From 0a5aceabdfb1320bd3a3b3925727a26cc8c29687 Mon Sep 17 00:00:00 2001
From: ichiichi11 <takai.wa.hajime@gmail.com>
Date: Sun, 25 Oct 2020 20:16:15 +0900
Subject: [PATCH] implement process created

---
 src/detections/security.rs | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/detections/security.rs b/src/detections/security.rs
index 7818e7c2..44ce23ae 100644
--- a/src/detections/security.rs
+++ b/src/detections/security.rs
@@ -1,3 +1,4 @@
+use crate::detections::utils;
 use crate::models::event;
 use std::collections::HashMap;
 
@@ -114,12 +115,16 @@ impl Security {
         return Option::Some(v);
     }
 
-    fn process_created(&mut self, event_id: &String, _event_data: &HashMap<String, String>) {
+    fn process_created(&mut self, event_id: &String, event_data: &HashMap<String, String>) {
         if event_id != "4688" {
             return;
         }
-        // TODO Check-Commnad
-        return;
+
+        let commandline = event_data.get("CommandLine").unwrap_or(&self.empty_str);
+        let creator = event_data
+            .get("ParentProcessName")
+            .unwrap_or(&self.empty_str);
+        utils::check_command(4688, &commandline, 1000, 0, &self.empty_str, &creator);
     }
 
     //