Retrieve Documents in Threshold Signal

Hey @Amorik!

Thanks for your post. So I'm pulling from a past related question regarding threshold rules where my teammate @madi noted the following about threshold rule alerts:

We did update the functionality in 7.11 so that the fields queried in the original events will NOT be reflected in the signals. This was because the fields are not necessarily the same value across all matches, so it was ambiguous (wildcards can occur in the queries, for example)... that functionality is now provided by the timeline (when you click 'investigate in timeline', the original events are pulled back and you can see everything that matched) [...]
The Timeline functionality for threshold rules is a little unreliable currently, but will be tightened up in the upcoming 7.12 release. You should be able to visualize all the events that made up the signal in Timeline out of the box [...]

(Threshold Detection Ignoring Group By Field)

Essentially, you should be able to view each individual event relating to that threshold alert when you pull it into your Timeline. Let us know if that helps!

Best,
Yara