.domaintools.com/investigate/search/?q=ip.asn:"209242"

  3. Consult the fields and their corresponding short codes for available search parameters.

Important: Omitting the short code on a field-specific search returns unpredictable results, because Iris may misinterpret which field the search targets.

To create a URL that links directly to a specific data panel:

  1. Start with the base URL and add the domain or IP address:

    https://iris.domaintools.com/investigate/search/?q={DOMAIN or IP}

  2. Add the tab parameter with the appropriate panel identifier:

    &tab=panel-{IDENTIFIER}

  3. Select the appropriate identifier based on your target:

     For domain names:
       • domain-profile - Domain Profile panel
       • domain-history - Domain History panel
       • screenshot-history - Screenshot History panel
       • whois-history - WHOIS History panel
       • ssl-profile - SSL Profile panel

     For IP addresses:
       • ip-profile - IP Profile panel
       • ip-tools - IP Tools panel

Examples

Link to domaintools.com Screenshot History panel:

https://iris.domaintools.com/investigate/search/?q=domaintools.com&tab=panel-screenshot-history

Link to 141.193.213.20 IP Profile panel:

https://iris.domaintools.com/investigate/search/?q=141.193.213.20&tab=panel-ip-profile
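A helper for building these deep links programmatically, added here as an example (not DomainTools code). It uses the base URL, short-code format and panel identifiers from the steps above, percent-encodes the search value (the quotes around a short-code value become %22, which is what a browser sends anyway), and rejects a panel identifier that does not belong to the target type.

```python
from ipaddress import ip_address
from typing import Optional
from urllib.parse import quote

BASE_URL = "https://iris.domaintools.com/investigate/search/?q="

# Panel identifiers listed in the steps above, keyed by target type.
DOMAIN_PANELS = {"domain-profile", "domain-history", "screenshot-history",
                 "whois-history", "ssl-profile"}
IP_PANELS = {"ip-profile", "ip-tools"}


def is_ip(target: str) -> bool:
    """True for an IPv4/IPv6 literal, False for anything else (a domain)."""
    try:
        ip_address(target)
        return True
    except ValueError:
        return False


def search_url(value: str, short_code: Optional[str] = None) -> str:
    """Link to a search. With a short code the value is wrapped as shortcode:"value"."""
    query = value if short_code is None else f'{short_code}:"{value}"'
    # Keep ':' readable; every other character outside the unreserved set is encoded.
    return BASE_URL + quote(query, safe=":")


def panel_url(target: str, panel: str) -> str:
    """Link straight to a data panel; the panel must match the target type."""
    allowed = IP_PANELS if is_ip(target) else DOMAIN_PANELS
    if panel not in allowed:
        raise ValueError(f"panel {panel!r} is not valid for {target!r}")
    return search_url(target) + f"&tab=panel-{panel}"


if __name__ == "__main__":
    print(search_url("domaintools.com"))
    print(search_url("209242", short_code="ip.asn"))
    print(panel_url("domaintools.com", "screenshot-history"))
    print(panel_url("141.193.213.20", "ip-profile"))
```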

Pivot engine table columns (fields)

By default, the Pivot Engine table includes the following fields:

| Field | Description |
| --- | --- |
| Domain | The domain name |
| Status | Active or inactive status |
| Tags | User-defined tags for categorization |
| Domain Lifecycle First Seen | When DomainTools first became aware of the current Domain Lifecycle |
| Domain Risk Score | Calculated risk assessment for the domain |
| Email | Registrant email address |
| Email domain | Domain portion of the registrant email |
| Contact Information | Registrant, administrator, tech, billing, SOA contact details |
| Registrant | Registrant name |
| Registrant Organization | Organization name of the registrant |
| Registrar | Domain registrar |
| Registrar Status | Current registration status |
| Create Date | Domain creation date |
| Expiration Date | Domain expiration date |
| Name Server | Name servers associated with the domain |
| IP | IP address, ISP (Internet Service Provider), ASN, Country |
| Trackers | Web trackers detected via screenshots: Google Adsense, Google Universal Analytics, Google Analytics 4, Google Tag Manager, Baidu, Facebook, Hotjar, Matomo, Statcounter, Yandex |
| Rank | Domain popularity rank |
| Website Response | HTTP response code |
| Website Title | Title of the website |
| Server Type | Web server software type |
| Redirect | Whether the domain redirects |
| Redirect Domain | Target domain for redirects |
| MX Information | Mail Exchanger information |
| SSL certificate Hash | SSL certificate hash value |
| SSL certificate Organization | Organization listed in SSL certificate |
| SSL certificate Subject Alt Names | Alternative names in SSL certificate |
| SSL Certificate Issuer | Certificate authority that issued the SSL certificate |
| TLD | Top-level domain (e.g., .com, .org) for sorting/filtering in large result sets |

SSL certificate collection criteria

Collect SSL certificate data

DomainTools employs three separate methods to gather certificate data:

  1. Certificate Transparency Log Certificates. DomainTools constantly monitors industry-known certificate transparency logs to find newly published certificates. The system collects these in parallel with our web crawler and active collection sources and won't replace certificates gathered through the other methods.

  2. Web Crawler. When gathering web-related data on a domain, the web crawler also attempts to collect a certificate from both the apex domain and www subdomain. This certificate can replace the certificate gathered through active collection if it is more recent.

  3. Active certificate crawls. DomainTools attempts to gather certificates for domains identified on a weekly basis. Found certificates replace the certificate gathered through web crawl if they are more recent.

Validate certificates

  • For certificates the weekly crawl gathers, we check that the requested hostname is in either the cert's Common Name or Subject Alt Names fields. If the hostname isn't present, the system doesn't collect the certificate.
  • The system gathers certificates regardless of the trustworthiness of the issuing Certificate Authority so the broadest set of certificates is available for analysis.
  • The system gathers all certificates, even when their validity dates are outside of the gathering date.
  • There is no support for certificate revocation in current certificate processing.
  • The system doesn't assess the quality or security of the server's SSL/TLS configuration: a server may present a valid certificate but still have a weak SSL/TLS configuration.

For example, consider the self-signed certificates from the SSL Organization "Internet Widgits Pty Ltd".

The certs are self-signed, and can't be trusted publicly, but Iris Investigate still collects and returns them. Some may find certificates of this sort to be useful indicators, notwithstanding their non-public-trust status.
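Two of the name-matching rules on this page in code, as an added example (not DomainTools' implementation): the contain operator for SSL Alt Names described in the SSL Profile section, which compares the search term against whole dot-separated labels rather than arbitrary substrings, and the weekly-crawl check above that the requested hostname appears in the Common Name or Subject Alt Names. Case-insensitive comparison and exact (non-wildcard) hostname matching are assumptions; the certificate fields are constructed.

```python
from typing import Iterable, Set


def alt_name_labels(alt_names: Iterable[str]) -> Set[str]:
    """Split every Subject Alt Name on dots. These labels are what the contain
    operator compares against (case-insensitively, an assumption made here)."""
    labels: Set[str] = set()
    for name in alt_names:
        labels.update(label for label in name.lower().strip(".").split(".") if label)
    return labels


def alt_name_contains(alt_names: Iterable[str], term: str) -> bool:
    """Contain operator for SSL Alt Names: the term must equal a whole label,
    so "domain" matches example.domain.com but "dom" does not."""
    return term.lower() in alt_name_labels(alt_names)


def hostname_in_certificate(hostname: str, common_name: str, alt_names: Iterable[str]) -> bool:
    """Weekly-crawl collection rule: the requested hostname must appear in the
    Common Name or the Subject Alt Names. Exact comparison; wildcard names are
    not described on the page and are not expanded here."""
    wanted = hostname.lower().strip(".")
    candidates = {common_name.lower().strip(".")}
    candidates.update(name.lower().strip(".") for name in alt_names)
    return wanted in candidates


# Constructed certificate fields; this is not a real certificate.
COMMON_NAME = "example.domain.com"
ALT_NAMES = ["example.domain.com", "www.example.domain.com", "mail.domain-secure.net"]


if __name__ == "__main__":
    for term in ("domain", "dom", "domain-secure", "secure"):
        print(f"contain {term!r}: {alt_name_contains(ALT_NAMES, term)}")
    for host in ("www.example.domain.com", "api.example.domain.com"):
        print(f"collect for {host}: {hostname_in_certificate(host, COMMON_NAME, ALT_NAMES)}")
```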

Iris query quotas and duplicate queries

The system measures quotas at the group level and resets them each month. Understanding what counts as quota consumption helps you optimize your usage of Iris Investigate.

For complete details on quota consumption policies, including duplicate query policies, search hash reloading, and revisiting search nodes, consult the Iris API Rate Limits documentation.

Pivot engine queries in the Iris Investigate UI

The following activities consume your quota:

  • Executing an omnisearch (from landing or search pages) that returns results
  • Executing an advanced search that returns results
  • Sending a result to the Pivot Engine (including narrow, expand, new, and exclude functions)
  • Revisiting a search node more than 30 days since it was created
  • Loading new pages in the Pivot Engine
  • Sorting Pivot Engine results

The following activities don't consume your quota (duplicate queries):

  • Queries with identical filter, sorting, and page parameters made within 30 days of a previous query that counted toward quota
  • Reloading a search hash within 30 days of its creation

Passive DNS (pDNS) queries in the Iris Investigate UI

The following activities consume your quota:

  • Executing a search query that returns results (from either the search field or popovers throughout the UI)
  • Executing/triggering the load more (infinite scroll) function in search results
  • Revisiting a search node more than 30 days since it was created

The following activities don't consume your quota (duplicate queries):

  • Queries with identical parameters (filters, sorting, pagination) made within 30 days of a previous query that counted toward quota

Queries in the Iris Investigate API

The following activities consume your quota:

  • Executing a query
  • Loading additional pages of results

The following activities don't consume your quota (duplicate queries):

  • Identical queries made within 1 hour of a previous query that counted toward quota