diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/patches/update_machine_learning.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/patches/update_machine_learning.json
new file mode 100644
index 0000000000000..638c2a35c2a65
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/patches/update_machine_learning.json
@@ -0,0 +1,4 @@
+{
+ "rule_id": "machine-learning",
+ "anomaly_threshold": 10
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_machine_learning.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_machine_learning.json
new file mode 100644
index 0000000000000..db2664978807e
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_machine_learning.json
@@ -0,0 +1,10 @@
+{
+ "name": "Query with a machine learning job",
+ "description": "Query with a machine learning job",
+ "rule_id": "machine-learning",
+ "risk_score": 1,
+ "severity": "high",
+ "type": "machine_learning",
+ "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
+ "anomaly_threshold": 50
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_machine_learning.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_machine_learning.json
new file mode 100644
index 0000000000000..dfa82c337a68b
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_machine_learning.json
@@ -0,0 +1,10 @@
+{
+ "name": "Query with a machine learning job",
+ "description": "Query with a machine learning job",
+ "rule_id": "machine-learning",
+ "risk_score": 1,
+ "severity": "high",
+ "type": "machine_learning",
+ "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
+ "anomaly_threshold": 100
+}
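Review bot: The create fixture in `queries/query_with_machine_learning.json` pairs `"risk_score": 1` with `"severity": "high"`, which reads as contradictory if these script payloads are ever used as reference examples for a machine_learning rule; if the intent is only to exercise the endpoint, a score that plausibly matches a high severity would avoid the confusion without changing what the script tests. The `name` and `description` also both say "Query with a machine learning job" while `"type"` is `machine_learning` rather than a query rule, so a label such as `"name": "Machine learning rule (linux_anomalous_network_activity_ecs)"` would describe the fixture more accurately. JSON offers no comment syntax, so the filename and these string fields are the only place the fixture can explain itself.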
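Review bot: The update fixture in `updates/update_machine_learning.json` is byte-identical to the create fixture except for `"anomaly_threshold": 100`, so when the update script is run after the create script the only observable change is a numeric field that is not shown prominently in most rule listings; presumably the fixture exists to verify that a full-replace update of a machine_learning rule works, and changing a visible field as well, e.g. `"name": "Query with a machine learning job (updated)"`, would make a successful update easy to confirm by eye. The patch fixture drops the same field to 10 and the create fixture sets 50, so the three values are distinguishable, but nothing records which value each step is expected to leave behind; a short line in the scripts' README (outside this diff) would cover that.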