From 9c5641dbd7d65b2f784c3df9f2e9eeb7a5c40968 Mon Sep 17 00:00:00 2001
From: Madison Caldwell
Date: Thu, 1 Apr 2021 09:58:54 -0400
Subject: [PATCH] [Security Solution][Detections][Threshold Rules] Add `threshold_result` to alert notification context (#95354)

* Don't remove threshold_result from _source prematurely

* Fix type error

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .../server/lib/detection_engine/signals/build_bulk_body.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts
index 3a6cbf5ccd34..0c03c0837e8e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts
@@ -73,11 +73,12 @@ export const buildBulkBody = ({
 ...buildSignal([doc], rule),
 ...additionalSignalFields(doc),
 };
- // @ts-expect-error @elastic/elasticsearch _source is optional
- delete doc._source.threshold_result;
 const event = buildEventTypeSignal(doc);
+ const { threshold_result: thresholdResult, ...filteredSource } = doc._source || {
+ threshold_result: null,
+ };
 const signalHit: SignalHit = {
- ...doc._source,
+ ...filteredSource,
 '@timestamp': new Date().toISOString(),
 event,
 signal,
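Review bot: The destructuring that builds `filteredSource` binds `thresholdResult` only to drop the key, and nothing in the hunk reads it or explains why `threshold_result` is left on `doc` but kept out of `signalHit`. A short comment above it would record the intent, for example `// Strip threshold_result from the indexed signal without mutating doc; consumers of doc still need it`, which matches what the commit subject suggests about the notification context. The `|| { threshold_result: null }` fallback looks like it exists only to satisfy the type checker when `_source` is undefined, so that is worth stating in the same comment. If `thresholdResult` is not used later, renaming it to `_thresholdResult` would mark it as deliberately discarded, assuming the project's unused-variable lint rule honours that prefix. `buildBulkBody` starts and ends outside the hunk, so a later use of the binding cannot be ruled out from here.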