Monitoring Flow attaches client id to uploads. (Velocidex#32)

artifacts/definitions/Windows/Analysis/EvidenceOfExecution.yaml

@@ -21,7 +21,7 @@ sources:
 
   - name: ShimCache
     queries:
-      - SELECT * FROM Artifact.Windows.Registery.AppCompatCache()
+      - SELECT * FROM Artifact.Windows.Registry.AppCompatCache()
 
   - name: Prefetch
     queries:

artifacts/definitions/Windows/Detection/PsexecService/Kill.yaml

@@ -15,7 +15,8 @@ parameters:
 
 sources:
   - queries:
-      - SELECT * FROM foreach(
+      - |
+        SELECT * FROM foreach(
           row={ SELECT * FROM Artifact.Windows.Detection.PsexecService() },
           query={
              SELECT ServiceName, PathName, Modified, FileSize, Timestamp,

artifacts/definitions/Windows/Packs/LateralMovement.yaml

@@ -17,7 +17,7 @@ sources:
         WHERE Executable =~ "wmic.exe"
   - name: ShimCache
     queries:
-      - SELECT * FROM Artifact.Windows.Registery.AppCompatCache()
+      - SELECT * FROM Artifact.Windows.Registry.AppCompatCache()
         WHERE Name =~ "wmic.exe"
   - name: BAM
     queries:

flows/artifacts.go

@@ -347,6 +347,7 @@ func appendDataToFile(
 
 		row := vfilter.NewDict().
 			Set("Timestamp", time.Now().UTC().Unix()).
+			Set("ClientId", flow_obj.RunnerArgs.ClientId).
 			Set("VFSPath", file_path).
 			Set("UploadName", file_buffer.Pathspec.Path).
 			Set("Accessor", file_buffer.Pathspec.Accessor).
@@ -360,7 +361,7 @@ func appendDataToFile(
 				ClientId:  flow_obj.RunnerArgs.ClientId,
 				QueryName: "System.Upload.Completion",
 				Response:  string(serialized),
-				Columns: []string{"Timestamp",
+				Columns: []string{"Timestamp", "ClientId",
 					"VFSPath", "UploadName",
 					"Accessor", "Size"},
 			}

flows/monitoring.go

@@ -66,6 +66,8 @@ func (self *MonitoringFlow) ProcessMessage(
 		return err
 	}
 
+	flow_obj.RunnerArgs.ClientId = message.Source
+
 	switch message.RequestId {
 	case constants.TransferWellKnownFlowId:
 		return appendDataToFile(