Hi @RylandHerrick - sorry for not replying sooner, completely forgot to, so thanks for reminding me!
What I meant by it being a threshold rule is that it only triggers once event.count reaches 100. The rule I mentioned is an ES|QL rule, so I think we’re referring to the same rule. And looking at the rule definition, host.name is a “kept field” which presumably means it should be visible in the alert, but for some reason it’s not.
However, we haven’t had any new alerts with this issue - we did upgrade to 9.2.5 last week and have installed a number of rule updates, so perhaps any issues in earlier rule versions were resolved? Either way, I think we can close this topic for now, and open another support request should it show itself again.
Thanks // Michael