Added Support for "Query" Field in Definition Files

[rc-csmith]

Changes:

• Updated CbR, CbC, and DFE to support a "query" field in the definition files
  • This query field is EDR-specific so the script will not try to convert the language.
  • No checks are performed to verify the query language but error handling is in place to gracefully fail if language is unsupported.
• Updated DFE query builder to use the same tables for individual queries and definition file searches

To-Do After Merge:

• Update documentation for this new feature
• Update definition file Incident_202103_Exchange_Activity to use new "query" field

Closes #12

[xC0uNt3r7hr34t]

Is there a reason that multiple terms can't be used like was setup with SentinelOne product? These should be able to be joined together with OR in a similar manner. Code looks good otherwise, I don't have any queries prepped to validate this works for these products. I won't be able to validate against CBR product.

[rc-csmith]

@xC0uNt3r7hr34t - I couldn't recall where we landed after our chat if we decided to support chaining queries together or not. But I like the idea of allowing multiple queries to be merged/joined so I've updated the code accordingly