The iocDatabaseInfo() GraphQL query returns information on the IOC database used by the LogScale instance.

For more information on the CrowdStrike IOC (indicator of compromise) database, see the IOC Configuration page.

Syntax

Below is the syntax for the iocDatabaseInfo() query field:

graphql
iocDatabaseInfo: CrowdStrikeIocStatus!

This is a moderately straightforward query field. You'd replace CrowdStrikeIocStatus with curly brackets and a list of the fields you want returned. Below is an example:

Raw
graphql
query {
  iocDatabaseInfo {databaseTables {
    name, status, lastUpdated, count
  }}
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query { iocDatabaseInfo { databaseTables { name, status, lastUpdated, count } } }"}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "query { iocDatabaseInfo { databaseTables { name, status, lastUpdated, count } } }"}'
Windows Cmd and curl
shell
curl -v -X POST %YOUR_LOGSCALE_URL%/graphql ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\" : \"query { iocDatabaseInfo { databaseTables { name, status, lastUpdated, count } } }\"}"
Windows Powershell and curl
powershell
curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '{"query" : "query { iocDatabaseInfo { databaseTables { name, status, lastUpdated, count } } }"}' `
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl
use strict;
use warnings;

use HTTP::Request;
use LWP::UserAgent;

# The API token and the base URL are read from the environment rather than hard-coded
my $TOKEN = $ENV{'TOKEN'};
my $uri   = "$ENV{'YOUR_LOGSCALE_URL'}/graphql";

# The query is kept on one line: a JSON string must not contain raw newlines
my $json = '{"query" : "query { iocDatabaseInfo { databaseTables { name, status, lastUpdated, count } } }"}';

my $req = HTTP::Request->new("POST", $uri);

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content($json);

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request($req);

print $result->content, "\n";
Python
python
#! /usr/local/bin/python3

import os
import requests

# The base URL and the API token are read from the environment rather than hard-coded
url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
token = os.environ["TOKEN"]

query = """query {
  iocDatabaseInfo {databaseTables {
    name, status, lastUpdated, count
  }}
}"""

# json= serialises the query (escaping its newlines) and sets Content-Type for us
resp = requests.post(url,
                     json={"query": query},
                     headers={"Authorization": f"Bearer {token}"})

resp.raise_for_status()
print(resp.text)
Node.js
javascript
const https = require('https');

// The base URL and the API token are read from the environment rather than hard-coded
const target = new URL(process.env.YOUR_LOGSCALE_URL + '/graphql');

// JSON.stringify escapes the newlines inside the query string for us
const data = JSON.stringify({
  query: `query {
  iocDatabaseInfo {databaseTables {
    name, status, lastUpdated, count
  }}
}`,
});

const options = {
  hostname: target.hostname,
  path: target.pathname,
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (chunk) => {
    body += chunk;
  });
  res.on('end', () => {
    console.log(JSON.parse(body).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "iocDatabaseInfo": {
      "databaseTables": [
        {
          "name": "domain",
          "status": "Ok",
          "lastUpdated": 1729781206587,
          "count": 2844669
        },
        {
          "name": "url",
          "status": "Unavailable",
          "lastUpdated": null,
          "count": 0
        },
        {
          "name": "ip_address",
          "status": "Ok",
          "lastUpdated": 1729781206610,
          "count": 913313
        }
      ]
    }
  }
}

Returned Datatypes

For the returned datatype, CrowdStrikeIocStatus, there are a few fields that may be returned. Below is a list of them along with their datatypes and a description of each:

Table: CrowdStrikeIocStatus

Parameter        Type             Required  Default  Description
databaseTables   [IocTableInfo]   yes                The status of Indicators of Compromise (IOC) database tables. See IocTableInfo.

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.

Table last updated: Sep 24, 2024
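A stale or unavailable IOC table means the instance's IOC enrichment silently misses matches, so the response above is worth checking, not just printing. The following is an added example (not part of the LogScale documentation) that parses the success response shown on this page and flags tables whose status is not "Ok", that hold no indicators, or whose lastUpdated (epoch milliseconds) is older than a chosen threshold; the threshold and the sample response are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the success response shown on this page, embedded inline.
SAMPLE_RESPONSE = """{
  "data": {
    "iocDatabaseInfo": {
      "databaseTables": [
        {"name": "domain", "status": "Ok", "lastUpdated": 1729781206587, "count": 2844669},
        {"name": "url", "status": "Unavailable", "lastUpdated": null, "count": 0},
        {"name": "ip_address", "status": "Ok", "lastUpdated": 1729781206610, "count": 913313}
      ]
    }
  }
}"""


def check_ioc_tables(response_text, now_ms, max_age_ms):
    """Return a list of (table name, problem) for tables that need attention.

    A table is flagged when its status is not "Ok", when it holds no
    indicators, or when its last update is older than max_age_ms.
    lastUpdated is epoch milliseconds, as in the page's example response.
    """
    doc = json.loads(response_text)
    if doc.get("errors"):
        raise RuntimeError(f"GraphQL errors: {doc['errors']}")
    problems = []
    for table in doc["data"]["iocDatabaseInfo"]["databaseTables"]:
        name = table["name"]
        if table["status"] != "Ok":
            problems.append((name, f"status {table['status']}"))
            continue
        if table["count"] == 0:
            problems.append((name, "no indicators loaded"))
            continue
        last = table["lastUpdated"]
        if last is None or now_ms - last > max_age_ms:
            age = "never" if last is None else f"{(now_ms - last) // 3_600_000} h ago"
            problems.append((name, f"stale, last updated {age}"))
    return problems


if __name__ == "__main__":
    # Assumed threshold: flag tables not refreshed within the last 24 hours.
    now = int(datetime.now(timezone.utc).timestamp() * 1000)
    for name, problem in check_ioc_tables(SAMPLE_RESPONSE, now, 24 * 3_600_000):
        print(f"{name}: {problem}")
```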