From 935f976337102f557372be80ee6240cf76c1259d Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Fri, 25 Oct 2024 01:50:50 +0200
Subject: [PATCH] Fixed chaining of correlation rules

---
 sigma/conversion/base.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/sigma/conversion/base.py b/sigma/conversion/base.py
index 769ffd24..5de71179 100644
--- a/sigma/conversion/base.py
+++ b/sigma/conversion/base.py
@@ -581,7 +581,7 @@ def convert_correlation_rule(
 ]
 
 # Apply the finalization step
-finalized_query = [
+finalized_queries = [
 self.finalize_query(
 rule,
 query,
@@ -591,8 +591,10 @@ def convert_correlation_rule(
 )
 for index, query in enumerate(queries)
 ]
+rule.set_conversion_result(finalized_queries)
+rule.set_conversion_states(states)
 
-return finalized_query
+return finalized_queries
 
 @abstractmethod
 def convert_correlation_event_count_rule(
@@ -1720,11 +1722,7 @@ def convert_correlation_search(
 ),
 )
 for rule_reference in rule.rules
-for query in (
-rule_reference.rule.get_conversion_result()
-if not isinstance(rule_reference.rule, SigmaCorrelationRule)
-else self.convert_correlation_rule(rule_reference.rule)
-)
+for query in rule_reference.rule.get_conversion_result()
 )
 ),
 **kwargs,
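Review bot: The two added `rule.set_conversion_result(finalized_queries)` / `rule.set_conversion_states(states)` lines make `convert_correlation_rule` stateful, and nothing in the hunk documents that contract: the list stored on the rule is the finalized (presumably output-format specific) query, and converting the same rule a second time, for another backend or output format, silently overwrites whatever a referencing correlation rule will later read back via `get_conversion_result()`. A comment above the added lines would make this explicit, e.g. `# Cache the finalized result on the rule so correlation rules that reference it can reuse it in convert_correlation_search; a later conversion overwrites it.` The `states` value passed to `set_conversion_states` is bound earlier in the function, outside this hunk, so I could not confirm it is populated on every path that reaches the return. `convert_correlation_rule` begins before the first hunk.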
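Review bot: The new `for query in rule_reference.rule.get_conversion_result()` now reads the stored result for referenced correlation rules as well, so it depends on every referenced rule having been converted before the rule that references it; the previous code converted nested correlation rules on demand, and the ordering guarantee is not visible in this hunk. If a referenced rule has not been converted yet, the outer correlation either loses that sub-query or fails in the accessor, and a correlation search that silently drops a sub-query fails open — the detection never fires and nothing reports it. I would fail loudly at that point, hedged because I cannot see what `get_conversion_result()` returns for an unconverted rule: `sub_queries = rule_reference.rule.get_conversion_result()` followed by `if sub_queries is None: raise <the module's conversion error>(f"Referenced rule {rule_reference.rule.title!r} was not converted before {rule.title!r}")` before iterating. `convert_correlation_search` starts and ends outside the hunk.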