diff --git a/src/detections/applocker.rs b/src/detections/applocker.rs
new file mode 100644
index 00000000..2862bc3c
--- /dev/null
+++ b/src/detections/applocker.rs
@@ -0,0 +1,53 @@
+extern crate regex;
+
+use crate::models::event;
+use regex::Regex;
+use std::collections::HashMap;
+
+pub struct AppLocker {}
+
+impl AppLocker {
+ pub fn new() -> AppLocker {
+ AppLocker {}
+ }
+
+ pub fn detection(
+ &mut self,
+ event_id: String,
+ _system: &event::System,
+ _event_data: HashMap,
+ ) {
+ self.applocker_log_warning(&event_id, &_system);
+ self.applocker_log_block(&event_id, &_system);
+ }
+
+ fn applocker_log_warning(&mut self, event_id: &String, system: &event::System) {
+ if event_id != "8003" {
+ return;
+ }
+
+ let re = Regex::new(r" was .*$").unwrap();
+ let default = "".to_string();
+ let message = &system.message.as_ref().unwrap_or(&default);
+ let command = re.replace_all(&message, "");
+
+ println!("Message Applocker Warning");
+ println!("Command : {}", command);
+ println!("Results : {}", message);
+ }
+
+ fn applocker_log_block(&mut self, event_id: &String, system: &event::System) {
+ if event_id != "8004" {
+ return;
+ }
+
+ let re = Regex::new(r" was .*$").unwrap();
+ let default = "".to_string();
+ let message = &system.message.as_ref().unwrap_or(&default);
+ let command = re.replace_all(&message, "");
+
+ println!("Message Applocker Block");
+ println!("Command : {}", command);
+ println!("Results : {}", message);
+ }
+}
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index fbb6e111..aec7c3e8 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -2,6 +2,7 @@ extern crate csv;
 extern crate quick_xml;
 
 use crate::detections::application;
+use crate::detections::applocker;
 use crate::detections::common;
 use crate::detections::powershell;
 use crate::detections::security;
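Review bot: `Regex::new(r" was .*$").unwrap()` in applocker_log_warning and applocker_log_block recompiles the pattern for every event routed to this detector, and the two functions are identical except for the event id and the printed label, so the regex should be built once (held on `AppLocker` from `new()`, shown below, since the `extern crate` style suggests the toolchain may predate `std::sync::LazyLock`) and the body shared. `_system` carries the unused-parameter prefix but is used, `event_id: &String` should be `&str`, and `&_system` / `&message` add a reference level that only deref coercion rescues; `_event_data: HashMap` without type parameters would not compile as shown, so presumably the generics were lost in rendering. The message is event-log text derived from whatever binary was run, and the greedy ` was .*$` removes everything from the first " was " onward, so a path containing that token prints truncated as `Command`; a doc comment should also record that 8003 is the audit-mode event (the file would have been blocked under an enforced policy) while 8004 is an enforced block, since the label text is the only place that distinction surfaces.
```rust
pub struct AppLocker {
    // Compiled once in new(); strips the trailing " was ..." clause the
    // pattern assumes in 8003/8004 messages to recover the binary path.
    was_clause: Regex,
}

impl AppLocker {
    pub fn new() -> AppLocker {
        AppLocker {
            was_clause: Regex::new(r" was .*$").expect("literal pattern is valid"),
        }
    }

    // … unchanged: detection() dispatch …

    fn applocker_log_warning(&mut self, event_id: &str, system: &event::System) {
        if event_id == "8003" {
            self.report("Message Applocker Warning", system);
        }
    }

    fn applocker_log_block(&mut self, event_id: &str, system: &event::System) {
        if event_id == "8004" {
            self.report("Message Applocker Block", system);
        }
    }

    /// Prints `label`, the path with its trailing " was ..." clause removed, and the
    /// full event message. The message is log content and is printed as-is, not parsed.
    fn report(&self, label: &str, system: &event::System) {
        let message = system.message.as_deref().unwrap_or("");
        let command = self.was_clause.replace_all(message, "");
        println!("{}", label);
        println!("Command : {}", command);
        println!("Results : {}", message);
    }
}
```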
@@ -29,6 +30,7 @@ impl Detection {
 let mut security = security::Security::new();
 let mut system = system::System::new();
 let mut application = application::Application::new();
+ let mut applocker = applocker::AppLocker::new();
 let mut sysmon = sysmon::Sysmon::new();
 let mut powershell = powershell::PowerShell::new();
 
@@ -41,7 +43,6 @@ impl Detection {
 let event_data = event.parse_event_data();
 
 &common.detection(&event.system, &event_data);
- //&common.detection(&event.system, &event_data);
 if channel == "Security" {
 &security.detection(event_id, &event.system, &event.user_data, event_data);
 } else if channel == "System" {
@@ -52,6 +53,8 @@ impl Detection {
 &powershell.detection(event_id, &event.system, event_data);
 } else if channel == "Microsoft-Windows-Sysmon/Operational" {
 &sysmon.detection(event_id, &event.system, event_data);
+ } else if channel == "Microsoft-Windows-Applocker/Operational" {
+ &applocker.detection(event_id, &event.system, event_data);
 } else {
 //&other.detection();
 }
diff --git a/src/detections/mod.rs b/src/detections/mod.rs
index 11454f71..ad3011e6 100644
--- a/src/detections/mod.rs
+++ b/src/detections/mod.rs
@@ -1,4 +1,5 @@
 mod application;
+mod applocker;
 mod common;
 mod configs;
 pub mod detection;
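Review bot: The new branch matches `channel` against the exact string `"Microsoft-Windows-Applocker/Operational"`, and as far as I know AppLocker has no Operational channel — the 8003/8004 events the new detector keys on are written to `Microsoft-Windows-AppLocker/EXE and DLL`, script and installer events to `Microsoft-Windows-AppLocker/MSI and Script`, and the provider is spelled with a capital L — so unless the log source renames channels this comparison never succeeds and the detector is silently dead. Please confirm against an exported AppLocker log before merging; if it holds, matching on the provider prefix covers all AppLocker channels: `} else if channel.starts_with("Microsoft-Windows-AppLocker/") {`. A regression test that feeds one real 8004 record through Detection would have caught this, and would catch the same failure mode for the other channel strings in this chain. The enclosing method begins before the hunk and continues after it, and the same applies to the `@@ -29` and `@@ -41` hunks above.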