A custom Wazuh rule pack and reproducible Docker lab that pairs a stock Wazuh agent with a Tetragon eBPF sidecar to catch what stock Wazuh cannot — short-lived process exec, fileless memfd payloads, sub-second TCP connects, kernel module loads, bpf() syscall use, sensitive-file argv reads, setuid escalation. 1 decoder family, 15 rules, 4 distros, 1.59M events validated.
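Three of the detections listed above (short-lived exec, memfd payload, sensitive-file argv), as an added Python example run over constructed Tetragon-style JSON events; it is not code from this project, whose own decoder and rules are not reproduced here. The `/memfd:` binary prefix, the sensitive-path list, the one-second threshold and the alert tag names are assumptions made for illustration.

```python
import json
from calendar import timegm
from time import strptime

# Constructed Tetragon-style JSON export lines (not captured from the lab).
SAMPLE = """\
{"process_exec":{"process":{"exec_id":"a1","pid":4101,"binary":"/usr/bin/id","arguments":""}},"time":"2024-01-01T10:00:00.100000000Z"}
{"process_exit":{"process":{"exec_id":"a1","pid":4101,"binary":"/usr/bin/id"}},"time":"2024-01-01T10:00:00.104500000Z"}
{"process_exec":{"process":{"exec_id":"b2","pid":4102,"binary":"/memfd:x (deleted)","arguments":""}},"time":"2024-01-01T10:00:01.000000000Z"}
{"process_exec":{"process":{"exec_id":"c3","pid":4103,"binary":"/usr/bin/cat","arguments":"/etc/shadow"}},"time":"2024-01-01T10:00:02.000000000Z"}
{"process_exit":{"process":{"exec_id":"c3","pid":4103,"binary":"/usr/bin/cat"}},"time":"2024-01-01T10:00:05.000000000Z"}
"""

SENSITIVE = ("/etc/shadow", "/etc/sudoers")   # assumed watch list
SHORT_LIVED_NS = 1_000_000_000                # assumed threshold: 1 second

def to_ns(ts):
    """Parse an RFC 3339 UTC timestamp with up to 9 fractional digits."""
    whole, _, frac = ts.rstrip("Z").partition(".")
    secs = timegm(strptime(whole, "%Y-%m-%dT%H:%M:%S"))
    return secs * 10**9 + int(frac.ljust(9, "0")[:9])

def detect(lines):
    """Return (tag, pid) alerts; exec/exit pairs are correlated by exec_id."""
    started, alerts = {}, []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        when = to_ns(ev["time"])
        if "process_exec" in ev:
            p = ev["process_exec"]["process"]
            started[p["exec_id"]] = when
            if p["binary"].startswith("/memfd:"):      # fileless payload
                alerts.append(("memfd_exec", p["pid"]))
            if any(a in SENSITIVE for a in p.get("arguments", "").split()):
                alerts.append(("sensitive_argv", p["pid"]))
        elif "process_exit" in ev:
            p = ev["process_exit"]["process"]
            t0 = started.pop(p["exec_id"], None)
            if t0 is not None and when - t0 < SHORT_LIVED_NS:
                alerts.append(("short_lived", p["pid"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```

The timestamp parser handles the nanosecond-precision fractions by hand because sub-second lifetimes are the quantity being measured.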