This is caused by a custom property with a reserved name, most likely “Count”.
Check under custom property management to see which recently created CEPs are using reserved names, and delete them via PSQL.
select * from ariel_property where propertyname='Count'; -- or any other CEP name
update ariel_property set propertyname='Count1' where propertyname='Count';
Detection knowledge repository – by Daniel Koifman