Implementing the fields to be selected

tools/sigma/backends/qradar.py

@@ -175,7 +175,20 @@ class QRadarBackend(SingleTextQueryBackend):
             aql_database = "flows"
         else:
             aql_database = "events"
-        qradarPrefix = "SELECT UTF8(payload) as search_payload from %s where " % (aql_database)
+        
+        qradarPrefix="SELECT "
+        try:
+            for field in sigmaparser.parsedyaml["fields"]:
+                    mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field)
+                    #if type(mapped) == str:
+                    #    qradarPrefix += mapped +", "
+                    #else:
+                    #    raise TypeError("Field mapping must return string or list")
+            qradarPrefix += str(sigmaparser.parsedyaml["fields"]).strip('[]')
+            qradarPrefix += " from %s where " % (aql_database)
+        except KeyError:    # no 'fields' attribute
+            mapped = None
+            pass
 
         try:
             timeframe = sigmaparser.parsedyaml['detection']['timeframe']