How do I use SummaryAttributes in Panther correlation rules?

Last updated: April 6, 2026

QUESTION

The correlation rule reference docs mention a SummaryAttributes field. Is it actually supported in correlation rules, and if so, how do I reference attributes and how will they be displayed?

ANSWER

Yes, SummaryAttributes is supported in correlation rules and works the same way as in standard Panther rules. For each configured attribute, Panther looks at all the events that contributed to the alert and surfaces the most common values for those fields in the alert's Summary tab.

To use it, add a SummaryAttributes list to your correlation rule YAML with the field names you want to surface. For example:

AnalysisType: correlation_rule
RuleID: "Rule.id"
DisplayName: "My Rule"
Enabled: true
Severity: Medium
Detection:
  - Group:
      ...
    MatchCriteria:
      accountRegion:
          ...
    LookbackWindowMinutes: 2160
    Schedule:
      RateMinutes: 1440
      TimeoutMinutes: 2
SummaryAttributes:
  - p_any_actor_ids
  - p_any_aws_arns
  - p_any_emails
  - p_any_ip_addresses

If the correlation rule spans multiple log types, the summary is still computed across all matching events from all log types involved.
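To see what the Summary tab aggregation described above amounts to, here is an added sketch (not Panther's own code, and not from the original article) that ranks the most common values per attribute across events from two log types. The sample events, the `summarize` helper, the once-per-event counting, and the `top_n` cutoff are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample events from two log types (illustrative, not real data).
EVENTS = [
    {"p_log_type": "AWS.CloudTrail",
     "p_any_ip_addresses": ["198.51.100.7"],
     "p_any_aws_arns": ["arn:aws:iam::111122223333:user/alice"]},
    {"p_log_type": "AWS.CloudTrail",
     "p_any_ip_addresses": ["198.51.100.7", "203.0.113.9"],
     "p_any_aws_arns": ["arn:aws:iam::111122223333:user/alice"]},
    {"p_log_type": "Okta.SystemLog",
     "p_any_ip_addresses": ["198.51.100.7"],
     "p_any_emails": ["alice@example.com"]},
    {"p_log_type": "Okta.SystemLog",
     "p_any_emails": ["bob@example.com", "alice@example.com"]},
]

# Same list as the SummaryAttributes block in the rule YAML above.
SUMMARY_ATTRIBUTES = [
    "p_any_actor_ids",
    "p_any_aws_arns",
    "p_any_emails",
    "p_any_ip_addresses",
]


def summarize(events, attributes, top_n=5):
    """Return {attribute: [(value, event_count), ...]}, most common first.

    top_n is a hypothetical cutoff chosen for this sketch.
    """
    summary = {}
    for attr in attributes:
        counts = Counter()
        for event in events:
            value = event.get(attr)
            if value is None:
                continue  # this log type does not carry the field
            values = value if isinstance(value, list) else [value]
            # Count a value once per event, even if it repeats inside the array.
            counts.update({str(v) for v in values})
        # Sort by count (descending), then by value, so ties are deterministic.
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
        summary[attr] = ranked[:top_n]
    return summary


if __name__ == "__main__":
    for attr, ranked in summarize(EVENTS, SUMMARY_ATTRIBUTES).items():
        print(attr, ranked or "(no values in matching events)")
```

An attribute that none of the contributing events populate, such as `p_any_actor_ids` in this sample, yields an empty list, which is a useful cue to pick fields that exist on every log type the rule correlates.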