[DOCS] Threshold Rule actions can target aggregated fields directly #2016

@madirey

Description

We currently describe a workaround for targeting aggregated fields in Threshold Rule actions (https://github.com/elastic/security-docs/blame/349c716ee595144230ed51869f3d318c220462c1/docs/detections/rules-ui-create.asciidoc#L166-L178), however that workaround is no longer necessary. As of elastic/kibana#94345 that step is no longer necessary, but we never removed the workaround from the docs.

We should remove this section from the docs, as users can more easily access the fields directly from the alert document, rather than use the threshold_result field copies.

Acceptance Test Criteria

As a user, when configuring an action for a Threshold Rule which aggregates on (e.g.) host.name, I can directly reference the host.name field from a generated alert when configuring action templates for the rule.

Notes

  • Add all appropriate labels to the issue, especially the version number label.
  • Be sure to add any necessary screenshots, code text or console commands for clarity.
  • Include any conditions or caveats that may affect customers.
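An action message template of the kind the acceptance criterion describes, added here as an illustration and not taken from the issue or from the Elastic docs. It assumes Kibana's documented action-template variables (`context.rule.name`, `state.signals_count`, and the `context.alerts` array of generated alert documents) and a rule that aggregates on `host.name`:

```mustache
{{! Added example, not from the issue or the Elastic docs. Assumes Kibana's
    documented action-template variables: context.rule.name, state.signals_count
    and the context.alerts array holding the generated alert documents. }}
Rule "{{context.rule.name}}" fired for {{state.signals_count}} aggregated host(s)

{{#context.alerts}}
{{! The aggregated field is read straight from the alert document; no
    threshold_result copy is needed after elastic/kibana#94345. }}
- host.name: {{host.name}}
{{/context.alerts}}
```

Each alert produced by the threshold rule renders one line, so the notification lists every aggregated host without any reference to the legacy `threshold_result` fields.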
