WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts


Path issue leading to merging sample logs

BustedSec opened this issue · comments

On one of my first run-throughs of using Chainsaw I mistakenly put the logs I wanted to parse in the root of the program folder on a Windows machine and then ran some analysis tasks. It seems it will recursively check subfolders under the main folder for additional event files and add them to the capture. This resulted in me thinking I was seeing signs of compromise in the output .csv files that were actually pulled in from the samples and merged with the results from the actual parsing. May want to add a check or a warning to new users to ensure they don't make the same mistake.
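The pitfall described above is that a recursive tool ingests every event log under the directory it is pointed at, including demonstration logs shipped alongside the binary. The following is an added pre-flight check written for this issue, not part of Chainsaw's code: it walks a target directory the way a recursive tool would, lists every `.evtx` it would ingest, and flags any file whose path passes through a directory name associated with sample logs. The directory names in `SAMPLE_DIR_NAMES`, the `demo()` tree and the file names in it are constructed assumptions for illustration, not Chainsaw's actual layout.

```python
"""Pre-flight check before pointing a recursive log-search tool at a directory.

Added example for the issue above (not Chainsaw's own code). The sample
directory names and the demo tree are assumptions made for illustration.
"""
import tempfile
from pathlib import Path
from typing import Iterable

# Assumed names of directories that hold demonstration logs. Adjust this to
# match whatever your tool distribution actually ships with.
SAMPLE_DIR_NAMES = frozenset({"samples", "examples", "evtx_attack_samples"})


def find_event_logs(root: Path, suffixes: Iterable[str] = (".evtx",)) -> list[Path]:
    """Return every file under root (recursively) with one of the given suffixes.

    This mirrors what a recursive ingest does: everything below root counts,
    whether or not the analyst meant to include it.
    """
    wanted = {s.lower() for s in suffixes}
    return sorted(p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in wanted)


def flag_sample_logs(root: Path, files: Iterable[Path],
                     sample_dir_names: frozenset[str] = SAMPLE_DIR_NAMES) -> list[Path]:
    """Return the files whose path relative to root passes through a sample directory."""
    flagged = []
    for f in files:
        parent_dirs = f.relative_to(root).parts[:-1]  # directories only, not the file name
        if any(d.lower() in sample_dir_names for d in parent_dirs):
            flagged.append(f)
    return flagged


def preflight(root: Path) -> dict:
    """Summarise what would be ingested from root and which files look like bundled samples."""
    files = find_event_logs(root)
    flagged = set(flag_sample_logs(root, files))

    def rel(p: Path) -> str:
        return p.relative_to(root).as_posix()

    return {
        "total": len(files),
        "flagged": [rel(f) for f in files if f in flagged],
        "clean": [rel(f) for f in files if f not in flagged],
    }


def demo() -> dict:
    """Build a constructed directory tree in a temp dir and run the check on it.

    The tree imitates the mistake from the issue: evidence dropped into a folder
    that also contains an examples/ subtree with demonstration logs.
    """
    constructed_tree = (
        "Security.evtx",                                  # evidence the analyst meant to parse
        "System.evtx",                                    # evidence the analyst meant to parse
        "case01/Application.evtx",                        # evidence in a case subfolder
        "examples/Sample.evtx",                           # bundled sample (assumed name)
        "examples/evtx_attack_samples/Mimikatz.evtx",     # bundled sample (assumed name)
    )
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for entry in constructed_tree:
            path = root / entry
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"")  # content is irrelevant; only the path is checked
        result = preflight(root)
        for f in result["flagged"]:
            print(f"WARNING: {f} sits under a sample directory and would be merged into results")
        return result


if __name__ == "__main__":
    summary = demo()
    print(f"{summary['total']} event logs found, {len(summary['flagged'])} flagged as samples")
```

Running the check before the real search makes the merge visible up front: on the constructed tree it reports five logs, two of which sit under `examples/` and would otherwise be mixed into the same output as the evidence. The check is name-based only, so a sample directory renamed to something else would not be caught; keeping evidence in a directory that contains nothing but the collected logs remains the simpler fix.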

So I am personally of the opinion that the chainsaw download should only contain the binary, while the examples, mappings and rules should then be acquired separately. But this needs to be discussed with a wider audience.