iocDatabaseInfo()

API Stability Long-Term

The iocDatabaseInfo() GraphQL query returns information on the IOC (indicator of compromise) database used by the LogScale instance.

In addition to this query, there's the enableOrganizationIocAccess() and disableOrganizationIocAccess() mutation fields to enable and disable access to an IOC database for an organization.

For more information on IOC databases from CrowdStrike, see the IOC Configuration page of the main documentation.

Syntax

graphql

iocDatabaseInfo: CrowdStrikeIocStatus!

There's no input for this query field. For the results, through sub-parameters, you can request the name and status of IOC database tables, and related information.

Example

Below is an example of how this query field might be used:

Raw

graphql

query {
  iocDatabaseInfo { 
    databaseTables {
      name, status, 
      lastUpdated, count } }
}

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  iocDatabaseInfo { 
    databaseTables {
      name, status, 
      lastUpdated, count } }
}"
}
EOF

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  iocDatabaseInfo { 
    databaseTables {
      name, status, 
      lastUpdated, count } }
}"
}
EOF

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
  iocDatabaseInfo {  ^
    databaseTables { ^
      name, status,  ^
      lastUpdated, count } } ^
}" ^
} '

Windows Powershell and curl

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
  iocDatabaseInfo { 
    databaseTables {
      name, status, 
      lastUpdated, count } }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "query {
  iocDatabaseInfo { 
    databaseTables {
      name, status, 
      lastUpdated, count } }
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
  iocDatabaseInfo { 
    databaseTables {
      name, status, 
      lastUpdated, count } }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
  iocDatabaseInfo { 
    databaseTables {
      name, status, 
      lastUpdated, count } }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Example Responses

Success (HTTP Response Code 200 OK)

json

{
  "data": {
    "iocDatabaseInfo": {
      "databaseTables": [
        {
          "name": "domain",
          "status": "Ok",
          "lastUpdated": 1729781206587,
          "count": 2844669
        },
        {
          "name": "url",
          "status": "Unavailable",
          "lastUpdated": null,
          "count": 0
        },
        {
          "name": "ip_address",
          "status": "Ok",
          "lastUpdated": 1729781206610,
          "count": 913313
        }
      ]
    }
  }
}

Returned Datatype

With the returned datatype, you can get a list of IOC database tables. Through the special datatype it uses, you can get the name and status of each. Click on that datatype in the table below to see more.

Table: CrowdStrikeIocStatus

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 24, 2024
databaseTables	[IocTableInfo]	yes	`Long-Term`	The status of Indicators of Compromise (IOC) database tables. See IocTableInfo.

Versions of this Page

GraphQL Queries

GraphQL API Stability

GraphQL Mutations

GraphQL Datatypes