This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cx creating a custom query and seeing Access denied message

Hello Team,

I have a customer who is trying to run a custom live query and noticing access denied messages. Can someone help understand why this error is seen? and also if the query is correct?

Cx actual concern

Receiving the below error message when querying data lake.

Query: Select * From System_Info

Error Message: 403 : "{"error":"accessDenied","message":"Access is denied: Access denied for: system_info","correlationId":"73a3c5a1-bb5e-4516-9c5f-df1c2f2e6cdf","code":null,"createdAt":"2025-02-20T21:57:59.108Z","requestId":null,"docUrl":null}"
Edit Description


This thread was automatically locked due to age.
  • Hi PK1,

    Thanks for reaching out to the Sophos Community Forum. 

    It looks like you're trying to pull data from the "System_Info" table. This table is not stored in the Sophos DataLake, but is made accessible on the local device by leveraging osquery.

    You will need to change this from a "Data Lake" query to a "Live Endpoint" query. See:

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
    • I am using this a test but looking for a data lake query for login history of users per machine. Can you help?

      • Hi  

        Thanks for reaching out to the Sophos Community Forum.

        You can run this custom query to get a successful login history from the device.

        Fullscreen
        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        SELECT
        STRFTIME('%Y-%m-%dT%H:%M:%SZ', DATETIME(time, 'unixepoch')) AS date_time,
        eventid,
        'Successful Login' AS description,
        COALESCE(
        JSON_EXTRACT(data, '$.UserData.Param1'),
        JSON_EXTRACT(data, '$.UserData.User'),
        JSON_EXTRACT(data, '$.EventData.TargetUserName')
        ) AS username,
        COALESCE(
        JSON_EXTRACT(data, '$.UserData.Param3'),
        JSON_EXTRACT(data, '$.UserData.Address'),
        JSON_EXTRACT(data, '$.EventData.IpAddress')
        ) AS source_ip,
        COALESCE(
        JSON_EXTRACT(data, '$.EventData.TargetUserSid'),
        '-'
        ) AS user_sid
        FROM sophos_windows_events
        WHERE
        eventid IN (1149, 21, 4624)
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

        By Default, this query pulls data for the last 7 days, 

        If a post solves your question, please use the "Verify Answer" button.

        Regards,

        Altmash