Update documentation for modern detection practices

[TerminalsandCoffee]

Motivation

• Refresh repository documentation to reflect modern detection engineering practices such as detection-as-code, schema normalization, and emulation-based validation.
• Make rule format and workflow guidance consistent with the TOML detection files present in the detections/ directory.
• Expand framework guidance to include defensive standards and portability/testing standards used by current programs.

Description

• Updated top-level README.md to emphasize detection-as-code, telemetry quality, schema normalization (ECS/OCSF), emulation coverage, and to rename the repo path in examples to detection-engineering-lab/.
• Enhanced detections/README.md to require assumptions documentation, call out sub-techniques, and suggest optional emulation validation with Atomic Red Team/CALDERA.
• Reworked theory/detection-engineering-workflow.md to align the workflow with TOML rule format, add a TOML example rule, require normalization/parsing guidance, and recommend emulation coverage and portable fields.
• Expanded theory/frameworks.md and theory/README.md to add MITRE D3FEND and an "Additional Standards" section covering Sigma, MITRE CAR, DeTT&CT, and OCSF/ECS for portability and coverage assessment.

Testing

• No automated tests were run because these are documentation-only changes.
• Validation guidance in docs points to python development/validation.py and python development/mitre.py for automated checks when adding or modifying detections.

---

Codex Task