Some rules in panther-analysis and the Panther Console have the tag "Configuration Required". What does this mean?

Some rules and policies provided by Panther require tuning to your environment in order to provide the most value. In some cases, Panther is able to provide reasonable default values for these parameters, allowing you to enable the detection and tune it on an as-needed basis. However, there are cases where the detection cannot perform at all without up-front adjustments.
These detections are tagged with "Configuration Required" and are often disabled by default. Typically, these rules will have comments in the Python code indicating where and how to make the adjustments necessary to tune the alerts.
For example, Panther's AWS IAM Role Trust Relationship for GitHub Actions requires you to explicitly state which repos are allowed to access which roles. Failing to configure the ALLOWED_ORG_REPO_PAIRS mapping will lead to numerous false positives.
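As an added illustration of the tuning described above (not Panther's own rule code), the policy below follows Panther's `policy(resource)` convention and checks an IAM role's trust policy against a hypothetical ALLOWED_ORG_REPO_PAIRS mapping; the `Arn` and `AssumeRolePolicyDocument` resource field names, the mapping's shape and the sample role are assumptions, and a role that is trusted by GitHub OIDC without a constrained `sub` condition, or whose repos are not in the mapping, is reported as non-compliant.

```python
import json
from typing import Optional

# Hypothetical mapping to tune per environment (assumption, mirroring the
# ALLOWED_ORG_REPO_PAIRS idea): role ARN -> set of "org/repo" allowed to
# assume it through the GitHub Actions OIDC provider.
ALLOWED_ORG_REPO_PAIRS = {
    "arn:aws:iam::123456789012:role/deploy-prod": {"example-org/infra"},
}
GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC}:sub"


def github_repos_in_trust_policy(doc: dict) -> Optional[set]:
    """Return the org/repo pairs the trust policy lets assume the role via
    GitHub OIDC. Return None when a GitHub principal is not pinned to
    specific repositories (no 'sub' condition, or a wildcard repo)."""
    repos = set()
    for stmt in doc.get("Statement", []):
        federated = stmt.get("Principal", {}).get("Federated", "")
        if stmt.get("Effect") != "Allow" or GITHUB_OIDC not in str(federated):
            continue
        subs = []
        for op, conds in stmt.get("Condition", {}).items():
            if ("StringEquals" in op or "StringLike" in op) and SUB_KEY in conds:
                val = conds[SUB_KEY]
                subs.extend(val if isinstance(val, list) else [val])
        if not subs:
            return None  # any repository on github.com could assume the role
        for sub in subs:
            parts = sub.split(":")  # e.g. "repo:org/repo:ref:refs/heads/main"
            if len(parts) < 2 or parts[0] != "repo" or "*" in parts[1]:
                return None
            repos.add(parts[1])
    return repos


def policy(resource: dict) -> bool:
    """Panther policy entry point: True means the resource is compliant."""
    doc = resource["AssumeRolePolicyDocument"]  # field name is an assumption
    if isinstance(doc, str):
        doc = json.loads(doc)
    repos = github_repos_in_trust_policy(doc)
    if repos == set():
        return True  # not trusted by GitHub Actions at all; nothing to check
    if repos is None:
        return False
    allowed = ALLOWED_ORG_REPO_PAIRS.get(resource["Arn"])
    return allowed is not None and repos <= allowed
```

Roles that GitHub OIDC can assume but that are absent from the mapping fail the policy, which is the source of the false positives the text warns about until the mapping is tuned.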
Customers who use CI/CD workflows will be able to edit the Python code directly to perform their tuning adjustments, but customers using Packs to manage their content will need to clone the detection before editing, due to Panther's limitations on editing pack-managed detection code.