[Security Solution][Timeline Templates] Threshold Rule Investigate in Timeline action doesn't use Template Columns

[spong]

Originally discovered in 8.1.2 and raised from the discuss forums, it was noticed that when using the Investigate in Timeline action on a Threshold Rule Alert, the columns from the Timeline Template would not be copied over, e.g.

Upon reviewing the source of this action, there is special logic if the alert was created by a Threshold Rule, and it looks as if the template columns are not provided to the creatTimeline() call when duplicating from the template, and so the default columns are used instead.

kibana/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx

Lines 442 to 463 in eb0ef19

	timeline: {
	...timelineDefaults,
	description: `_id: ${alertDoc._id}`,
	filters: allFilters,
	dataProviders: templateValues.dataProviders ?? dataProviders,
	id: TimelineId.active,
	indexNames,
	dateRange: {
	start: thresholdFrom,
	end: thresholdTo,
	},
	eventType: 'all',
	kqlQuery: {
	filterQuery: {
	kuery: {
	kind: language,
	expression: templateValues.query ?? query,
	},
	serializedQuery: templateValues.query ?? query,
	},
	},
	},

Note: The see this issue for the KQLSyntaxError seen in the above screenshot #129958

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[spong]

If fix is straightforward as it appears (adding columns: templateValues.columns), please backport as far as possible as there are users currently experiencing this issue -- thanks!

[michaelolo24]

Thanks @spong - we have tech debt work in progress around investigate in timeline. Should hopefully be able to help resolve much of this