Hello Team,
I have a customer who is trying to run a custom live query and is noticing access denied messages. Can someone help me understand why this error is seen, and also whether the query is correct?
Cx actual concern
Hi PK1,
Thanks for reaching out to the Sophos Community Forum.
It looks like you're trying to pull data from the "System_Info" table. This table is not stored in the Sophos DataLake, but is made accessible on the local device by leveraging osquery.
You will need to change this from a "Data Lake" query to a "Live Endpoint" query. See:
Hi PK1,
Thanks for reaching out to the Sophos Community Forum.
You can run this custom query to get a successful login history from the device.
SELECT STRFTIME('%Y-%m-%dT%H:%M:%SZ', DATETIME(time, 'unixepoch')) AS date_time,
       eventid,
       'Successful Login' AS description,
       COALESCE(JSON_EXTRACT(data, '$.UserData.Param1'),
                JSON_EXTRACT(data, '$.UserData.User'),
                JSON_EXTRACT(data, '$.EventData.TargetUserName')) AS username,
       COALESCE(JSON_EXTRACT(data, '$.UserData.Param3'),
                JSON_EXTRACT(data, '$.UserData.Address'),
                JSON_EXTRACT(data, '$.EventData.IpAddress')) AS source_ip,
       COALESCE(JSON_EXTRACT(data, '$.EventData.TargetUserSid'), '-') AS user_sid
FROM sophos_windows_events
WHERE eventid IN (1149, 21, 4624)
  AND time >= strftime('%s', 'now', '-7 days')
By default, this query pulls data for the last 7 days.
Regards,
Altmash
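An added example, not part of either reply, that runs the query above against an in-memory SQLite table shaped like the endpoint-side sophos_windows_events table (time, eventid, data) with constructed sample events. It shows why the COALESCE chains are needed: event 4624 stores the account under EventData, while 21 and 1149 use different UserData fields, and it shows the 7-day window and the eventid filter excluding stale and failed logons. The only change to the posted SQL is binding the look-back window as a parameter.

```python
import json
import sqlite3
import time

# The query from the reply above, with the look-back window bound as a parameter.
LOGIN_HISTORY_SQL = """
SELECT STRFTIME('%Y-%m-%dT%H:%M:%SZ', DATETIME(time, 'unixepoch')) AS date_time,
       eventid,
       'Successful Login' AS description,
       COALESCE(JSON_EXTRACT(data, '$.UserData.Param1'),
                JSON_EXTRACT(data, '$.UserData.User'),
                JSON_EXTRACT(data, '$.EventData.TargetUserName')) AS username,
       COALESCE(JSON_EXTRACT(data, '$.UserData.Param3'),
                JSON_EXTRACT(data, '$.UserData.Address'),
                JSON_EXTRACT(data, '$.EventData.IpAddress')) AS source_ip,
       COALESCE(JSON_EXTRACT(data, '$.EventData.TargetUserSid'), '-') AS user_sid
FROM sophos_windows_events
WHERE eventid IN (1149, 21, 4624)
  AND time >= STRFTIME('%s', 'now', ?)
"""

NOW = int(time.time())
# Constructed sample events (not real Sophos data). Each event ID stores the
# account and address under a different JSON path, hence the COALESCE chains.
SAMPLE_EVENTS = [
    (NOW - 3600, 4624, json.dumps({"EventData": {"TargetUserName": "alice",
        "IpAddress": "10.0.0.5", "TargetUserSid": "S-1-5-21-0-0-0-1001"}})),
    (NOW - 7200, 21, json.dumps({"UserData": {"User": "CORP\\bob", "Address": "10.0.0.7"}})),
    (NOW - 10800, 1149, json.dumps({"UserData": {"Param1": "carol", "Param2": "CORP",
        "Param3": "10.0.0.9"}})),
    (NOW - 10 * 86400, 4624, json.dumps({"EventData": {"TargetUserName": "stale",
        "IpAddress": "10.0.0.1", "TargetUserSid": "S-1-5-21-0-0-0-1002"}})),  # outside 7 days
    (NOW - 60, 4625, json.dumps({"EventData": {"TargetUserName": "mallory",
        "IpAddress": "10.0.0.2"}})),  # failed logon: not in the IN (...) list
]

def successful_logins(events, days=7):
    """Load rows into a table shaped like sophos_windows_events and run the query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sophos_windows_events (time INTEGER, eventid INTEGER, data TEXT)")
    conn.executemany("INSERT INTO sophos_windows_events VALUES (?, ?, ?)", events)
    cur = conn.execute(LOGIN_HISTORY_SQL, (f"-{days} days",))
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]

if __name__ == "__main__":
    for row in successful_logins(SAMPLE_EVENTS):
        print(row["date_time"], row["eventid"], row["username"], row["source_ip"], row["user_sid"])
```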