Verifies image present, EVTX corpus available (clones on demand), the
container exits cleanly, all four output artefact types are produced
non-empty, then prints detection count + MITRE TTP coverage.
Default SUBSET=DeepBlueCLI (21 EVTX, ~30s). Documented alternatives:
YamatoSecurity, EVTX-ATTACK-SAMPLES, EVTX-to-MITRE-Attack, or empty for
the full 599-file bundle.
KEEP_DATA=1 keeps the cloned corpus on disk for fast reruns.
Validated end-to-end on amd64 Linux: 7/7 PASS, 8,626 detections from
DeepBlueCLI subset, 31 distinct MITRE TTPs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Bare 'FROM ubuntu' was floating; recent rollover (ubuntu:latest = 25.04
'resolute') dropped libpcre3 in favour of libpcre2 and broke the build
with "E: Unable to locate package libpcre3".
Pin to 24.04 (same as docker_kaspersky and docker_sep) so the build is
reproducible across rollovers.

test-data/ is 255 MB of public corpora (Yamato hayabusa-sample-evtx +
local run outputs) — too large to track. fetch-test-data.sh clones the
upstream on demand.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Upstream renamed release assets (linux-intel → lin-x64-gnu,
linux-arm → lin-aarch64-gnu); updated accordingly.

Takajo was silently failing because start.sh invoked it from
WORKDIR=/data — takajo checks for companion files in CWD and
exits with "The Takajo executable does not exist in the current
directory." Wrap the call in (cd /opt/hayabusa && ./takajo ...)
so automagic reports actually land in /output/takajo/.

Also add .dockerignore to keep test-data/ and .git/ out of the
build context.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>