Merge pull request #2614 from Azure/ifeo-fix

Fix CommandLine Issue

Hunting Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml

@@ -23,9 +23,8 @@ query: |
   (
   SecurityEvent
   | where EventID == 4657
-  | where CommandLine has "Image File Execution Options"
-  | where CommandLine has_any ("reg add", "reg delete")
-  | summarize Count=count() by Computer, CommandLine, Account, NewValue, OldValue
+  | where ObjectName has_all ("\\REGISTRY\\MACHINE", "Image File Execution Options")
+  | summarize Count=count() by Computer, Account, ObjectName
   | top 10 by Count desc 
   | extend AccountCustomEntity = Account, HostCustomEntity = Computer
   ),