Path issue leading to merging sample logs

[BustedSec]

On one of my first run-throughs of using Chainsaw I mistakenly put the logs I wanted to parse in the root of the program folder on a windows machine and then ran some analysis tasks. It seems it will recursively check subfolders under the main folder for additional event files and add them to the capture. This resulted in me thinking I was seeing signs of compromise in the output .csv files that were actually pulled in from the samples and merged with the results from the actual parsing. May want to add a check or a warning to new users to ensure they don't make the same mistake.

[alexkornitzer]

So I am personally of the opinion that chainsaw download should only contain the binary, while the examples, mappings and rules should then be acquired separately. But this needs to discussed with a wider audience.

[AndrewRathbun]

I'll speak for myself in saying that Mappings are a relatively new concept to me (and likely most of us) since documentation just went live this week on how to create new mappings. Separating those from Chainsaw right now would probably be a point of frustration for end-users, including myself. Would you create a repo called ChainsawFiles (or something) where those mappings would be stored? Doesn't this file make Chainsaw run and therefore separating it from Chainsaw would make Chainsaw useless without it? I see the built-in logic in the .rs files so forgive me as I'm still learning how these ancillary files play in to Chainsaw's operation.

In terms of the EVTX Attack Samples, a simple link in the repo's README would be sufficient for sample data to run Chainsaw against.

In terms of Sigma rules, my opinion is the same as above for EVTX Attack Samples. However, I created a PowerShell script originally made to be used in KAPE with the associated Module that automates updating the Sigma rules in Chainsaw. Anyone can use it or modify it for their own needs. I don't know Rust, but maybe a --sync function for Chainsaw could sync the Sigma rules from that repo 🤷

Just my initial thoughts.

[alexkornitzer]

Ah yep so I made a couple of assumptions here that I failed to expand on correctly. My thinking is as follows:

• Link to samples
• Link to rules
• Mappings kept in repo but not part of the binary download
• Binary download on releases
• Mappings download on releases

This would also mean in the future that mapping could be moved to their own repo if ever required.

As for the design of chainsaw's structure I will write that up in the wiki. It still needs a big clean though so that it can be modularised properly.

[alexkornitzer]

I have gone ahead and made these changes in v2. Lets tracking any further discussion for it on that alpha #77.