d5f4ba8862803a10075f7cfffce76202c12001ef
Verifies image present, EVTX corpus available (clones on demand), the container exits cleanly, all four output artefact types are produced non-empty, then prints detection count + MITRE TTP coverage.

Default SUBSET=DeepBlueCLI (21 EVTX, ~30s). Documented alternatives: YamatoSecurity, EVTX-ATTACK-SAMPLES, EVTX-to-MITRE-Attack, or empty for the full 599-file bundle. KEEP_DATA=1 keeps the cloned corpus on disk for fast reruns.

Validated end-to-end on amd64 Linux: 7/7 PASS, 8,626 detections from DeepBlueCLI subset, 31 distinct MITRE TTPs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Languages: Shell 67.9%, Dockerfile 32.1%