From 1ea6d00a3980400716bbda8c9295af0ce90bec17 Mon Sep 17 00:00:00 2001
From: svent
Date: Mon, 12 Aug 2019 21:39:28 +0200
Subject: [PATCH] Fix QRadar field name escaping and handling

---
 tools/sigma/backends/qradar.py | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/tools/sigma/backends/qradar.py b/tools/sigma/backends/qradar.py
index 6caf8c4eb..a88148808 100644
--- a/tools/sigma/backends/qradar.py
+++ b/tools/sigma/backends/qradar.py
@@ -42,6 +42,8 @@ class QRadarBackend(SingleTextQueryBackend):
     aql_database = "events"
 
     def cleanKey(self, key):
+        if key == None:
+            return ""
         if " " in key:
             key = "\"%s\"" % (key)
         return key
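Review bot: The escaping added to cleanKey is still keyed only on a space: a field name containing a double quote, or any other character AQL needs quoted, passes through unchanged, so the "escaping" in the subject line is only partial. The defensive form is to validate the name against an identifier pattern, or escape embedded quotes before wrapping, rather than testing for a single character. The new `None` guard returns `""`, so a caller that passes a missing field (likely the aggregation code below, for count()-style aggregations) renders an empty name inside the select's parentheses; if that is intended, say so with `# None aggfield (e.g. count() without a field) renders as an empty name`. Also `key == None` should be `key is None`, per PEP 8. The method is fully inside the hunk; the class header is not.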
@@ -116,21 +118,21 @@ class QRadarBackend(SingleTextQueryBackend):
         if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_NEAR:
             raise NotImplementedError("The 'near' aggregation operator is not yet implemented for this backend")
         if agg.groupfield == None:
-            self.qradarPrefixAgg = "SELECT %s(%s) as agg_val from %s where" % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
-            self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.aggfield, agg.cond_op, agg.condition)
+            self.qradarPrefixAgg = "SELECT %s(%s) as agg_val from %s where" % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database)
+            self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (self.cleanKey(agg.aggfield), agg.cond_op, agg.condition)
             return self.qradarPrefixAgg, self.qradarSuffixAgg
         elif agg.groupfield != None and timeframe == '00':
-            self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
-            self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.groupfield, agg.cond_op, agg.condition)
+            self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database)
+            self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition)
             return self.qradarPrefixAgg, self.qradarSuffixAgg
         elif agg.groupfield != None and timeframe != None:
             for key, duration in self.generateTimeframe(timeframe).items():
-                self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
-                self.qradarSuffixAgg = " group by %s having agg_val %s %s LAST %s %s" % (agg.groupfield, agg.cond_op, agg.condition, duration, key)
+                self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database)
+                self.qradarSuffixAgg = " group by %s having agg_val %s %s LAST %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition, duration, key)
                 return self.qradarPrefixAgg, self.qradarSuffixAgg
         else:
-            self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
-            self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.groupfield, agg.cond_op, agg.condition)
+            self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, self.cleanKey(agg.aggfield), self.aql_database)
+            self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (self.cleanKey(agg.groupfield), agg.cond_op, agg.condition)
             return self.qradarPrefixAgg, self.qradarSuffixAgg
 
     def generateTimeframe(self, timeframe):
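Review bot: All four branches now build the same `self.qradarPrefixAgg` string and call `self.cleanKey` on the same fields, so the cleaned names and the prefix should be computed once before the branch and only the suffix chosen per case; the first branch's prefix differs only by the missing surrounding spaces, which looks accidental rather than deliberate and is worth confirming before unifying it. `agg.cond_op` and `agg.condition` are still interpolated verbatim; unless SigmaAggregationParser already guarantees a numeric condition, `int(agg.condition)` at this point would keep a malformed rule from producing a syntactically wrong query. The `return` inside the `for` loop of the timeframe branch means only the first timeframe entry is ever used (and an empty timeframe map falls through to an implicit `None`), which the rewrite keeps as-is; it deserves either a comment or a fix. The enclosing method's header is outside the hunk.
```python
        # … unchanged: NEAR check …
        aggfield = self.cleanKey(agg.aggfield)
        groupfield = self.cleanKey(agg.groupfield)
        # prefix is identical in every branch; first branch previously lacked the surrounding spaces — confirm that was unintended
        self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, aggfield, self.aql_database)
        if agg.groupfield == None:
            self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (aggfield, agg.cond_op, agg.condition)
        elif timeframe == '00':
            self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (groupfield, agg.cond_op, agg.condition)
        elif timeframe != None:
            for key, duration in self.generateTimeframe(timeframe).items():
                self.qradarSuffixAgg = " group by %s having agg_val %s %s LAST %s %s" % (groupfield, agg.cond_op, agg.condition, duration, key)
                break  # original returned on the first entry; kept explicit here — an empty map now falls through instead of returning None
        else:
            self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (groupfield, agg.cond_op, agg.condition)
        return self.qradarPrefixAgg, self.qradarSuffixAgg
```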