Analytic Enhancements and Fixes

[nasbench]

This PR is an initial effort to address some of the problematic rules referenced in #3809. The TL;DR is that some rules are relying on filtering later which hinders their performance a lot. Some are by design due to usage of lookups or features such as regex that are not available in tstats for example.

From the original list i have fixed what is possible and still working on the some of the rest.

Updated Analytics [8]

• Suspicious Email Attachment Extensions - Added additional output fields in the by clause, as well as updated the RBA message.
• DLLHost with no Command Line Arguments with Network - Added a process filter in the process events search to reduce the sample size, instead of filtering via regex later.
• Rundll32 with no Command Line Arguments with Network -
• SearchProtocolHost with no Command Line with Network -
• Single Letter Process On Endpoint - Removed the usage of the regex instead opted for enumerating all possible values in the tstats. This will improve performance and will not lose any coverage.
• System Processes Run From Unexpected Locations - Added an additional filter location.
• Windows Command and Scripting Interpreter Hunting Path Traversal - Added an additional filter in the search, since it does not make sense to look for all processes and then filter them.
• Windows LOLBAS Executed Outside Expected Path - Added WinSxS as a new filter.

Lookup Updates [3]

• lookups/is_suspicious_file_extension_lookup.csv - Since this lookup is only used in the Suspicious Email Attachment Extensions analytic. I updated it and reduced the search space to only thing that actually matter based on collected stats from our telemetry.
• lookups/is_windows_system_file.csv - Removed a lot of unnecessary filenames and reduced the search space.
• lookups/lolbas_file_path.csv