This is most likely caused by the “qidmapid” column having NULL values in the “dsmevent” table.
First, check for NULL values:
psql -U qradar -c "Select * from dsmevent where qidmapid IS NULL and devicetypeid=XXX;"
If there are NULL values, run the following command:
psql -U qradar -c "delete from dsmevent where qidmapid is NULL and devicetypeid=XXX;"
Detection knowledge repository – by Daniel Koifman