DomainTools Iris Investigate

Map connected infrastructure to get ahead of threats. Iris Investigate delivers dozens of domain-related attributes on every result including Risk Score, DNS, Whois, SSL, and more. It enables easy pivoting through different domain infrastructure and exposes meaningful insights with connection counts on most data fields. The Iris Investigate API is best suited for human-scale interactions, up to 20 lookups per minute. Use the optional Iris Enrich integration for higher volume lookups, up to 6,000 domains per minute.

Available Playbooks

• DomainTools Iris Investigate Domain Playbook - Given a domain or set of domains associated with an incident, return Whois, MX, DNS, SSL and related indicators from Iris Investigate, highlighting fields where fewer than 200-400 domains share an attribute.
  
• DomainTools Iris Investigate Domain Risk Score Playbook - Given a domain or set of domains associated with an incident, return the risk scores and adjust the severity of the incident if a high risk domain is observed. Add the risk scoring details in the comments of the incident.
  
• DomainTools Iris Investigate Guided Pivots Playbook - Given a domain, return Whois, MX, DNS, SSL and related indicators from Iris Investigate, highlighting, and automatically querying for related domains sharing an attribute with the one in the incident.
  
• DomainTools Iris Investigate Malicious Tags Playbook - Track the activities of malicious actors using the Iris Investigate UI, tagging domains of interest. Given a domain or set of domains associated with an incident, query Iris Investigate for information on those domains, and if a specified set of tags is observed, mark the incident as “severe” in Sentinel and add a comment.
  
• DomainTools Iris Enrich Domain Playbook - This playbook uses the DomainTools Iris Enrich API, which we recommend over Iris Investigate for high-volume API lookup activities, up to 6,000 domains per minute. It is able to provide domain infrastructure information for a domain or set of domains associated with an incident. If your account is provisioned for Iris Enrich, use the Iris Enrich endpoint to return Whois, mailserver, DNS, SSL and related indicators from Iris Enrich for a given domain or set of domains.
  
• DomainTools Iris Investigate URL Playbook - Given a URL or set of URLs associated with an incident, return all DomainTools Iris Investigate data for the extracted domains from the URL as comments in the incident.
  
• DomainTools Iris Investigate With Farsight pDNS Playbook - Given a domain or set of domains associated with an incident, enrich the domain using the DomainTools Iris Investigate API, returning Whois and infrastructure details. Subsequently retrieve associated subdomains from passive DNS information seen in DNSDB. A separate Farsight DNSDB API subscription is required
  

Pre-requisites

You will need the following:

• A Microsoft Power Apps or Power Automate plan with custom connector feature
  
• An Azure subscription
  
• DomainTools API Username
  
• DomainTools API Key Provisioned for Iris Investigate and optionally Iris Enrich and Farsight DNSDB if using those playbooks
  

How to Get Credentials

Contact sales@domaintools.com

Support

For all support requests and general inquiries you can contact enterprisesupport@domaintools.com