v2026.05.05-06e233c

@github-actions github-actions released this 05 May 13:07
06e233c

feat: add Cloud Storage Exfiltration Domain Hits rule, fix ScreenConnect sort

Adds an Exfiltration-category rule that hits on event.dns.request /
url.address against 50 cloud-storage and anonymous file-sharing
domains sourced from the lolexfil tools.json "cloud storage" set
(Backblaze, Dropbox, MEGA, pCloud, MediaFire, 4shared, fex.net,
Bublup, gofile, anonfiles, bashupload, temp.sh, transfer.sh,
catbox.moe, share.riseup.net, oshi.at, send.exploit.in, myftp.*, etc.).
Popular cloud-platform domains (Google, Amazon, Microsoft) are
excluded to keep the rule actionable.

Also fixes the Newly Observed ScreenConnect Host Server rule: the
final "| sort -_FirstSeenMs" ran after "| columns" projected the
output, which dropped _FirstSeenMs from scope and silently no-oped
the sort. Moves the sort step ahead of the columns projection.
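
Added example, not the project's rule or query: a Python sketch of the label-boundary domain matching that a domain-list rule like the one described above depends on, run over `event.dns.request` / `url.address` values. It uses only a subset of the domains named in the note and reads `myftp.*` as the label `myftp` followed by a single TLD label (an assumption); the `endpoint` field and the sample events are constructed.

```python
from urllib.parse import urlsplit

# Subset of the domains named in the release note, not the full 50-domain set.
EXFIL_DOMAINS = {"fex.net", "temp.sh", "transfer.sh", "catbox.moe",
                 "share.riseup.net", "oshi.at", "send.exploit.in"}
# Assumption: "myftp.*" means the label "myftp" followed by one TLD label.
WILDCARD_LABELS = {"myftp"}

def host_of(value):
    """Return the lowercase hostname from a DNS name or a URL."""
    value = value.strip().lower()
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")
    # Scheme-less value such as "transfer.sh/abc" or "temp.sh:443".
    return value.split("/")[0].split(":")[0].rstrip(".")

def match_domain(host):
    """Return the list entry that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in EXFIL_DOMAINS:
            return candidate
        # Wildcard entries only match in the registrable-domain position.
        if i == len(labels) - 2 and labels[i] in WILDCARD_LABELS:
            return labels[i] + ".*"
    return None

def find_hits(events):
    """Return (endpoint, field, matched entry) for every matching field."""
    hits = []
    for ev in events:
        for field in ("event.dns.request", "url.address"):
            value = ev.get(field)
            matched = match_domain(host_of(value)) if value else None
            if matched:
                hits.append((ev["endpoint"], field, matched))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"endpoint": "ws-01", "event.dns.request": "Transfer.SH."},
    {"endpoint": "ws-02", "event.dns.request": "attempt.sh"},
    {"endpoint": "ws-03", "url.address": "https://files.catbox.moe/abc.bin"},
    {"endpoint": "ws-04", "event.dns.request": "host1.myftp.org"},
    {"endpoint": "ws-05", "url.address": "http://oshi.at.example.com/x"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```

A plain substring or `contains` test would also flag `attempt.sh` (contains `temp.sh`) and `oshi.at.example.com`; matching on whole labels from the right keeps both out of the results.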