panther-labs · arielkr256 · Dec 5, 2024 · Dec 2, 2024 · Dec 4, 2024 · Dec 4, 2024
@@ -2439,5 +2439,33 @@ def test_pantherflow_investigation(self):
         self.assertEqual(p_b_h.pantherflow_investigation(event), query)
 
 
+class TestEmailRegex(unittest.TestCase):
+    def test_email_regex(self):
+        email_regex = p_b_h.EMAIL_REGEX
+        valid_emails = [
+            "[email protected]",
+            "[email protected]",
+            "ifjlid%[email protected]",
+            "[email protected]",
+            "[email protected]",
+        ]
+        invalid_emails = [
+            "asfe@acme",
+            "[email protected]",
+            "a@b",
+            "a@b.",
+            "[email protected]",
+            "[email protected].",
+            "[email protected]",
+            "[email protected]",
+            "asdf@",
+            "a.b@g&g.com",
+        ]
+        for email in valid_emails:
+            self.assertTrue(email_regex.match(email))
+        for email in invalid_emails:
+            self.assertFalse(email_regex.match(email))
+
+
 if __name__ == "__main__":
     unittest.main()
@@ -24,6 +24,8 @@ class PantherUnexpectedAlert(Exception):
 #      Generic Helpers    #
 # # # # # # # # # # # # # #
 
+EMAIL_REGEX = re.compile(r"[\w.+%-]+@[\w.-]+\.[a-zA-Z]{2,}")
+
 
 def deep_get(dictionary: dict, *keys, default=None):
     """Safely return the value of an arbitrarily nested map

@@ -9,6 +9,7 @@ PackDefinition:
     - Microsoft365.MFA.Disabled
     - Microsoft365.Exchange.External.Forwarding
     # Globals
+    - panther_base_helpers
     - panther_msft_helpers
     - panther_config
     - panther_config_defaults

@@ -15,7 +15,6 @@ PackDefinition:
     # Data Models used in these detections
     - Standard.Zoom.Operation
     # Globals used in these detections
-
-
+    - panther_base_helpers
     - panther_event_type_helpers
     - panther_zoom_helpers
@@ -1,10 +1,9 @@
 import re
 from fnmatch import fnmatch
 
+from panther_base_helpers import EMAIL_REGEX
 from panther_msft_helpers import m365_alert_context
 
-email_regex = re.compile(r"([A-Za-z0-9]+[.-_])*[A-Za-z0-9]+@[A-Za-z0-9-]+(\.[A-Z|a-z]{2,})+")
-
 ALLOWED_DOMAINS = ["mycompany.com", "alloweddomain.com"]  # should be in lowercase
 
 ALLOWED_USERS = ["[email protected]"]  # should be in lowercase
@@ -28,7 +27,7 @@ def rule(event):
         target = event.get("TargetUserOrGroupName", "")
         if target.lower() in ALLOWED_USERS:
             return False
-        if re.fullmatch(email_regex, target):
+        if re.fullmatch(EMAIL_REGEX, target):
             if target.split("@")[1].lower() not in ALLOWED_DOMAINS:
                 return True
     return False

@@ -1,12 +1,14 @@
 import re
 
+from panther_base_helpers import EMAIL_REGEX
+
 PRIVILEGED_ROLES = ("Admin", "Co-Owner", "Owner", "Billing Admin")
 
 
 def extract_values(event):
     operator = event.get("operator", "<operator-not-found>")
     operation_detail = event.get("operation_detail", "")
-    email = re.search(r"[\w.+-c]+@[\w-]+\.[\w.-]+", operation_detail)[0] or "<email-not-found>"
+    email = re.search(EMAIL_REGEX, operation_detail)[0] or "<email-not-found>"
     fromto = re.findall(r"from ([-\s\w]+) to ([-\s\w]+)", operation_detail) or [
         ("<from-role-not-found>", "<to-role-not-found>")
     ]

@@ -11,7 +11,7 @@ Tests:
       action: Batch Update
       category_type: User
       operation_detail: "Change Role  - [email protected]: from User to Co-Owner"
-      operator: admin@duff.io
+      operator: admin-test%1223+123@duff.dev.co
       time: "2022-07-05 20:28:48"
     Name: Admin Promotion Event
   - ExpectedResult: false
@@ -59,7 +59,7 @@ Tests:
       action: SCIM API - Update
       category_type: User
       operation_detail: "Edit User [email protected]  - Change Type: from Basic to Licensed"
-      operator: [email protected]
+      operator: admin-test%1223+123@duff.dev.co
       time: "2022-07-01 22:05:22"
     Name: Other Event
 DedupPeriodMinutes: 60