Overview
The vast amount of data available in the Iris dataset for domain names makes it ideally suited to enrich proxy and DNS logs at scale across an organization. Typically this would be implemented in a SIEM solution, such as Splunk or QRadar, or a custom-built data analytics platform using open-source solutions like the ELK stack.
Key characteristics of the Iris Enrich API include:
- Enrich at least 6,000 domains per minute with multiple attributes, including:
- Domain risk scores from proximity and threat profile algorithms
- Whois, IP, active DNS, website & SSL data
- Dedicated service levels for customized rate limiting
- Optimized for domain name enrichment – pivot parameters not available
API Endpoint:
The API returns JSON results and supports both POST and GET requests at this endpoint:
https://api.domaintools.com/v1/iris-enrich/
Authentication:
The Iris Enrich API uses the same authentication mechanisms as the Iris Investigate API (open-key or signed). However, unlike the Investigate API, the Iris Enrich API uses an independent service level to define access levels, query caps and rate limits. It does not pull from the same queries as the Iris Investigate UI and can therefore be used at much greater scale and throughput. That means the API endpoint must be explicitly configured on an enterprise account.
Parameters:
Because the Iris Enrich API is optimized for fast responses and high volume lookups, it does not offer most of the search parameters available in the Iris Investigate API. Instead, simply provide a list of up to 100 domains in the domain parameter (comma separated).
For example:
https://api.domaintools.com/v1/iris-enrich/?domain=domaintools.com,domaintools.net
Response Format:
The Iris Enrich API response format differs from the Investigate API in several key ways, including:
- Counts of connected domains are not included
- Most domain attribute values still appear under the “value” subkey for consistency with the Investigate API.
- An additional “missing_domains” key is included which lists any domains submitted in the domains parameter that were not found in the Iris dataset. This makes it easier to know if no data was available for one or more of the domains you requested in a batch query.
- Account Information
- Brand Monitor
- Domain Profile
- Domain Reputation
- Domain Risk Score
- Domain Search
- Hosting History
- IP Monitor
- IP Registrant Monitor
- Iris Detect
- Iris Enrich
- Iris Investigate
- Iris Pivot
- Name Server Monitor
- Parsed Whois
- PhishEye
- Registrant Monitor
- Reverse IP
- Reverse IP Whois
- Reverse Name Server
- Reverse Whois
- Whois History
- Whois Lookup