Merge pull request #470 from stevengoossensB/master

Mapping the fields in the select statement according to the configuration file
2024-11-08 10:13:57 +00:00 · 2019-10-16 22:34:28 +02:00 · 2019-10-16 22:34:28 +02:00 · 02d193c518
commit 02d193c518
parent deb3ecf404 5f7813f71e
1 changed files with 3 additions and 1 deletions
--- a/tools/sigma/backends/qradar.py
+++ b/tools/sigma/backends/qradar.py
@ -198,9 +198,11 @@ class QRadarBackend(SingleTextQueryBackend):
        
        qradarPrefix="SELECT "
        try:
+            mappedFields = []
            for field in sigmaparser.parsedyaml["fields"]:
                    mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser)
-            qradarPrefix += str(sigmaparser.parsedyaml["fields"]).strip('[]')
+                    mappedFields.append(mapped)
+            qradarPrefix += str(mappedFields).strip('[]')
        except KeyError:    # no 'fields' attribute
            mapped = None
            qradarPrefix+="UTF8(payload) as search_payload"