From 230f440f51c0c68a3282bb6cb68b9303adef5017 Mon Sep 17 00:00:00 2001 From: Balazs Czifra Date: Mon, 8 Sep 2025 15:50:21 +0200 Subject: [PATCH 1/2] Update create-detection-rule.md Explicitly noted that `hits` aren't available in the threshold rule results context, indicated that `context.alerts.kibana.alert.threshold_result.terms` contains fields and values from any group by specified by the rule. --- .../security/detect-and-alert/create-detection-rule.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/solutions/security/detect-and-alert/create-detection-rule.md b/solutions/security/detect-and-alert/create-detection-rule.md index 72dd65c473..2aa05eb19c 100644 --- a/solutions/security/detect-and-alert/create-detection-rule.md +++ b/solutions/security/detect-and-alert/create-detection-rule.md 
@@ -152,7 +152,14 @@ To filter noisy {{ml}} rules, use [rule exceptions](/solutions/security/detect-a You can also leave the **Group by** field undefined. The rule then creates an alert when the number of search results is equal to or greater than the threshold value. If you set **Count** to limit the results by `process.name` >= 2, an alert will only be generated for source/destination IP pairs that appear with at least 2 unique process names across all events. ::::{important} - Alerts created by threshold rules are synthetic alerts that do not resemble the source documents. The alert itself only contains data about the fields that were aggregated over (the **Group by** fields). Other fields are omitted, because they can vary across all source documents that were counted toward the threshold. Additionally, you can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field. + Alerts created by threshold rules are synthetic alerts that do not resemble the source documents. The alert itself only contains data about the fields that were aggregated over (the **Group by** fields). Other fields are omitted, because they can vary across all source documents that were counted toward the threshold. Because of this, it isn’t possible to iterate on the search hits, so those aren’t available in the context. You can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field. `context.alerts.kibana.alert.threshold_result.terms` contains fields and values from any group by specified by the rule. For example: + ``` + {{#context.alerts}} + {{#kibana.alert.threshold_result.terms}} + {{field}}: {{value}} + {{/kibana.alert.threshold_result.terms}} + {{/context.alerts}} + ``` :::: 3. (Optional) Select **Suppress alerts** to reduce the number of repeated or duplicate alerts created by the rule. 
Refer to [Suppress detection alerts](/solutions/security/detect-and-alert/suppress-detection-alerts.md) for more information. From 730581540a58f9eb676ae1987403d52df08cb9e9 Mon Sep 17 00:00:00 2001 From: florent-leborgne Date: Fri, 26 Sep 2025 12:56:23 +0200 Subject: [PATCH 2/2] Update solutions/security/detect-and-alert/create-detection-rule.md --- .../security/detect-and-alert/create-detection-rule.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/solutions/security/detect-and-alert/create-detection-rule.md b/solutions/security/detect-and-alert/create-detection-rule.md index 2aa05eb19c..502098212a 100644 --- a/solutions/security/detect-and-alert/create-detection-rule.md +++ b/solutions/security/detect-and-alert/create-detection-rule.md 
@@ -152,7 +152,12 @@ To filter noisy {{ml}} rules, use [rule exceptions](/solutions/security/detect-a You can also leave the **Group by** field undefined. The rule then creates an alert when the number of search results is equal to or greater than the threshold value. If you set **Count** to limit the results by `process.name` >= 2, an alert will only be generated for source/destination IP pairs that appear with at least 2 unique process names across all events. ::::{important} - Alerts created by threshold rules are synthetic alerts that do not resemble the source documents. The alert itself only contains data about the fields that were aggregated over (the **Group by** fields). Other fields are omitted, because they can vary across all source documents that were counted toward the threshold. Because of this, it isn’t possible to iterate on the search hits, so those aren’t available in the context. You can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field. `context.alerts.kibana.alert.threshold_result.terms` contains fields and values from any group by specified by the rule. For example: + Alerts created by threshold rules are synthetic alerts that do not resemble the source documents: + + - The alert itself only contains data about the fields that were aggregated over (the **Group by** fields specified in the rule). + - All other fields are omitted and aren't available in the alert. This is because these fields can vary across all source documents that were counted toward the threshold. + - You can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field. + - `context.alerts.kibana.alert.threshold_result.terms` contains fields and values from any **Group by** fields specified in the rule. For example: ``` {{#context.alerts}} {{#kibana.alert.threshold_result.terms}}
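Review bot: in the first commit's hunk (230f440f), the added sentence "it isn't possible to iterate on the search hits, so those aren't available in the context" never names the variable a reader would look for; the commit subject says `hits`, so spell out the variable as it appears in the rule action's variable list, otherwise readers can't tell what is absent. Two smaller points in the same hunk: the new fence at `+ ```` has no language tag, and "any group by specified by the rule" should use the bold UI term **Group by** that the surrounding paragraph already uses (the second commit fixes the wording, so only the fence tag is still open).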
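Review bot: in the second commit's hunk (73058154), the code example that follows the last bullet (`- \`context.alerts.kibana.alert.threshold_result.terms\` ... For example:`) is left at the admonition's one-space indentation in the unchanged context lines (` ```` and ` {{#context.alerts}}`), so it is not nested under that list item and will render as a separate block after the list ends; indent the fence and its body to the bullet's content column. This rewrite also drops the statement from the first commit that the search hits can't be iterated and aren't available in the context, which was that commit's stated purpose per its subject line; keep it as its own bullet, for example `- The search hits aren't available in the alert context, because a threshold alert doesn't correspond to individual source documents.`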