How do I navigate to Iris Investigate from Iris Detect and back?

In Iris Detect, the Action button offers an option to send the selected domain(s) to Iris Investigate. This opens Investigate in a new tab. There is no UI-based path back to Detect; the user simply switches to the tab with Detect open.

What is the main difference between the Iris Investigate API and the Iris Enrich API?

The Iris Enrich API was developed to take advantage of the vast amount of data available in the Iris dataset and is typically implemented in a SIEM solution, such as Splunk , or a custom-built data analytics platform using open-source solutions like the ELK stack. As the primary use case is bulk data enrichment, it is therefore optimized for fast response and high volume lookups, therefore it does not offer most of the search parameters available in the Iris Investigate API. Instead it accepts a list of up to 100 comma separated domains in the domain parameter.

How does historical Reverse Whois searching work in Iris?

There are three query types for which Iris can search back through over 15 years of historical Whois records:
– Email address
– Registrant
– Whois Record Contains
By default, historical searching is enabled on these fields, though it can be turned off via the Settings menu in Pivot Engine.
When you search on an email address or on a word (or more than one word) in the main search box, Iris searches current as well as historical records for domains that do, or did, match the term.
Example: Bob Grommetsworth owns the domain bobsawesomedomain.com and registered it with the email address bob@alicesawesomefreeemailservice.com. Bob also at one time registered bobandalicesweddingregistry.com but let it expire and someone else owns it now. If you search in the Iris search box for bob@alicesawesomefreeemailservice.com, Iris will return both of these domains, because one of them does match the email address, and the other did match it.
Likewise, if you search on Bob Grommetsworth in the search box, you will see both of the domains. And, if Bob registered another domain using the name grommetsworth, bob, this, too, will match and be listed among the results. For the historical searches, order does not matter, and the search is case-insensitive. The technical reason for this is that, “under the hood,” Iris actually makes two simultaneous queries to different data sources. The current records are searched with a “Registrant Matches” operator, while the historical records are searched with a “Whois Record Contains” operator–the latter of which is case- and order-insensitive.

How can a non-registered domain possibly resolve?

These are edge cases, but sinkholed domains sometimes resolve even when not registered. ISPs also sometimes do “tricks” to present a page to users when users search on a non-existent domain.

I see “See Historical Matches” on a current domain. Why is this?

As soon as DomainTools has any history at all for a domain, that domain has historical records that match your search–even if “historical” means “yesterday.” The most common use of the “See Historical Matches” control is for the case where the current domain record does not match the search term, but a record sometime in the past did.

I searched on a name and got some results that don’t correspond to the name I searched on. What causes this?

The historic record matching is based on a “Whois Record Contains” query. This query is broad; it is case-insensitive and order doesn’t matter. If you search on the name “Bob Grommetsworth,” all of the following would match:
– Bob Grommetsworth
– bob grommetsworth
– grommetsworth bob
– Joe Bob Grommestworth III

I did a search using “Registrant Exactly Matches” but now I can’t find the history symbol and I’m not finding an older domain that I believe should match. Is this a bug?

No. “Exactly Matches” is not compatible with our historical database format, so the only way to find historical registrant names is to use “Registrant Matches” or “Whois Record Contains.”

I have Guided Pivots enabled and I see an item that seems like it should be highlighted because the count is below my threshold, but it’s not highlighted. What’s going on?

This usually happens when that term was already part of your search. Guided Pivots is designed to point out new pivots that may help your investigation. Once you have pivoted on a highlighted term, that term won’t be highlighted thereafter.

Where do I find the controls for Guided Pivots?

In the Settings menu at the upper-left corner of the Pivot Engine. Note that this is not the upper-left of the entire Iris screen.

Where did the View control in Pivot Engine go?

Views settings are in the Settings menu at the upper-left corner of the Pivot Engine.