On one of my first run-throughs of using Chainsaw I mistakenly put the logs I wanted to parse in the root of the program folder on a Windows machine and then ran some analysis tasks. It seems it will recursively check subfolders under the main folder for additional event files and add them to the capture. This resulted in me thinking I was seeing signs of compromise in the output .csv files that were actually pulled in from the samples and merged with the results from the actual parsing. May want to add a check or a warning to new users to ensure they don't make the same mistake.