From 5f6908e1a9a3a239e50b980559be76f8978b75f8 Mon Sep 17 00:00:00 2001
From: Satoshi MIMURA
Date: Sun, 18 Oct 2020 04:43:33 +0900
Subject: [PATCH] add : applocker.rs
---
 src/detections/applocker.rs | 49 +++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 src/detections/applocker.rs
diff --git a/src/detections/applocker.rs b/src/detections/applocker.rs
new file mode 100644
index 00000000..dd67c1a0
--- /dev/null
+++ b/src/detections/applocker.rs
@@ -0,0 +1,49 @@
+use crate::models::event;
+use std::collections::HashMap;
+
+pub struct AppLocker {}
+
+impl AppLocker {
+ pub fn new() -> AppLocker {
+ AppLocker {}
+ }
+
+ pub fn detection(
+ &mut self,
+ event_id: String,
+ AppLocker: &event::AppLocker,
+ event_data: HashMap,
+ ) {
+ if event_id == "8003" {
+ &self.AppLocker_log_warning();
+ } else if event_id == "8004" {
+ &self.AppLocker_log_block(event_data);
+ }
+ // -- Not Implemented 8006 and 8007 on DeepBlueCLI, but reserved these ID. --
+ //
+ //} else if event_id == "8006" {
+ // &self.windows_event_log(event_data);
+ //} else if event_id == "8007" {
+ // &self.windows_event_log(event_data);
+ //}
+ }
+
+ fn AppLocker_log_warning(&mut self, applocker: &event::AppLocker) {
+ let re = Regex::new(r" was .*$").unwrap();
+ let command = re.replace_all(message, "");
+
+ println!("Message Applocker Warning");
+ println!("Command : {}", command);
+ println!("Results : {}", message);
+ }
+
+ fn AppLocker_log_block(&mut self, applocker: &event::AppLocker) {
+ let re = Regex::new(r" was .*$").unwrap();
+ let command = re.replace_all(message, "");
+
+ println!("Message Applocker Block");
+ println!("Command : {}", command);
+ println!("Results : {}", message);
+ }
+
+}
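Review bot: The new file cannot compile as added: both `AppLocker_log_warning` and `AppLocker_log_block` use a `message` that is declared nowhere, `Regex` is used without a `use regex::Regex;` import (and the crate presumably needs to be a Cargo dependency, which this patch does not show), `HashMap` in the `detection` signature has no type parameters, and the two call sites do not match the helper signatures — `AppLocker_log_warning()` is called with no argument and `AppLocker_log_block(event_data)` passes a `HashMap` where `&event::AppLocker` is expected. The `&self.…()` prefix on both calls only takes a reference to the `()` result and discards it; drop the `&`. Since the two helpers differ only in the label string, I would fold them into one helper that takes the message from the `applocker` argument (its message field is not visible in this hunk, so the fence marks it as a placeholder) and dispatch on `event_id.as_str()`, as below. Separately, the text printed via `println!("Results : {}", message)` originates from event-log content that the process being blocked can influence (e.g. the path it was launched from), so if this output is meant for a terminal, consider escaping control characters before printing.
```rust
    pub fn detection(
        &mut self,
        event_id: String,
        applocker: &event::AppLocker,
        event_data: HashMap<String, String>, // TODO confirm key/value types against the caller
    ) {
        match event_id.as_str() {
            "8003" => self.applocker_log(applocker, "Warning"),
            "8004" => self.applocker_log(applocker, "Block"),
            _ => {}
        }
        // … unchanged: reserved 8006/8007 comment …
    }

    /// Prints one AppLocker event; `label` is "Warning" (8003) or "Block" (8004).
    fn applocker_log(&self, applocker: &event::AppLocker, label: &str) {
        let message: &str = /* TODO: the message field of event::AppLocker */;
        let re = Regex::new(r" was .*$").unwrap(); // literal pattern, cannot fail
        let command = re.replace_all(message, "");

        println!("Message Applocker {}", label);
        println!("Command : {}", command);
        println!("Results : {}", message);
    }
```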