iocDatabaseInfo()

API Stability	`Long-Term`

The iocDatabaseInfo() GraphQL query returns information on the IOC database used by the LogScale instance.

For more information on IOC (indicator of compromise) database from CrowdStrike, see the IOC Configuration configuration page.

Syntax

Below is the syntax for the iocDatabaseInfo() query field:

graphql

iocDatabaseInfo: CrowdStrikeIocStatus!

This is a moderately straightfoward query field. You'd replace CrowdStrikeIocStatus with curly-brackets and a list of parameters you want returned. Below is an example:

Show:

graphql

query {
  iocDatabaseInfo {databaseTables {
    name, status, lastUpdated, count
  }}
}

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  iocDatabaseInfo {databaseTables {
    name, status, lastUpdated, count
  }}
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  iocDatabaseInfo {databaseTables {
    name, status, lastUpdated, count
  }}
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
  iocDatabaseInfo {databaseTables { ^
    name, status, lastUpdated, count ^
  }} ^
}" ^
} '

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
  iocDatabaseInfo {databaseTables {
    name, status, lastUpdated, count
  }}
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "query {
  iocDatabaseInfo {databaseTables {
    name, status, lastUpdated, count
  }}
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
  iocDatabaseInfo {databaseTables {
    name, status, lastUpdated, count
  }}
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
  iocDatabaseInfo {databaseTables {
    name, status, lastUpdated, count
  }}
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Example Responses

Show:

json

{
  "data": {
    "iocDatabaseInfo": {
      "databaseTables": [
        {
          "name": "domain",
          "status": "Ok",
          "lastUpdated": 1729781206587,
          "count": 2844669
        },
        {
          "name": "url",
          "status": "Unavailable",
          "lastUpdated": null,
          "count": 0
        },
        {
          "name": "ip_address",
          "status": "Ok",
          "lastUpdated": 1729781206610,
          "count": 913313
        }
      ]
    }
  }
}

Returned Datatypes

For the returned datatype, CrowdStrikeIocStatus, there are a few parameters that may be given. Below is a list of them along with their datatypes and a description of each:

Table: CrowdStrikeIocStatus

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 24, 2024
`databaseTables`	[`IocTableInfo`]	yes	`Long-Term`	The status of Indicators of Compromise (IOC) database tables. See `IocTableInfo`.

GraphQL Queries

GraphQL API Stability

GraphQL Mutations

GraphQL Datatypes