Cx creating a custom query and seeing Access denied message

Question

Hello Team, 
 
 I have a customer who is trying to run a custom live query and noticing access denied messages. Can someone help understand why this error is seen? and also if the query is correct? 
 
 Cx actual concern

Receiving the below error message when querying data lake.

Query: Select * From System_Info

Error Message: 403 : "{"error":"accessDenied","message":"Access is denied: Access denied for: system_info","correlationId":"73a3c5a1-bb5e-4516-9c5f-df1c2f2e6cdf","code":null,"createdAt":"2025-02-20T21:57:59.108Z","requestId":null,"docUrl":null}"Edit Description

Altmash · Answer

Hi PK1 
 Thanks for reaching out to the Sophos Community Forum. 
 You can run this custom query to get a successful login history from the device. 
 SELECT
 STRFTIME('%Y-%m-%dT%H:%M:%SZ', DATETIME(time, 'unixepoch')) AS date_time,
 eventid,
 'Successful Login' AS description,
 COALESCE(
 JSON_EXTRACT(data, '$.UserData.Param1'), 
 JSON_EXTRACT(data, '$.UserData.User'), 
 JSON_EXTRACT(data, '$.EventData.TargetUserName')
 ) AS username,
 COALESCE(
 JSON_EXTRACT(data, '$.UserData.Param3'), 
 JSON_EXTRACT(data, '$.UserData.Address'), 
 JSON_EXTRACT(data, '$.EventData.IpAddress')
 ) AS source_ip,
 COALESCE(
 JSON_EXTRACT(data, '$.EventData.TargetUserSid'), 
 '-'
 ) AS user_sid
FROM sophos_windows_events
WHERE 
 eventid IN (1149, 21, 4624) 
 AND time >= strftime('%s', 'now', '-7 days')

By Default, this query pulls data for the last 7 days, 
 If a post solves your question, please use the " Verify Answer " button. 
 Regards, 
 Altmash