mismatched input

Hi,

I ran the following query and got an error.

I got the query from GitHub.
What could be wrong?
Invalid sql: SELECT source, eventid, CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made', JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS 'Who Made The Change', JSON_EXTRACT(data, '$.EventData.TargetUserName') AS 'New User' FROM sophos_windows_events WHERE time > STRFTIME('%s','NOW','-% DAYS') AND source = 'Security' AND eventid = 4720;. line 4:49: mismatched input ''Change Made''. Expecting:
  • This is a common mistake we see users make when running queries. To determine if it's possible to turn this into a Data Lake query, you'll first need to find out if the data you're looking for is pulled into the data lake. You can find details on the tables and information that is pulled into the data lake in the following document. 

    Data Lake Schema

    The default query provided for "windows_event_user_account_created" is as follows.

    SELECT
    eventid, subject_username, subject_domain, target_username, target_domain, privilege_list, sam_account_name, display_name, user_principal_name, home_directory, home_path, script_path, profile_path, user_workstations, account_expires, allowed_to_delegate_to, uac, user_parameters, description, provider_name, source
    FROM
    xdr_data
    WHERE
    query_name = 'windows_event_user_account_created'
    limit 10

    There are lots of resources you can find on the Community which will help get you started with query creation. I will link one below.
    Getting Started In Live Discover - From Beginner to Advanced Query Creation

  • Thank you for the answers. Indeed, it worked fine in "Live Discovery".

    How did you find it out from the query?

    Also, how can I run a similar query in Data Lake?
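As an added illustration of why the query from the first post runs in Live Discover but fails in the Data Lake (this is example code, not code from the thread or from Sophos): Live Discover executes osquery/SQLite SQL, which accepts a single-quoted string such as 'Change Made' as a column alias, whereas the Data Lake parser treats it as a string literal and expects an identifier after AS, which is exactly the "mismatched input ''Change Made''" error. The script below runs the original query against a constructed sophos_windows_events table in SQLite, with the time window passed as a parameter instead of STRFTIME('NOW', ...) so the result is deterministic, and shows that the same query with double-quoted aliases (standard SQL, accepted by both dialects) returns identical rows.

```python
import json
import sqlite3

# Constructed sample data standing in for the Live Discover table; the fixed
# "now" keeps the result deterministic (the thread used STRFTIME('%s','NOW',...)).
NOW = 1_700_000_000  # 2023-11-14 22:13:20 UTC

SAMPLE_EVENTS = [  # (source, eventid, time, EventData) -- all constructed
    ("Security", 4720, NOW - 3600, {"SubjectUserName": "admin1", "TargetUserName": "svc-backup"}),
    ("Security", 4720, NOW - 10 * 86400, {"SubjectUserName": "admin2", "TargetUserName": "olduser"}),
    ("Security", 4624, NOW - 60, {"SubjectUserName": "admin1", "TargetUserName": "admin1"}),
    ("System", 4720, NOW - 60, {"SubjectUserName": "setup", "TargetUserName": "tmp"}),
]


def build_query(alias_quote):
    """The thread's query with the alias quote character made configurable.

    alias_quote="'"  -> the original form (SQLite/Live Discover only)
    alias_quote='"'  -> standard SQL identifier quoting (works in both dialects)
    """
    q = alias_quote
    return f"""
SELECT source, eventid,
       CAST(datetime(time, 'unixepoch') AS TEXT) AS {q}Change Made{q},
       JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS {q}Who Made The Change{q},
       JSON_EXTRACT(data, '$.EventData.TargetUserName') AS {q}New User{q}
FROM sophos_windows_events
WHERE time > ? AND source = 'Security' AND eventid = 4720
"""


def account_creations(days, alias_quote="'"):
    """Return event 4720 (user account created) rows from the last `days` days."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sophos_windows_events "
                "(source TEXT, eventid INTEGER, time INTEGER, data TEXT)")
    con.executemany(
        "INSERT INTO sophos_windows_events VALUES (?, ?, ?, ?)",
        [(s, e, t, json.dumps({"EventData": d})) for s, e, t, d in SAMPLE_EVENTS],
    )
    cur = con.execute(build_query(alias_quote), (NOW - days * 86400,))
    cols = [c[0] for c in cur.description]  # alias names as SQLite reports them
    return [dict(zip(cols, row)) for row in cur.fetchall()]


if __name__ == "__main__":
    for row in account_creations(7):
        print(row)
    # Both alias styles give the same rows in SQLite; only the double-quoted
    # form is also valid for the Data Lake parser.
    assert account_creations(7) == account_creations(7, '"')
```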