From a306e61a51a707602db4bf3c734e083d9f93d2f4 Mon Sep 17 00:00:00 2001
From: Marshall Main <55718608+marshallmain@users.noreply.github.com>
Date: Wed, 29 Oct 2025 08:18:27 -0400
Subject: [PATCH] [Security Solution][Detection Engine] Fix threshold rule logic with no group by fields defined (#241022)

Fixes a regression in threshold rule logic introduced by https://github.com/elastic/kibana/pull/216887 - threshold rules with no "group by" fields defined would no longer generate alerts.

(cherry picked from commit fce90071cc1be29b9874d8dc147e6ea0ca8a513b)
---
 .../rule_types/threshold/find_threshold_signals.ts | 4 +---
 .../trial_license_complete_tier/threshold.ts | 13 +++++++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/find_threshold_signals.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/find_threshold_signals.ts
index 4a222b3e89a73..f7751f3df9158 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/find_threshold_signals.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/find_threshold_signals.ts
@@ -180,9 +180,7 @@ export const findThresholdSignals = async ({
     searchAfterResults.searchErrors.push(...searchErrors);
     loggedRequests.push(...(thresholdLoggedRequests ?? []));
-    if (isEmpty(searchErrors)) {
-      searchAfterResults.searchErrors.push(...searchErrors);
-    } else if (searchResult.aggregations != null) {
+    if (searchResult.aggregations != null) {
       const docCount = searchResult.hits.total.value;
       if (
         docCount >= threshold.value &&
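Review bot: Nothing at the surviving `if (searchResult.aggregations != null)` records that the threshold evaluation now runs regardless of whether `searchErrors` is non-empty, which the removed `isEmpty(searchErrors)` branch had (wrongly) made mutually exclusive with the aggregation path; a one-line comment would keep the next reader from reintroducing that inversion, e.g. `// searchErrors were already recorded above and must not suppress the threshold evaluation.` The removed inner push was also a duplicate of the unconditional push two lines earlier, so dropping it changes nothing about what is recorded. If `isEmpty` was referenced only in the removed lines, its import is now unused and should be removed with this change. The function body continues outside the hunk, so whether a result carrying shard errors should still count toward `docCount >= threshold.value` could not be assessed here.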
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/threshold/trial_license_complete_tier/threshold.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/threshold/trial_license_complete_tier/threshold.ts
index 38d2ba5762d78..5d2d248f3233f 100644
--- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/threshold/trial_license_complete_tier/threshold.ts
+++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/threshold/trial_license_complete_tier/threshold.ts
@@ -138,6 +138,19 @@ export default ({ getService }: FtrProviderContext) => {
       expect(logs[0].warnings).not.toContain(getMaxAlertsWarning());
     });
 
+    it('generates alerts from Threshold rules when threshold is met and no field is defined', async () => {
+      const rule: ThresholdRuleCreateProps = {
+        ...getThresholdRuleForAlertTesting(['auditbeat-*']),
+        threshold: {
+          field: [],
+          value: 100,
+        },
+      };
+      const { previewId } = await previewRule({ supertest, rule });
+      const previewAlerts = await getPreviewAlerts({ es, previewId });
+      expect(previewAlerts.length).toEqual(1);
+    });
+
     it('generates 2 alerts from Threshold rules when threshold is met', async () => {
       const rule: ThresholdRuleCreateProps = {
         ...getThresholdRuleForAlertTesting(['auditbeat-*']),
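Review bot: The new test stops at `expect(previewAlerts.length).toEqual(1)`, so a regression that still emits one alert but with a wrong or missing threshold result for the no-field case would pass unnoticed; it would be worth also asserting on the single alert's threshold result (the matched count, and that no grouping terms are attached), mirroring whatever the grouped-field tests in this suite check. The pass condition also relies on the `auditbeat-*` fixture holding at least 100 documents in the rule's lookback window, which cannot be confirmed from the hunk; a short comment on the `value: 100,` line such as `// below the fixture's document count so a single ungrouped alert is expected` would make the choice explicit. The enclosing describe block starts and ends outside the hunk.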