feat(hackingai): add ai/ml tools EDR detections

[juju4]

AI development tools hunt to ensure align with company guidance:

Quick review to detect some common AI tools with vulnerabilities based on EDR data
Possible false-positive cmdline arguments for mlflow that may want to exclude but not sure if variable for that: "--disable-mlflow", "--skip-mlflow", "--skip_mlflow"
There would be additional patterns for web url path but I don't think there is a variable for it either (ex: "/ajax-api/2.0/preview/mlflow/")

Inspired from
https://protectai.com/blog/hacking-ai-system-takeover-in-mlflow-strikes-again-and-again
https://protectai.com/threat-research/november-vulnerability-report
https://docs.h2o.ai/h2o/latest-stable/h2o-docs/starting-h2o.html#multicast
https://docs.ray.io/en/latest/ray-security/index.html

[rc-csmith]

Nice to see potential coverage for the command lines and network traffic!

There's not a way to exclude false-positive prone items like you called out (--disable-mlflow etc.). I haven't tested these queries, though, to see how FP-prone those flags would be.

Web URL paths would be a cool addition but that's not supported by definition files (at least not yet)

[rc-csmith]

A couple more items that I'd recommend removing to reduce the noise but otherwise looks good!

[rc-csmith]

LGTM! 🎉