mismatched input

Hi community.sophos.com/.../sophos-user6831, The query you are running is intended to be run as a "Live Endpoint" query. It's likely that you have selected "Data Lake".

I've moved your post to the Live Discover and Response Query forum. Feel free to post any query request or questions you have in the related pages.

Hi community.sophos.com/.../sophos-user6831, The query you are running is intended to be run as a "Live Endpoint" query. It's likely that you have selected "Data Lake".

I've moved your post to the Live Discover and Response Query forum. Feel free to post any query request or questions you have in the related pages.

Thank you, appreciated.

This is a common mistake we see users make when running queries. To determine if it's possible to turn this into a Data Lake query, you'll first need to find out if the data you're looking for is pulled into the data lake. You can find details on the tables and information that is pulled into the data lake in the following document. 

Data Lake Schema

The default query provided for "windows_event_user_account_created" is as follows.

SELECT
eventid, subject_username, subject_domain, target_username, target_domain, privilege_list, sam_account_name, display_name, user_principal_name, home_directory, home_path, script_path, profile_path, user_workstations, account_expires, allowed_to_delegate_to, uac, user_parameters, description, provider_name, source
FROM
xdr_data
WHERE
query_name = 'windows_event_user_account_created'
limit 10

There are lots of resources you can find on the Community which will help get you started with query creation. I will link one below.
Getting Started In Live Discover - From Beginner to Advanced Query Creation

Thank you for the answers, Indeed it worked fine in "Live Discovery".

How did you find it out from the query?

Also, how can I run a similar query in Data Lake?