diff --git a/x-pack/platform/plugins/private/translations/translations/fr-FR.json b/x-pack/platform/plugins/private/translations/translations/fr-FR.json
index 82df2e0b71b51..69d2c6e81b4aa 100644
--- a/x-pack/platform/plugins/private/translations/translations/fr-FR.json
+++ b/x-pack/platform/plugins/private/translations/translations/fr-FR.json
@@ -37684,7 +37684,6 @@
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdCardinalityFieldLabel": "Compte",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdCardinalityValueFieldLabel": "Valeurs uniques",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdFieldCardinalityFieldHelpText": "Sélectionner un champ pour vérifier la cardinalité",
-    "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdLabel": "Seuil",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.ga.enableThresholdSuppressionForFieldsLabel": "Supprimer les alertes par champs sélectionnés : {fieldsString}",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.ga.enableThresholdSuppressionLabel": "Supprimer les alertes",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.groupByDurationValueLabel": "Supprimer les alertes pour",
diff --git a/x-pack/platform/plugins/private/translations/translations/ja-JP.json b/x-pack/platform/plugins/private/translations/translations/ja-JP.json
index 225937ebae1b4..869a312c8b5e6 100644
--- a/x-pack/platform/plugins/private/translations/translations/ja-JP.json
+++ b/x-pack/platform/plugins/private/translations/translations/ja-JP.json
@@ -37542,7 +37542,6 @@
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdCardinalityFieldLabel": "カウント",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdCardinalityValueFieldLabel": "一意の値",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdFieldCardinalityFieldHelpText": "カーディナリティを確認するフィールドを選択します",
-    "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdLabel": "しきい値",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.ga.enableThresholdSuppressionForFieldsLabel": "選択したフィールドでアラートを非表示：{fieldsString}",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.ga.enableThresholdSuppressionLabel": "アラートを非表示",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.groupByDurationValueLabel": "アラートを非表示",
diff --git a/x-pack/platform/plugins/private/translations/translations/zh-CN.json b/x-pack/platform/plugins/private/translations/translations/zh-CN.json
index 1de6205358242..6aa6ced5cbc4d 100644
--- a/x-pack/platform/plugins/private/translations/translations/zh-CN.json
+++ b/x-pack/platform/plugins/private/translations/translations/zh-CN.json
@@ -36974,7 +36974,6 @@
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdCardinalityFieldLabel": "计数",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdCardinalityValueFieldLabel": "唯一值",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdFieldCardinalityFieldHelpText": "选择字段以检查基数",
-    "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdLabel": "阈值",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.ga.enableThresholdSuppressionForFieldsLabel": "对选定字段阻止告警：{fieldsString}",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.ga.enableThresholdSuppressionLabel": "阻止告警",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.groupByDurationValueLabel": "阻止以下项的告警",
diff --git a/x-pack/solutions/security/plugins/security_solution/public/common/utils/normalize_machine_learning_job_id.ts b/x-pack/solutions/security/plugins/security_solution/public/common/utils/normalize_machine_learning_job_id.ts
new file mode 100644
index 0000000000000..7733e2be08c97
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/common/utils/normalize_machine_learning_job_id.ts
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { MachineLearningJobId } from '../../../common/api/detection_engine';
+
+export function normalizeMachineLearningJobId(jobId: MachineLearningJobId): string[] {
+  return typeof jobId === 'string' ? [jobId] : jobId;
+}
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/anomaly_threshold_edit/anomaly_threshold_edit.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/anomaly_threshold_edit/anomaly_threshold_edit.tsx
new file mode 100644
index 0000000000000..d2fa7bdfba9ee
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/anomaly_threshold_edit/anomaly_threshold_edit.tsx
@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { UseField } from '../../../../shared_imports';
+import { AnomalyThresholdSlider } from '../../../rule_creation_ui/components/anomaly_threshold_slider';
+import * as i18n from './translations';
+
+const componentProps = {
+  describedByIds: ['anomalyThreshold'],
+};
+
+interface AnomalyThresholdEditProps {
+  path: string;
+}
+
+export function AnomalyThresholdEdit({ path }: AnomalyThresholdEditProps): JSX.Element {
+  return (
+    <UseField
+      path={path}
+      config={ANOMALY_THRESHOLD_FIELD_CONFIG}
+      component={AnomalyThresholdSlider}
+      componentProps={componentProps}
+    />
+  );
+}
+
+const ANOMALY_THRESHOLD_FIELD_CONFIG = {
+  label: i18n.ANOMALY_THRESHOLD_LABEL,
+};
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/anomaly_threshold_edit/index.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/anomaly_threshold_edit/index.ts
new file mode 100644
index 0000000000000..406e555795656
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/anomaly_threshold_edit/index.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { AnomalyThresholdEdit } from './anomaly_threshold_edit';
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/anomaly_threshold_edit/translations.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/anomaly_threshold_edit/translations.ts
new file mode 100644
index 0000000000000..dc22c04f45055
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/anomaly_threshold_edit/translations.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const ANOMALY_THRESHOLD_LABEL = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldAnomalyThresholdLabel',
+  {
+    defaultMessage: 'Anomaly score threshold',
+  }
+);
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/create_ml_job_button/create_ml_job_button.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/create_ml_job_button/create_ml_job_button.tsx
new file mode 100644
index 0000000000000..23ced049a5290
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/create_ml_job_button/create_ml_job_button.tsx
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { EuiButton } from '@elastic/eui';
+import { useKibana } from '../../../../common/lib/kibana';
+import * as i18n from './translations';
+
+export function CreateCustomMlJobButton(): JSX.Element {
+  const { navigateToApp } = useKibana().services.application;
+
+  return (
+    <EuiButton
+      iconType="popout"
+      iconSide="right"
+      onClick={() => navigateToApp('ml', { openInNewTab: true })}
+    >
+      {i18n.CREATE_CUSTOM_JOB_BUTTON_TITLE}
+    </EuiButton>
+  );
+}
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/create_ml_job_button/translations.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/create_ml_job_button/translations.ts
new file mode 100644
index 0000000000000..470f0a9b66394
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/create_ml_job_button/translations.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const CREATE_CUSTOM_JOB_BUTTON_TITLE = i18n.translate(
+  'xpack.securitySolution.detectionEngine.mlSelectJob.createCustomJobButtonTitle',
+  {
+    defaultMessage: 'Create custom job',
+  }
+);
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/machine_learning_job_id_edit/index.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/machine_learning_job_id_edit/index.ts
new file mode 100644
index 0000000000000..0e1f05a9e7a1b
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/machine_learning_job_id_edit/index.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { MachineLearningJobIdEdit } from './machine_learning_job_id_edit';
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/machine_learning_job_id_edit/machine_learning_job_id_edit.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/machine_learning_job_id_edit/machine_learning_job_id_edit.tsx
new file mode 100644
index 0000000000000..299e2c8dd87e6
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/machine_learning_job_id_edit/machine_learning_job_id_edit.tsx
@@ -0,0 +1,53 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { useMemo } from 'react';
+import { UseField, fieldValidators } from '../../../../shared_imports';
+import { MlJobSelect } from '../ml_job_select';
+import { useSecurityJobs } from '../../../../common/components/ml_popover/hooks/use_security_jobs';
+import * as i18n from './translations';
+
+interface MachineLearningJobIdEditProps {
+  path: string;
+  shouldShowHelpText?: boolean;
+}
+
+export function MachineLearningJobIdEdit({
+  path,
+  shouldShowHelpText,
+}: MachineLearningJobIdEditProps): JSX.Element {
+  const { loading, jobs } = useSecurityJobs();
+
+  const componentProps = useMemo(
+    () => ({
+      jobs,
+      loading,
+      shouldShowHelpText,
+    }),
+    [jobs, loading, shouldShowHelpText]
+  );
+
+  return (
+    <UseField
+      path={path}
+      config={MACHINE_LEARNING_JOB_ID_FIELD_CONFIG}
+      component={MlJobSelect}
+      componentProps={componentProps}
+    />
+  );
+}
+
+const MACHINE_LEARNING_JOB_ID_FIELD_CONFIG = {
+  label: i18n.MACHINE_LEARNING_JOB_ID_LABEL,
+  validations: [
+    {
+      validator: fieldValidators.emptyField(
+        i18n.MACHINE_LEARNING_JOB_ID_EMPTY_FIELD_VALIDATION_ERROR
+      ),
+    },
+  ],
+};
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/machine_learning_job_id_edit/translations.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/machine_learning_job_id_edit/translations.ts
new file mode 100644
index 0000000000000..ceb1bd6335549
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/machine_learning_job_id_edit/translations.ts
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const MACHINE_LEARNING_JOB_ID_LABEL = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldMachineLearningJobIdLabel',
+  {
+    defaultMessage: 'Machine Learning job',
+  }
+);
+
+export const MACHINE_LEARNING_JOB_ID_EMPTY_FIELD_VALIDATION_ERROR = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.machineLearningJobIdRequired',
+  {
+    defaultMessage: 'A Machine Learning job is required.',
+  }
+);
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/help_text.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/help_text.test.tsx
index 3db1beb5bb743..716d9e1411608 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/help_text.test.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/help_text.test.tsx
@@ -8,15 +8,46 @@
 import React from 'react';
 import { shallow } from 'enzyme';
 import { HelpText } from './help_text';
+import type { SecurityJob } from '../../../../common/components/ml_popover/types';
+
+jest.mock('../../../../common/lib/kibana', () => {
+  return {
+    useKibana: jest.fn().mockReturnValue({
+      services: {
+        application: {
+          getUrlForApp: () => '/app/ml',
+        },
+      },
+    }),
+  };
+});
 
 describe('MlJobSelect help text', () => {
   it('does not show warning if all jobs are running', () => {
-    const wrapper = shallow(<HelpText href={'https://test.com'} notRunningJobIds={[]} />);
+    const jobs = [
+      {
+        id: 'test-id',
+        jobState: 'opened',
+        datafeedState: 'opened',
+      },
+    ] as SecurityJob[];
+    const selectedJobIds = ['test-id'];
+
+    const wrapper = shallow(<HelpText jobs={jobs} selectedJobIds={selectedJobIds} />);
     expect(wrapper.find('[data-test-subj="ml-warning-not-running-jobs"]')).toHaveLength(0);
   });
 
   it('shows warning if there are jobs not running', () => {
-    const wrapper = shallow(<HelpText href={'https://test.com'} notRunningJobIds={['id']} />);
+    const jobs = [
+      {
+        id: 'test-id',
+        jobState: 'closed',
+        datafeedState: 'stopped',
+      },
+    ] as SecurityJob[];
+    const selectedJobIds = ['test-id'];
+
+    const wrapper = shallow(<HelpText jobs={jobs} selectedJobIds={selectedJobIds} />);
     expect(wrapper.find('[data-test-subj="ml-warning-not-running-jobs"]')).toHaveLength(1);
   });
 });
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/help_text.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/help_text.tsx
index 17d869183f96e..e53a8f251850c 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/help_text.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/help_text.tsx
@@ -5,63 +5,84 @@
  * 2.0.
  */
 
-import React from 'react';
+import React, { memo, useMemo } from 'react';
 import { EuiLink, EuiText } from '@elastic/eui';
-import styled from 'styled-components';
+import { css } from '@emotion/css';
 
 import { FormattedMessage } from '@kbn/i18n-react';
+import { isJobStarted } from '../../../../../common/machine_learning/helpers';
+import type { SecurityJob } from '../../../../common/components/ml_popover/types';
+import { useKibana } from '../../../../common/lib/kibana';
+interface HelpTextProps {
+  jobs: SecurityJob[];
+  selectedJobIds: string[];
+}
 
-const HelpTextWarningContainer = styled.div`
-  margin-top: 10px;
-`;
+export const HelpText = memo(function HelpText({
+  jobs,
+  selectedJobIds,
+}: HelpTextProps): JSX.Element {
+  const { getUrlForApp } = useKibana().services.application;
+  const mlUrl = getUrlForApp('ml');
 
-const HelpTextComponent: React.FC<{ href: string; notRunningJobIds: string[] }> = ({
-  href,
-  notRunningJobIds,
-}) => (
-  <>
-    <FormattedMessage
-      id="xpack.securitySolution.detectionEngine.createRule.stepDefineRule.machineLearningJobIdHelpText"
-      defaultMessage="We've provided a few common jobs to get you started. To add your own custom jobs, assign a group of 'security' to those jobs in the {machineLearning} application to make them appear here."
-      values={{
-        machineLearning: (
-          <EuiLink href={href} target="_blank">
-            <FormattedMessage
-              id="xpack.securitySolution.components.mlJobSelect.machineLearningLink"
-              defaultMessage="Machine Learning"
-            />
-          </EuiLink>
-        ),
-      }}
-    />
-    {notRunningJobIds.length > 0 && (
-      <HelpTextWarningContainer data-test-subj="ml-warning-not-running-jobs">
-        <EuiText size="xs">
-          <span>
-            {notRunningJobIds.length === 1 ? (
-              <FormattedMessage
-                id="xpack.securitySolution.detectionEngine.createRule.stepDefineRule.mlEnableJobSingle"
-                defaultMessage="The selected ML job, {jobName}, is not currently running. We will start {jobName} when you enable this rule."
-                values={{
-                  jobName: notRunningJobIds[0],
-                }}
-              />
-            ) : (
+  const notRunningJobIds = useMemo<string[]>(() => {
+    const selectedJobs = jobs.filter(({ id }) => selectedJobIds.includes(id));
+    return selectedJobs.reduce((acc, job) => {
+      if (!isJobStarted(job.jobState, job.datafeedState)) {
+        acc.push(job.id);
+      }
+      return acc;
+    }, [] as string[]);
+  }, [jobs, selectedJobIds]);
+
+  return (
+    <>
+      <FormattedMessage
+        id="xpack.securitySolution.detectionEngine.createRule.stepDefineRule.machineLearningJobIdHelpText"
+        defaultMessage="We've provided a few common jobs to get you started. To add your own custom jobs, assign a group of 'security' to those jobs in the {machineLearning} application to make them appear here."
+        values={{
+          machineLearning: (
+            <EuiLink href={mlUrl} target="_blank">
               <FormattedMessage
-                id="xpack.securitySolution.detectionEngine.createRule.stepDefineRule.mlEnableJobMulti"
-                defaultMessage="The selected ML jobs, {jobNames}, are not currently running. We will start all of these jobs when you enable this rule."
-                values={{
-                  jobNames: notRunningJobIds.reduce(
-                    (acc, value, i, array) => acc + (i < array.length - 1 ? ', ' : ', and ') + value
-                  ),
-                }}
+                id="xpack.securitySolution.components.mlJobSelect.machineLearningLink"
+                defaultMessage="Machine Learning"
               />
-            )}
-          </span>
-        </EuiText>
-      </HelpTextWarningContainer>
-    )}
-  </>
-);
+            </EuiLink>
+          ),
+        }}
+      />
+      {notRunningJobIds.length > 0 && (
+        <div className={warningContainerClassName} data-test-subj="ml-warning-not-running-jobs">
+          <EuiText size="xs">
+            <span>
+              {notRunningJobIds.length === 1 ? (
+                <FormattedMessage
+                  id="xpack.securitySolution.detectionEngine.createRule.stepDefineRule.mlEnableJobSingle"
+                  defaultMessage="The selected ML job, {jobName}, is not currently running. We will start {jobName} when you enable this rule."
+                  values={{
+                    jobName: notRunningJobIds[0],
+                  }}
+                />
+              ) : (
+                <FormattedMessage
+                  id="xpack.securitySolution.detectionEngine.createRule.stepDefineRule.mlEnableJobMulti"
+                  defaultMessage="The selected ML jobs, {jobNames}, are not currently running. We will start all of these jobs when you enable this rule."
+                  values={{
+                    jobNames: notRunningJobIds.reduce(
+                      (acc, value, i, array) =>
+                        acc + (i < array.length - 1 ? ', ' : ', and ') + value
+                    ),
+                  }}
+                />
+              )}
+            </span>
+          </EuiText>
+        </div>
+      )}
+    </>
+  );
+});
 
-export const HelpText = React.memo(HelpTextComponent);
+const warningContainerClassName = css`
+  margin-top: 10px;
+`;
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/index.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/index.tsx
index e9c22457d7465..187f72db3562e 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/index.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/index.tsx
@@ -5,153 +5,4 @@
  * 2.0.
  */
 
-import React, { useCallback, useMemo } from 'react';
-import type { EuiComboBoxOptionOption } from '@elastic/eui';
-import {
-  EuiButton,
-  EuiComboBox,
-  EuiFlexGroup,
-  EuiFlexItem,
-  EuiFormRow,
-  EuiToolTip,
-  EuiText,
-} from '@elastic/eui';
-
-import styled from 'styled-components';
-import { isJobStarted } from '../../../../../common/machine_learning/helpers';
-import type { FieldHook } from '../../../../shared_imports';
-import { getFieldValidityAndErrorMessage } from '../../../../shared_imports';
-import { useSecurityJobs } from '../../../../common/components/ml_popover/hooks/use_security_jobs';
-import { useKibana } from '../../../../common/lib/kibana';
-import { HelpText } from './help_text';
-
-import * as i18n from './translations';
-
-interface MlJobValue {
-  id: string;
-  description: string;
-  name?: string;
-}
-
-const JobDisplayContainer = styled.div`
-  width: 100%;
-  height: 100%;
-  display: flex;
-  flex-direction: column;
-`;
-
-type MlJobOption = EuiComboBoxOptionOption<MlJobValue>;
-
-const MlJobSelectEuiFlexGroup = styled(EuiFlexGroup)`
-  margin-bottom: 5px;
-`;
-
-const MlJobEuiButton = styled(EuiButton)`
-  margin-top: 20px;
-`;
-
-const JobDisplay: React.FC<MlJobValue> = ({ description, name, id }) => (
-  <JobDisplayContainer>
-    <strong>{name ?? id}</strong>
-    <EuiToolTip content={description}>
-      <EuiText size="xs" color="subdued">
-        <p>{description}</p>
-      </EuiText>
-    </EuiToolTip>
-  </JobDisplayContainer>
-);
-
-interface MlJobSelectProps {
-  describedByIds: string[];
-  field: FieldHook;
-}
-
-const renderJobOption = (option: MlJobOption) => (
-  <JobDisplay
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    id={option.value!.id}
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    description={option.value!.description}
-    name={option.value?.name}
-  />
-);
-
-export const MlJobSelect: React.FC<MlJobSelectProps> = ({ describedByIds = [], field }) => {
-  const jobIds = field.value as string[];
-  const { isInvalid, errorMessage } = getFieldValidityAndErrorMessage(field);
-  const { loading, jobs } = useSecurityJobs();
-  const { getUrlForApp, navigateToApp } = useKibana().services.application;
-  const mlUrl = getUrlForApp('ml');
-  const handleJobSelect = useCallback(
-    (selectedJobOptions: MlJobOption[]): void => {
-      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-      const selectedJobIds = selectedJobOptions.map((option) => option.value!.id);
-      field.setValue(selectedJobIds);
-    },
-    [field]
-  );
-
-  const jobOptions = jobs.map((job) => ({
-    value: {
-      id: job.id,
-      description: job.description,
-      name: job.customSettings?.security_app_display_name,
-    },
-    // Make sure users can search for id or name.
-    // The label contains the name and id because EuiComboBox uses it for the textual search.
-    label: `${job.customSettings?.security_app_display_name} ${job.id}`,
-  }));
-
-  const selectedJobOptions = jobOptions
-    .filter((option) => jobIds.includes(option.value.id))
-    // 'label' defines what is rendered inside the selected ComboBoxPill
-    .map((options) => ({ ...options, label: options.value.name ?? options.value.id }));
-
-  const notRunningJobIds = useMemo<string[]>(() => {
-    const selectedJobs = jobs.filter(({ id }) => jobIds.includes(id));
-    return selectedJobs.reduce((acc, job) => {
-      if (!isJobStarted(job.jobState, job.datafeedState)) {
-        acc.push(job.id);
-      }
-      return acc;
-    }, [] as string[]);
-  }, [jobs, jobIds]);
-
-  return (
-    <MlJobSelectEuiFlexGroup justifyContent="flexStart">
-      <EuiFlexItem grow={false}>
-        <EuiFormRow
-          label={field.label}
-          helpText={<HelpText href={mlUrl} notRunningJobIds={notRunningJobIds} />}
-          isInvalid={isInvalid}
-          error={errorMessage}
-          data-test-subj="mlJobSelect"
-          describedByIds={describedByIds}
-        >
-          <EuiFlexGroup>
-            <EuiFlexItem>
-              <EuiComboBox
-                isLoading={loading}
-                onChange={handleJobSelect}
-                options={jobOptions}
-                placeholder={i18n.ML_JOB_SELECT_PLACEHOLDER_TEXT}
-                renderOption={renderJobOption}
-                rowHeight={50}
-                selectedOptions={selectedJobOptions}
-              />
-            </EuiFlexItem>
-          </EuiFlexGroup>
-        </EuiFormRow>
-      </EuiFlexItem>
-      <EuiFlexItem grow={false}>
-        <MlJobEuiButton
-          iconType="popout"
-          iconSide="right"
-          onClick={() => navigateToApp('ml', { openInNewTab: true })}
-        >
-          {i18n.CREATE_CUSTOM_JOB_BUTTON_TITLE}
-        </MlJobEuiButton>
-      </EuiFlexItem>
-    </MlJobSelectEuiFlexGroup>
-  );
-};
+export { MlJobSelect } from './ml_job_select';
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/ml_job_select.test.tsx
similarity index 89%
rename from x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/index.test.tsx
rename to x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/ml_job_select.test.tsx
index 5323ac16bff4f..ddbb6c8b70708 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/index.test.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/ml_job_select.test.tsx
@@ -21,9 +21,9 @@ describe('MlJobSelect', () => {
 
   it('renders correctly', () => {
     const Component = () => {
-      const field = useFormFieldMock();
+      const field = useFormFieldMock<string[]>();
 
-      return <MlJobSelect describedByIds={[]} field={field} />;
+      return <MlJobSelect field={field} loading={false} jobs={[]} />;
     };
     const wrapper = shallow(<Component />);
 
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/ml_job_select.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/ml_job_select.tsx
new file mode 100644
index 0000000000000..160178a5b782d
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/ml_job_select.tsx
@@ -0,0 +1,113 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import {
+  EuiComboBox,
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiFormRow,
+  EuiText,
+  EuiToolTip,
+} from '@elastic/eui';
+
+import type { FieldHook } from '../../../../shared_imports';
+import { getFieldValidityAndErrorMessage } from '../../../../shared_imports';
+import { HelpText } from './help_text';
+import * as i18n from './translations';
+import type { SecurityJob } from '../../../../common/components/ml_popover/types';
+import type { MlJobOption, MlJobValue } from './types';
+import * as styles from './styles';
+
+interface MlJobSelectProps {
+  field: FieldHook<string[]>;
+  shouldShowHelpText?: boolean;
+  loading: boolean;
+  jobs: SecurityJob[];
+}
+
+export const MlJobSelect: React.FC<MlJobSelectProps> = ({
+  field,
+  shouldShowHelpText = true,
+  loading,
+  jobs,
+}) => {
+  const { isInvalid, errorMessage } = getFieldValidityAndErrorMessage(field);
+
+  const selectedJobIds = field.value;
+
+  const handleJobSelect = (selectedJobOptions: MlJobOption[]): void => {
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    const newlySelectedJobIds = selectedJobOptions.map((option) => option.value!.id);
+    field.setValue(newlySelectedJobIds);
+  };
+
+  const jobOptions = jobs.map((job) => ({
+    value: {
+      id: job.id,
+      description: job.description,
+      name: job.customSettings?.security_app_display_name,
+    },
+    // Make sure users can search for id or name.
+    // The label contains the name and id because EuiComboBox uses it for the textual search.
+    label: `${job.customSettings?.security_app_display_name} ${job.id}`,
+  }));
+
+  const selectedJobOptions = jobOptions
+    .filter((option) => selectedJobIds.includes(option.value.id))
+    // 'label' defines what is rendered inside the selected ComboBoxPill
+    .map((options) => ({ ...options, label: options.value.name ?? options.value.id }));
+
+  return (
+    <EuiFlexGroup justifyContent="flexStart" className={styles.mlJobSelectClassName}>
+      <EuiFlexItem>
+        <EuiFormRow
+          label={field.label}
+          helpText={shouldShowHelpText && <HelpText jobs={jobs} selectedJobIds={selectedJobIds} />}
+          isInvalid={isInvalid}
+          error={errorMessage}
+          data-test-subj="mlJobSelect"
+        >
+          <EuiFlexGroup>
+            <EuiFlexItem>
+              <EuiComboBox
+                isLoading={loading}
+                onChange={handleJobSelect}
+                options={jobOptions}
+                placeholder={i18n.ML_JOB_SELECT_PLACEHOLDER_TEXT}
+                renderOption={renderJobOption}
+                rowHeight={50}
+                selectedOptions={selectedJobOptions}
+              />
+            </EuiFlexItem>
+          </EuiFlexGroup>
+        </EuiFormRow>
+      </EuiFlexItem>
+    </EuiFlexGroup>
+  );
+};
+
+const renderJobOption = (option: MlJobOption) => (
+  <JobDisplay
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    id={option.value!.id}
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    description={option.value!.description}
+    name={option.value?.name}
+  />
+);
+
+const JobDisplay: React.FC<MlJobValue> = ({ description, name, id }) => (
+  <div className={styles.jobDisplayClassName}>
+    <strong>{name ?? id}</strong>
+    <EuiToolTip content={description}>
+      <EuiText size="xs" color="subdued">
+        <p>{description}</p>
+      </EuiText>
+    </EuiToolTip>
+  </div>
+);
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/styles.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/styles.ts
new file mode 100644
index 0000000000000..ffc6d7738fa6a
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/styles.ts
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { css } from '@emotion/css';
+
+export const mlJobSelectClassName = css`
+  margin-bottom: 5px;
+`;
+
+export const jobDisplayClassName = css`
+  width: 100%;
+  height: 100%;
+  display: flex;
+  flex-direction: column;
+`;
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/translations.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/translations.tsx
index e0beadc019b4f..2d089fea04dfc 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/translations.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/translations.tsx
@@ -7,13 +7,6 @@
 
 import { i18n } from '@kbn/i18n';
 
-export const CREATE_CUSTOM_JOB_BUTTON_TITLE = i18n.translate(
-  'xpack.securitySolution.detectionEngine.mlSelectJob.createCustomJobButtonTitle',
-  {
-    defaultMessage: 'Create custom job',
-  }
-);
-
 export const ML_JOB_SELECT_PLACEHOLDER_TEXT = i18n.translate(
   'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.mlJobSelectPlaceholderText',
   {
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/types.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/types.ts
new file mode 100644
index 0000000000000..a10a9da862d2c
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/ml_job_select/types.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { EuiComboBoxOptionOption } from '@elastic/eui';
+
+export interface MlJobValue {
+  id: string;
+  description: string;
+  name?: string;
+}
+
+export type MlJobOption = EuiComboBoxOptionOption<MlJobValue>;
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/threshold_edit/field_configs.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/threshold_edit/field_configs.ts
new file mode 100644
index 0000000000000..5bf7500ea1164
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/threshold_edit/field_configs.ts
@@ -0,0 +1,91 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ValidationFunc } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib';
+import { FIELD_TYPES } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib';
+import type { ERROR_CODE } from '@kbn/es-ui-shared-plugin/static/forms/helpers/field_validators/types';
+import { isEmpty } from 'lodash';
+import { fieldValidators } from '../../../../shared_imports';
+import * as i18n from './translations';
+
+export const THRESHOLD_FIELD_CONFIG = {
+  type: FIELD_TYPES.COMBO_BOX,
+  label: i18n.THRESHOLD_FIELD_LABEL,
+  helpText: i18n.THRESHOLD_FIELD_HELP_TEXT,
+  validations: [
+    {
+      validator: fieldValidators.maxLengthField({
+        length: 3,
+        message: i18n.THRESHOLD_FIELD_COUNT_VALIDATION_ERROR,
+      }),
+    },
+  ],
+};
+
+export const THRESHOLD_VALUE_CONFIG = {
+  type: FIELD_TYPES.NUMBER,
+  label: i18n.THRESHOLD_VALUE_LABEL,
+  validations: [
+    {
+      validator: fieldValidators.numberGreaterThanField({
+        than: 1,
+        message: i18n.THRESHOLD_VALUE_VALIDATION_ERROR,
+        allowEquality: true,
+      }),
+    },
+  ],
+};
+
+export function getCardinalityFieldConfig(path: string) {
+  return {
+    defaultValue: [] as unknown,
+    fieldsToValidateOnChange: [`${path}.cardinality.field`, `${path}.cardinality.value`],
+    type: FIELD_TYPES.COMBO_BOX,
+    label: i18n.CARDINALITY_FIELD_LABEL,
+    validations: [
+      {
+        validator: (
+          ...args: Parameters<ValidationFunc>
+        ): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined => {
+          const [{ formData }] = args;
+
+          if (!isEmpty(formData[`${path}.cardinality.value`])) {
+            return fieldValidators.emptyField(i18n.CARDINALITY_FIELD_MISSING_VALIDATION_ERROR)(
+              ...args
+            );
+          }
+        },
+      },
+    ],
+    helpText: i18n.CARDINALITY_FIELD_HELP_TEXT,
+  };
+}
+
+export function getCardinalityValueConfig(path: string) {
+  return {
+    fieldsToValidateOnChange: [`${path}.cardinality.field`, `${path}.cardinality.value`],
+    type: FIELD_TYPES.NUMBER,
+    label: i18n.CARDINALITY_VALUE_LABEL,
+    validations: [
+      {
+        validator: (
+          ...args: Parameters<ValidationFunc>
+        ): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined => {
+          const [{ formData }] = args;
+
+          if (!isEmpty(formData[`${path}.cardinality.field`])) {
+            return fieldValidators.numberGreaterThanField({
+              than: 1,
+              message: i18n.CARDINALITY_VALUE_VALIDATION_ERROR,
+              allowEquality: true,
+            })(...args);
+          }
+        },
+      },
+    ],
+  };
+}
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/threshold_edit/index.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/threshold_edit/index.tsx
new file mode 100644
index 0000000000000..aad44c4a8b842
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/threshold_edit/index.tsx
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { ThresholdEdit } from './threshold_edit';
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/threshold_edit/threshold_edit.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/threshold_edit/threshold_edit.tsx
new file mode 100644
index 0000000000000..3545bc120f95e
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/threshold_edit/threshold_edit.tsx
@@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { useCallback, useMemo } from 'react';
+import { type FieldSpec } from '@kbn/data-views-plugin/common';
+import { type FieldHook, UseMultiFields } from '../../../../shared_imports';
+import { ThresholdInput } from '../../../rule_creation_ui/components/threshold_input';
+import {
+  THRESHOLD_FIELD_CONFIG,
+  THRESHOLD_VALUE_CONFIG,
+  getCardinalityFieldConfig,
+  getCardinalityValueConfig,
+} from './field_configs';
+
+interface ThresholdEditProps {
+  path: string;
+  esFields: FieldSpec[];
+}
+
+export function ThresholdEdit({ path, esFields }: ThresholdEditProps): JSX.Element {
+  const aggregatableFields = useMemo(
+    () => esFields.filter((field) => field.aggregatable === true),
+    [esFields]
+  );
+
+  const ThresholdInputChildren = useCallback(
+    ({
+      thresholdField,
+      thresholdValue,
+      thresholdCardinalityField,
+      thresholdCardinalityValue,
+    }: Record<string, FieldHook>) => (
+      <ThresholdInput
+        browserFields={aggregatableFields}
+        thresholdField={thresholdField}
+        thresholdValue={thresholdValue}
+        thresholdCardinalityField={thresholdCardinalityField}
+        thresholdCardinalityValue={thresholdCardinalityValue}
+      />
+    ),
+    [aggregatableFields]
+  );
+
+  const cardinalityFieldConfig = useMemo(() => getCardinalityFieldConfig(path), [path]);
+  const cardinalityValueConfig = useMemo(() => getCardinalityValueConfig(path), [path]);
+
+  return (
+    <UseMultiFields
+      fields={{
+        thresholdField: {
+          path: `${path}.field`,
+          config: THRESHOLD_FIELD_CONFIG,
+        },
+        thresholdValue: {
+          path: `${path}.value`,
+          config: THRESHOLD_VALUE_CONFIG,
+        },
+        thresholdCardinalityField: {
+          path: `${path}.cardinality.field`,
+          config: cardinalityFieldConfig,
+        },
+        thresholdCardinalityValue: {
+          path: `${path}.cardinality.value`,
+          config: cardinalityValueConfig,
+        },
+      }}
+    >
+      {ThresholdInputChildren}
+    </UseMultiFields>
+  );
+}
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/threshold_edit/translations.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/threshold_edit/translations.ts
new file mode 100644
index 0000000000000..26981afd15e3a
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/threshold_edit/translations.ts
@@ -0,0 +1,78 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const THRESHOLD_FIELD_LABEL = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fieldThresholdFieldLabel',
+  {
+    defaultMessage: 'Group by',
+  }
+);
+
+export const THRESHOLD_FIELD_HELP_TEXT = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fieldThresholdFieldHelpText',
+  {
+    defaultMessage: "Select fields to group by. Fields are joined together with 'AND'",
+  }
+);
+
+export const THRESHOLD_FIELD_COUNT_VALIDATION_ERROR = i18n.translate(
+  'xpack.securitySolution.detectionEngine.validations.thresholdFieldFieldData.arrayLengthGreaterThanMaxErrorMessage',
+  {
+    defaultMessage: 'Number of fields must be 3 or less.',
+  }
+);
+
+export const THRESHOLD_VALUE_LABEL = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fieldThresholdValueLabel',
+  {
+    defaultMessage: 'Threshold',
+  }
+);
+
+export const THRESHOLD_VALUE_VALIDATION_ERROR = i18n.translate(
+  'xpack.securitySolution.detectionEngine.validations.thresholdValueFieldData.numberGreaterThanOrEqualOneErrorMessage',
+  {
+    defaultMessage: 'Value must be greater than or equal to one.',
+  }
+);
+
+export const CARDINALITY_FIELD_LABEL = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdCardinalityFieldLabel',
+  {
+    defaultMessage: 'Count',
+  }
+);
+
+export const CARDINALITY_FIELD_MISSING_VALIDATION_ERROR = i18n.translate(
+  'xpack.securitySolution.detectionEngine.validations.thresholdCardinalityFieldFieldData.thresholdCardinalityFieldNotSuppliedMessage',
+  {
+    defaultMessage: 'A Cardinality Field is required.',
+  }
+);
+
+export const CARDINALITY_FIELD_HELP_TEXT = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdFieldCardinalityFieldHelpText',
+  {
+    defaultMessage: 'Select a field to check cardinality',
+  }
+);
+
+export const CARDINALITY_VALUE_LABEL = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdCardinalityValueFieldLabel',
+  {
+    defaultMessage: 'Unique values',
+  }
+);
+
+export const CARDINALITY_VALUE_VALIDATION_ERROR = i18n.translate(
+  'xpack.securitySolution.detectionEngine.validations.thresholdCardinalityValueFieldData.numberGreaterThanOrEqualOneErrorMessage',
+  {
+    defaultMessage: 'Value must be greater than or equal to one.',
+  }
+);
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx
index b45f1a50414ac..90afe8d95fa37 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx
@@ -412,6 +412,8 @@ describe('description_step', () => {
     });
 
     describe('threshold', () => {
+      const thresholdLabel = 'Threshold';
+
       test('returns threshold description when threshold exist and field is empty', () => {
         const mockThreshold = {
           threshold: {
@@ -421,13 +423,13 @@ describe('description_step', () => {
         };
         const result: ListItems[] = getDescriptionItem(
           'threshold',
-          'Threshold label',
+          thresholdLabel,
           mockThreshold,
           mockFilterManager,
           mockLicenseService
         );
 
-        expect(result[0].title).toEqual('Threshold label');
+        expect(result[0].title).toEqual(thresholdLabel);
         expect(React.isValidElement(result[0].description)).toBeTruthy();
         expect(mount(result[0].description as React.ReactElement).html()).toContain(
           'All results >= 100'
@@ -443,13 +445,13 @@ describe('description_step', () => {
         };
         const result: ListItems[] = getDescriptionItem(
           'threshold',
-          'Threshold label',
+          thresholdLabel,
           mockThreshold,
           mockFilterManager,
           mockLicenseService
         );
 
-        expect(result[0].title).toEqual('Threshold label');
+        expect(result[0].title).toEqual(thresholdLabel);
         expect(React.isValidElement(result[0].description)).toBeTruthy();
         expect(mount(result[0].description as React.ReactElement).html()).toEqual(
           'Results aggregated by user.name >= 100'
@@ -469,13 +471,13 @@ describe('description_step', () => {
         };
         const result: ListItems[] = getDescriptionItem(
           'threshold',
-          'Threshold label',
+          thresholdLabel,
           mockThreshold,
           mockFilterManager,
           mockLicenseService
         );
 
-        expect(result[0].title).toEqual('Threshold label');
+        expect(result[0].title).toEqual(thresholdLabel);
         expect(React.isValidElement(result[0].description)).toBeTruthy();
         expect(mount(result[0].description as React.ReactElement).html()).toEqual(
           'Results aggregated by user.name >= 100'
@@ -495,13 +497,13 @@ describe('description_step', () => {
         };
         const result: ListItems[] = getDescriptionItem(
           'threshold',
-          'Threshold label',
+          thresholdLabel,
           mockThreshold,
           mockFilterManager,
           mockLicenseService
         );
 
-        expect(result[0].title).toEqual('Threshold label');
+        expect(result[0].title).toEqual(thresholdLabel);
         expect(React.isValidElement(result[0].description)).toBeTruthy();
         expect(mount(result[0].description as React.ReactElement).html()).toContain(
           'Results aggregated by user.name >= 100 when unique values count of host.test_value >= 10'
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.tsx
index a91487afc4486..46ed1f18f70ac 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.tsx
@@ -72,8 +72,11 @@ import {
   ALERT_SUPPRESSION_MISSING_FIELDS_FIELD_NAME,
 } from '../../../rule_creation/components/alert_suppression_edit';
 import { THRESHOLD_ALERT_SUPPRESSION_ENABLED } from '../../../rule_creation/components/threshold_alert_suppression_edit';
+import { THRESHOLD_VALUE_LABEL } from '../../../rule_creation/components/threshold_edit/translations';
 import { NEW_TERMS_FIELDS_LABEL } from '../../../rule_creation/components/new_terms_fields_edit/translations';
 import { HISTORY_WINDOW_START_LABEL } from '../../../rule_creation/components/history_window_start_edit/translations';
+import { MACHINE_LEARNING_JOB_ID_LABEL } from '../../../rule_creation/components/machine_learning_job_id_edit/translations';
+import { ANOMALY_THRESHOLD_LABEL } from '../../../rule_creation/components/anomaly_threshold_edit/translations';
 import type { FieldValueQueryBar } from '../query_bar_field';
 
 const DescriptionListContainer = styled(EuiDescriptionList)`
@@ -108,10 +111,7 @@ export const StepRuleDescriptionComponent = <T,>({
     if (key === 'machineLearningJobId') {
       return [
         ...acc,
-        buildMlJobsDescription(
-          get(key, data) as string[],
-          (get(key, schema) as { label: string }).label
-        ),
+        buildMlJobsDescription(get(key, data) as string[], MACHINE_LEARNING_JOB_ID_LABEL),
       ];
     }
 
@@ -286,7 +286,7 @@ export const getDescriptionItem = (
     return buildThreatDescription({ label, threat: filterEmptyThreats(threats) });
   } else if (field === 'threshold') {
     const threshold = get(field, data);
-    return buildThresholdDescription(label, threshold);
+    return buildThresholdDescription(THRESHOLD_VALUE_LABEL, threshold);
   } else if (field === 'references') {
     const urls: string[] = get(field, data);
     return buildUrlsDescription(label, urls);
@@ -362,6 +362,9 @@ export const getDescriptionItem = (
   } else if (field === 'maxSignals') {
     const value: number | undefined = get(field, data);
     return value ? [{ title: label, description: value }] : [];
+  } else if (field === 'anomalyThreshold') {
+    const value: number | undefined = get(field, data);
+    return value ? [{ title: ANOMALY_THRESHOLD_LABEL, description: value }] : [];
   } else if (field === 'historyWindowSize') {
     const value: number = get(field, data);
     return value ? [{ title: HISTORY_WINDOW_START_LABEL, description: value }] : [];
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/rule_preview/helpers.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/rule_preview/helpers.ts
index fcbdfdf4f86b7..c45022ebb96b5 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/rule_preview/helpers.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/rule_preview/helpers.ts
@@ -117,7 +117,7 @@ export const getIsRulePreviewDisabled = ({
   dataSourceType: DataSourceType;
   threatIndex: string[];
   threatMapping: ThreatMapping;
-  machineLearningJobId: string[];
+  machineLearningJobId: string[] | undefined;
   queryBar: FieldValueQueryBar;
   newTermsFields: string[];
 }) => {
@@ -125,7 +125,7 @@ export const getIsRulePreviewDisabled = ({
     return isEsqlPreviewDisabled({ isQueryBarValid, queryBar });
   }
   if (ruleType === 'machine_learning') {
-    return machineLearningJobId.length === 0;
+    return !machineLearningJobId ?? machineLearningJobId?.length === 0;
   }
   if (
     !isQueryBarValid ||
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_about_rule/index.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_about_rule/index.tsx
index 2d2ef8c8930d6..6e20138256d7f 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_about_rule/index.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_about_rule/index.tsx
@@ -50,7 +50,7 @@ const CommonUseField = getUseField({ component: Field });
 
 interface StepAboutRuleProps extends RuleStepProps {
   ruleType: Type;
-  machineLearningJobId: string[];
+  machineLearningJobId: string[] | undefined;
   index: string[];
   dataViewId: string | undefined;
   timestampOverride: string;
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.test.tsx
index fa7f9a8952cac..65384f838ac9b 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.test.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.test.tsx
@@ -830,7 +830,6 @@ function TestForm({
         shouldLoadQueryDynamically={stepDefineDefaultValue.shouldLoadQueryDynamically}
         queryBarTitle=""
         queryBarSavedId=""
-        thresholdFields={[]}
         {...formProps}
       />
       <button type="button" onClick={form.submit}>
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.tsx
index f7845c31378af..4c9461c966ced 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.tsx
@@ -17,7 +17,6 @@ import {
 } from '@elastic/eui';
 import type { FC } from 'react';
 import React, { memo, useCallback, useState, useEffect, useMemo } from 'react';
-
 import styled from 'styled-components';
 import { i18n as i18nCore } from '@kbn/i18n';
 import { isEqual } from 'lodash';
@@ -39,11 +38,8 @@ import { StepRuleDescription } from '../description_step';
 import type { QueryBarFieldProps } from '../query_bar_field';
 import { QueryBarField } from '../query_bar_field';
 import { SelectRuleType } from '../select_rule_type';
-import { AnomalyThresholdSlider } from '../anomaly_threshold_slider';
-import { MlJobSelect } from '../../../rule_creation/components/ml_job_select';
 import { PickTimeline } from '../../../rule_creation/components/pick_timeline';
 import { StepContentWrapper } from '../../../rule_creation/components/step_content_wrapper';
-import { ThresholdInput } from '../threshold_input';
 import {
   Field,
   Form,
@@ -81,18 +77,24 @@ import { useAlertSuppression } from '../../../rule_management/logic/use_alert_su
 import { AiAssistant } from '../ai_assistant';
 import { RelatedIntegrations } from '../../../rule_creation/components/related_integrations';
 import { useMLRuleConfig } from '../../../../common/components/ml/hooks/use_ml_rule_config';
+import { useTermsAggregationFields } from '../../../../common/hooks/use_terms_aggregation_fields';
 import {
   ALERT_SUPPRESSION_FIELDS_FIELD_NAME,
   AlertSuppressionEdit,
 } from '../../../rule_creation/components/alert_suppression_edit';
 import { ThresholdAlertSuppressionEdit } from '../../../rule_creation/components/threshold_alert_suppression_edit';
-import { usePersistentAlertSuppressionState } from './use_persistent_alert_suppression_state';
-import { useTermsAggregationFields } from '../../../../common/hooks/use_terms_aggregation_fields';
+import { MachineLearningJobIdEdit } from '../../../rule_creation/components/machine_learning_job_id_edit';
+import { ThresholdEdit } from '../../../rule_creation/components/threshold_edit';
+import { AnomalyThresholdEdit } from '../../../rule_creation/components/anomaly_threshold_edit/anomaly_threshold_edit';
 import { HistoryWindowStartEdit } from '../../../rule_creation/components/history_window_start_edit';
 import { NewTermsFieldsEdit } from '../../../rule_creation/components/new_terms_fields_edit';
-import { usePersistentNewTermsState } from './use_persistent_new_terms_state';
 import { EsqlQueryEdit } from '../../../rule_creation/components/esql_query_edit';
+import { usePersistentNewTermsState } from './use_persistent_new_terms_state';
+import { usePersistentAlertSuppressionState } from './use_persistent_alert_suppression_state';
+import { usePersistentThresholdState } from './use_persistent_threshold_state';
 import { usePersistentQuery } from './use_persistent_query';
+import { usePersistentMachineLearningState } from './use_persistent_machine_learning_state';
+import { CreateCustomMlJobButton } from '../../../rule_creation/components/create_ml_job_button/create_ml_job_button';
 
 const CommonUseField = getUseField({ component: Field });
 
@@ -116,7 +118,6 @@ export interface StepDefineRuleProps extends RuleStepProps {
   shouldLoadQueryDynamically: boolean;
   queryBarTitle: string | undefined;
   queryBarSavedId: string | null | undefined;
-  thresholdFields: string[] | undefined;
 }
 
 interface StepDefineRuleReadOnlyProps {
@@ -165,11 +166,10 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
   shouldLoadQueryDynamically,
   threatIndex,
   threatIndicesConfig,
-  thresholdFields,
 }) => {
-  const [{ ruleType, queryBar, machineLearningJobId }] = useFormData<DefineStepRule>({
+  const [{ ruleType, queryBar, machineLearningJobId, threshold }] = useFormData<DefineStepRule>({
     form,
-    watch: ['ruleType', 'queryBar', 'machineLearningJobId'],
+    watch: ['ruleType', 'queryBar', 'machineLearningJobId', 'threshold.field'],
   });
 
   const [openTimelineSearch, setOpenTimelineSearch] = useState(false);
@@ -186,7 +186,10 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
   } = useMLRuleConfig({ machineLearningJobId });
 
   const isMlSuppressionIncomplete =
-    isMlRule(ruleType) && machineLearningJobId?.length > 0 && !allJobsStarted;
+    isMlRule(ruleType) &&
+    machineLearningJobId &&
+    machineLearningJobId?.length > 0 &&
+    !allJobsStarted;
 
   const isAlertSuppressionLicenseValid = license.isAtLeast(MINIMUM_LICENSE_FOR_SUPPRESSION);
 
@@ -208,11 +211,6 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
     [form]
   );
 
-  const aggFields = useMemo(
-    () => (indexPattern.fields as FieldSpec[]).filter((field) => field.aggregatable === true),
-    [indexPattern.fields]
-  );
-
   const termsAggregationFields = useTermsAggregationFields(indexPattern.fields);
   const termsAggregationFieldNames = useMemo(
     () => termsAggregationFields.map((field) => field.name),
@@ -239,6 +237,13 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
     form,
   });
   usePersistentAlertSuppressionState({ form });
+  usePersistentThresholdState({ form, ruleTypePath: 'ruleType', thresholdPath: 'threshold' });
+  usePersistentMachineLearningState({
+    form,
+    ruleTypePath: 'ruleType',
+    machineLearningJobIdPath: 'machineLearningJobId',
+    anomalyThresholdPath: 'anomalyThreshold',
+  });
   usePersistentNewTermsState({
     form,
     ruleTypePath: 'ruleType',
@@ -304,24 +309,6 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
     setOpenTimelineSearch(false);
   }, []);
 
-  const ThresholdInputChildren = useCallback(
-    ({
-      thresholdField,
-      thresholdValue,
-      thresholdCardinalityField,
-      thresholdCardinalityValue,
-    }: Record<string, FieldHook>) => (
-      <ThresholdInput
-        browserFields={aggFields}
-        thresholdField={thresholdField}
-        thresholdValue={thresholdValue}
-        thresholdCardinalityField={thresholdCardinalityField}
-        thresholdCardinalityValue={thresholdCardinalityValue}
-      />
-    ),
-    [aggFields]
-  );
-
   const ThreatMatchInputChildren = useCallback(
     ({ threatMapping }: Record<string, FieldHook>) => (
       <ThreatMatchInput
@@ -669,50 +656,28 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
               </RuleTypeEuiFormRow>
             </>
           )}
-          <RuleTypeEuiFormRow $isVisible={isMlRule(ruleType)} fullWidth>
-            <>
-              <UseField
-                path="machineLearningJobId"
-                component={MlJobSelect}
-                componentProps={{
-                  describedByIds: ['detectionEngineStepDefineRulemachineLearningJobId'],
-                }}
-              />
-              <UseField
-                path="anomalyThreshold"
-                component={AnomalyThresholdSlider}
-                componentProps={{
-                  describedByIds: ['detectionEngineStepDefineRuleAnomalyThreshold'],
-                }}
-              />
-            </>
-          </RuleTypeEuiFormRow>
-          <RuleTypeEuiFormRow
-            $isVisible={isThresholdRule}
-            data-test-subj="thresholdInput"
-            fullWidth
-          >
-            <>
-              <UseMultiFields
-                fields={{
-                  thresholdField: {
-                    path: 'threshold.field',
-                  },
-                  thresholdValue: {
-                    path: 'threshold.value',
-                  },
-                  thresholdCardinalityField: {
-                    path: 'threshold.cardinality.field',
-                  },
-                  thresholdCardinalityValue: {
-                    path: 'threshold.cardinality.value',
-                  },
-                }}
-              >
-                {ThresholdInputChildren}
-              </UseMultiFields>
-            </>
-          </RuleTypeEuiFormRow>
+          {isMlRule(ruleType) && (
+            <EuiFormRow fullWidth>
+              <>
+                <EuiFlexGroup>
+                  <EuiFlexItem grow={false}>
+                    <MachineLearningJobIdEdit path="machineLearningJobId" />
+                  </EuiFlexItem>
+                  <EuiFlexItem grow={false}>
+                    <EuiSpacer size="xs" />
+                    <EuiSpacer size="m" />
+                    <CreateCustomMlJobButton />
+                  </EuiFlexItem>
+                </EuiFlexGroup>
+                <AnomalyThresholdEdit path="anomalyThreshold" />
+              </>
+            </EuiFormRow>
+          )}
+          {isThresholdRule && (
+            <EuiFormRow data-test-subj="thresholdInput" fullWidth>
+              <ThresholdEdit esFields={indexPattern.fields as FieldSpec[]} path="threshold" />
+            </EuiFormRow>
+          )}
           <RuleTypeEuiFormRow
             $isVisible={isThreatMatchRule(ruleType)}
             data-test-subj="threatMatchInput"
@@ -743,7 +708,7 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
           <RuleTypeEuiFormRow $isVisible={isAlertSuppressionEnabled} fullWidth>
             {isThresholdRule ? (
               <ThresholdAlertSuppressionEdit
-                suppressionFieldNames={thresholdFields}
+                suppressionFieldNames={threshold?.field}
                 disabled={!isAlertSuppressionLicenseValid}
                 disabledText={alertSuppressionUpsellingMessage}
               />
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/schema.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/schema.tsx
index 4f168d94388d5..d453378f03824 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/schema.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/schema.tsx
@@ -5,7 +5,6 @@
  * 2.0.
  */
 
-import { isEmpty } from 'lodash';
 import { i18n } from '@kbn/i18n';
 import { EuiText } from '@elastic/eui';
 import React from 'react';
@@ -18,7 +17,6 @@ import {
 import {
   isEsqlRule,
   isThreatMatchRule,
-  isThresholdRule,
   isSuppressionRuleConfiguredWithGroupBy,
 } from '../../../../../common/detection_engine/utils';
 import { isMlRule } from '../../../../../common/machine_learning/helpers';
@@ -139,46 +137,8 @@ export const schema: FormSchema<DefineStepRule> = {
     ),
     validations: [],
   },
-  anomalyThreshold: {
-    label: i18n.translate(
-      'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldAnomalyThresholdLabel',
-      {
-        defaultMessage: 'Anomaly score threshold',
-      }
-    ),
-    validations: [],
-  },
-  machineLearningJobId: {
-    label: i18n.translate(
-      'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldMachineLearningJobIdLabel',
-      {
-        defaultMessage: 'Machine Learning job',
-      }
-    ),
-    validations: [
-      {
-        validator: (
-          ...args: Parameters<ValidationFunc>
-        ): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined => {
-          const [{ formData }] = args;
-          const needsValidation = isMlRule(formData.ruleType);
-
-          if (!needsValidation) {
-            return;
-          }
-
-          return fieldValidators.emptyField(
-            i18n.translate(
-              'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.machineLearningJobIdRequired',
-              {
-                defaultMessage: 'A Machine Learning job is required.',
-              }
-            )
-          )(...args);
-        },
-      },
-    ],
-  },
+  anomalyThreshold: {},
+  machineLearningJobId: {},
   relatedIntegrations: {
     type: FIELD_TYPES.JSON,
     label: i18n.translate(
@@ -216,163 +176,7 @@ export const schema: FormSchema<DefineStepRule> = {
       }
     ),
   },
-  threshold: {
-    label: i18n.translate(
-      'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdLabel',
-      {
-        defaultMessage: 'Threshold',
-      }
-    ),
-    field: {
-      type: FIELD_TYPES.COMBO_BOX,
-      label: i18n.translate(
-        'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fieldThresholdFieldLabel',
-        {
-          defaultMessage: 'Group by',
-        }
-      ),
-      helpText: i18n.translate(
-        'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fieldThresholdFieldHelpText',
-        {
-          defaultMessage: "Select fields to group by. Fields are joined together with 'AND'",
-        }
-      ),
-      validations: [
-        {
-          validator: (
-            ...args: Parameters<ValidationFunc>
-          ): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined => {
-            const [{ formData }] = args;
-            const needsValidation = isThresholdRule(formData.ruleType);
-            if (!needsValidation) {
-              return;
-            }
-            return fieldValidators.maxLengthField({
-              length: 3,
-              message: i18n.translate(
-                'xpack.securitySolution.detectionEngine.validations.thresholdFieldFieldData.arrayLengthGreaterThanMaxErrorMessage',
-                {
-                  defaultMessage: 'Number of fields must be 3 or less.',
-                }
-              ),
-            })(...args);
-          },
-        },
-      ],
-    },
-    value: {
-      type: FIELD_TYPES.NUMBER,
-      label: i18n.translate(
-        'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fieldThresholdValueLabel',
-        {
-          defaultMessage: 'Threshold',
-        }
-      ),
-      validations: [
-        {
-          validator: (
-            ...args: Parameters<ValidationFunc>
-          ): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined => {
-            const [{ formData }] = args;
-            const needsValidation = isThresholdRule(formData.ruleType);
-            if (!needsValidation) {
-              return;
-            }
-            return fieldValidators.numberGreaterThanField({
-              than: 1,
-              message: i18n.translate(
-                'xpack.securitySolution.detectionEngine.validations.thresholdValueFieldData.numberGreaterThanOrEqualOneErrorMessage',
-                {
-                  defaultMessage: 'Value must be greater than or equal to one.',
-                }
-              ),
-              allowEquality: true,
-            })(...args);
-          },
-        },
-      ],
-    },
-    cardinality: {
-      field: {
-        defaultValue: [],
-        fieldsToValidateOnChange: ['threshold.cardinality.field', 'threshold.cardinality.value'],
-        type: FIELD_TYPES.COMBO_BOX,
-        label: i18n.translate(
-          'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdCardinalityFieldLabel',
-          {
-            defaultMessage: 'Count',
-          }
-        ),
-        validations: [
-          {
-            validator: (
-              ...args: Parameters<ValidationFunc>
-            ): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined => {
-              const [{ formData }] = args;
-              const needsValidation = isThresholdRule(formData.ruleType);
-              if (!needsValidation) {
-                return;
-              }
-              if (
-                isEmpty(formData['threshold.cardinality.field']) &&
-                !isEmpty(formData['threshold.cardinality.value'])
-              ) {
-                return fieldValidators.emptyField(
-                  i18n.translate(
-                    'xpack.securitySolution.detectionEngine.validations.thresholdCardinalityFieldFieldData.thresholdCardinalityFieldNotSuppliedMessage',
-                    {
-                      defaultMessage: 'A Cardinality Field is required.',
-                    }
-                  )
-                )(...args);
-              }
-            },
-          },
-        ],
-        helpText: i18n.translate(
-          'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdFieldCardinalityFieldHelpText',
-          {
-            defaultMessage: 'Select a field to check cardinality',
-          }
-        ),
-      },
-      value: {
-        fieldsToValidateOnChange: ['threshold.cardinality.field', 'threshold.cardinality.value'],
-        type: FIELD_TYPES.NUMBER,
-        label: i18n.translate(
-          'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdCardinalityValueFieldLabel',
-          {
-            defaultMessage: 'Unique values',
-          }
-        ),
-        validations: [
-          {
-            validator: (
-              ...args: Parameters<ValidationFunc>
-            ): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined => {
-              const [{ formData }] = args;
-              const needsValidation = isThresholdRule(formData.ruleType);
-              if (!needsValidation) {
-                return;
-              }
-              if (!isEmpty(formData['threshold.cardinality.field'])) {
-                return fieldValidators.numberGreaterThanField({
-                  than: 1,
-                  message: i18n.translate(
-                    'xpack.securitySolution.detectionEngine.validations.thresholdCardinalityValueFieldData.numberGreaterThanOrEqualOneErrorMessage',
-                    {
-                      defaultMessage: 'Value must be greater than or equal to one.',
-                    }
-                  ),
-                  allowEquality: true,
-                })(...args);
-              }
-            },
-          },
-        ],
-      },
-    },
-  },
+  threshold: {},
   threatIndex: {
     type: FIELD_TYPES.COMBO_BOX,
     label: i18n.translate(
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/use_persistent_machine_learning_state.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/use_persistent_machine_learning_state.ts
new file mode 100644
index 0000000000000..dd65ab2d98f97
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/use_persistent_machine_learning_state.ts
@@ -0,0 +1,65 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useEffect, useRef } from 'react';
+import usePrevious from 'react-use/lib/usePrevious';
+import { isMlRule } from '../../../../../common/detection_engine/utils';
+import type { FormHook } from '../../../../shared_imports';
+import { useFormData } from '../../../../shared_imports';
+import { type DefineStepRule } from '../../../../detections/pages/detection_engine/rules/types';
+
+interface LastMachineLearningState {
+  machineLearningJobId: string[];
+  anomalyThreshold: number;
+}
+
+interface UsePersistentMachineLearningStateParams {
+  form: FormHook<DefineStepRule>;
+  ruleTypePath: string;
+  machineLearningJobIdPath: string;
+  anomalyThresholdPath: string;
+}
+
+export function usePersistentMachineLearningState({
+  form,
+  ruleTypePath,
+  machineLearningJobIdPath,
+  anomalyThresholdPath,
+}: UsePersistentMachineLearningStateParams): void {
+  const lastMlState = useRef<LastMachineLearningState | undefined>();
+  const [formData] = useFormData({ form });
+
+  const {
+    [ruleTypePath]: ruleType,
+    [machineLearningJobIdPath]: machineLearningJobId,
+    [anomalyThresholdPath]: anomalyThreshold,
+  } = formData;
+  const previousRuleType = usePrevious(ruleType);
+
+  useEffect(() => {
+    if (isMlRule(ruleType) && !isMlRule(previousRuleType) && lastMlState.current) {
+      form.updateFieldValues({
+        [machineLearningJobIdPath]: lastMlState.current.machineLearningJobId,
+        [anomalyThresholdPath]: lastMlState.current.anomalyThreshold,
+      });
+
+      return;
+    }
+
+    if (isMlRule(ruleType)) {
+      lastMlState.current = { machineLearningJobId, anomalyThreshold };
+    }
+  }, [
+    form,
+    ruleType,
+    previousRuleType,
+    machineLearningJobIdPath,
+    anomalyThresholdPath,
+    machineLearningJobId,
+    anomalyThreshold,
+  ]);
+}
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/use_persistent_threshold_state.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/use_persistent_threshold_state.ts
new file mode 100644
index 0000000000000..0895ef466e72b
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/use_persistent_threshold_state.ts
@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useEffect, useRef } from 'react';
+import usePrevious from 'react-use/lib/usePrevious';
+import { isThresholdRule } from '../../../../../common/detection_engine/utils';
+import type { FormHook } from '../../../../shared_imports';
+import { useFormData } from '../../../../shared_imports';
+import { type DefineStepRule } from '../../../../detections/pages/detection_engine/rules/types';
+import type { FieldValueThreshold } from '../threshold_input';
+
+interface LastThresholdState {
+  threshold: FieldValueThreshold;
+}
+
+interface UsePersistentThresholdStateParams {
+  form: FormHook<DefineStepRule>;
+  ruleTypePath: string;
+  thresholdPath: string;
+}
+
+export function usePersistentThresholdState({
+  form,
+  ruleTypePath,
+  thresholdPath,
+}: UsePersistentThresholdStateParams): void {
+  const lastThresholdState = useRef<LastThresholdState | undefined>();
+  const [formData] = useFormData({ form });
+
+  const { [ruleTypePath]: ruleType, [thresholdPath]: threshold } = formData;
+  const previousRuleType = usePrevious(ruleType);
+
+  useEffect(() => {
+    if (
+      isThresholdRule(ruleType) &&
+      !isThresholdRule(previousRuleType) &&
+      lastThresholdState.current
+    ) {
+      form.updateFieldValues({
+        [thresholdPath]: lastThresholdState.current.threshold,
+      });
+
+      return;
+    }
+
+    if (isThresholdRule(ruleType)) {
+      lastThresholdState.current = { threshold };
+    }
+  }, [form, ruleType, previousRuleType, threshold, thresholdPath]);
+}
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/threshold_input/index.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/threshold_input/index.tsx
index 3875aa853256c..26c12b2b6a88c 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/threshold_input/index.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/threshold_input/index.tsx
@@ -7,14 +7,11 @@
 
 import React, { useMemo } from 'react';
 import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
-import styled from 'styled-components';
-
 import type { DataViewFieldBase } from '@kbn/es-query';
 import type { FieldHook } from '../../../../shared_imports';
 import { Field } from '../../../../shared_imports';
 import { THRESHOLD_FIELD_PLACEHOLDER } from './translations';
-
-const FIELD_COMBO_BOX_WIDTH = 410;
+import * as styles from './styles';
 
 export interface FieldValueThreshold {
   field: string[];
@@ -33,10 +30,6 @@ interface ThresholdInputProps {
   browserFields: DataViewFieldBase[];
 }
 
-const OperatorWrapper = styled(EuiFlexItem)`
-  align-self: center;
-`;
-
 const fieldDescribedByIds = ['detectionEngineStepDefineRuleThresholdField'];
 const valueDescribedByIds = ['detectionEngineStepDefineRuleThresholdValue'];
 const cardinalityFieldDescribedByIds = ['detectionEngineStepDefineRuleThresholdCardinalityField'];
@@ -56,7 +49,6 @@ const ThresholdInputComponent: React.FC<ThresholdInputProps> = ({
       options: browserFields.map((field) => ({ label: field.name })),
       placeholder: THRESHOLD_FIELD_PLACEHOLDER,
       onCreateOption: undefined,
-      style: { width: `${FIELD_COMBO_BOX_WIDTH}px` },
     }),
     [browserFields]
   );
@@ -67,16 +59,15 @@ const ThresholdInputComponent: React.FC<ThresholdInputProps> = ({
       options: browserFields.map((field) => ({ label: field.name })),
       placeholder: THRESHOLD_FIELD_PLACEHOLDER,
       onCreateOption: undefined,
-      style: { width: `${FIELD_COMBO_BOX_WIDTH}px` },
       singleSelection: { asPlainText: true },
     }),
     [browserFields]
   );
 
   return (
-    <EuiFlexGroup direction="column" style={{ marginLeft: 0 }}>
-      <EuiFlexGroup>
-        <EuiFlexItem grow={false}>
+    <EuiFlexGroup direction="column" className={styles.mainContainer}>
+      <EuiFlexGroup className={styles.fieldSection}>
+        <EuiFlexItem className={styles.dropdownContainer}>
           <Field
             field={thresholdField}
             idAria={fieldDescribedByIds[0]}
@@ -86,8 +77,8 @@ const ThresholdInputComponent: React.FC<ThresholdInputProps> = ({
             euiFieldProps={fieldEuiFieldProps}
           />
         </EuiFlexItem>
-        <OperatorWrapper grow={false}>{'>='}</OperatorWrapper>
-        <EuiFlexItem grow={false}>
+        <EuiFlexItem className={styles.operatorContainer}>{'>='}</EuiFlexItem>
+        <EuiFlexItem className={styles.input}>
           <Field
             field={thresholdValue}
             idAria={valueDescribedByIds[0]}
@@ -97,8 +88,8 @@ const ThresholdInputComponent: React.FC<ThresholdInputProps> = ({
           />
         </EuiFlexItem>
       </EuiFlexGroup>
-      <EuiFlexGroup>
-        <EuiFlexItem grow={false}>
+      <EuiFlexGroup className={styles.fieldSection}>
+        <EuiFlexItem className={styles.dropdownContainer}>
           <Field
             field={thresholdCardinalityField}
             idAria={cardinalityFieldDescribedByIds[0]}
@@ -108,8 +99,8 @@ const ThresholdInputComponent: React.FC<ThresholdInputProps> = ({
             euiFieldProps={cardinalityFieldEuiProps}
           />
         </EuiFlexItem>
-        <OperatorWrapper grow={false}>{'>='}</OperatorWrapper>
-        <EuiFlexItem grow={false}>
+        <EuiFlexItem className={styles.operatorContainer}>{'>='}</EuiFlexItem>
+        <EuiFlexItem className={styles.input}>
           <Field
             field={thresholdCardinalityValue}
             idAria={cardinalityValueDescribedByIds[0]}
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/threshold_input/styles.ts b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/threshold_input/styles.ts
new file mode 100644
index 0000000000000..f37b6a5816272
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/threshold_input/styles.ts
@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { css, cx } from '@emotion/css';
+import { euiThemeVars } from '@kbn/ui-theme';
+
+const CONTAINER_BREAKPOINT = 500;
+
+export const mainContainer = css`
+  container-type: inline-size;
+`;
+
+const baseStyle = css`
+  flex-basis: 100%;
+`;
+
+export const dropdownContainer = cx(
+  baseStyle,
+  css`
+    @container (min-width: ${CONTAINER_BREAKPOINT}px) {
+      flex: 1;
+      min-width: 0; /* Allows the dropdown to shrink */
+    }
+  `
+);
+
+export const operatorContainer = cx(
+  baseStyle,
+  css`
+    justify-content: center;
+    text-align: center;
+
+    @container (min-width: ${CONTAINER_BREAKPOINT}px) {
+      margin-top: ${euiThemeVars.euiSizeXL};
+      justify-content: flex-start;
+      flex: 0 0 auto;
+    }
+  `
+);
+
+export const input = cx(
+  baseStyle,
+  css`
+    @container (min-width: ${CONTAINER_BREAKPOINT}px) {
+      flex: 0 0 150px;
+    }
+  `
+);
+
+export const fieldSection = css`
+  gap: ${euiThemeVars.euiSizeS};
+  flex-wrap: wrap;
+
+  @container (min-width: ${CONTAINER_BREAKPOINT}px) {
+    flex-wrap: nowrap;
+    gap: ${euiThemeVars.euiSizeL};
+  }
+`;
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/index.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/index.tsx
index 4bf634595a9db..ac70dabc1006d 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/index.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/index.tsx
@@ -550,7 +550,6 @@ const CreateRulePageComponent: React.FC = () => {
             shouldLoadQueryDynamically={defineStepData.shouldLoadQueryDynamically}
             queryBarTitle={defineStepData.queryBar.title}
             queryBarSavedId={defineStepData.queryBar.saved_id}
-            thresholdFields={defineStepData.threshold.field}
           />
           <NextStep
             dataTestSubj="define-continue"
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_editing/index.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_editing/index.tsx
index 3327e45bd2bb7..dc0c9ac6409f1 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_editing/index.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_editing/index.tsx
@@ -245,7 +245,6 @@ const EditRulePageComponent: FC<{ rule: RuleResponse }> = ({ rule }) => {
                   shouldLoadQueryDynamically={defineStepData.shouldLoadQueryDynamically}
                   queryBarTitle={defineStepData.queryBar.title}
                   queryBarSavedId={defineStepData.queryBar.saved_id}
-                  thresholdFields={defineStepData.threshold.field}
                 />
               )}
               <EuiSpacer />
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/anomaly_threshold/anomaly_threshold_adapter.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/anomaly_threshold/anomaly_threshold_adapter.tsx
new file mode 100644
index 0000000000000..b12d4ddb995ef
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/anomaly_threshold/anomaly_threshold_adapter.tsx
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { AnomalyThresholdEdit } from '../../../../../../../rule_creation/components/anomaly_threshold_edit';
+
+export function AnomalyThresholdAdapter(): JSX.Element {
+  return <AnomalyThresholdEdit path="anomaly_threshold" />;
+}
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/anomaly_threshold/anomaly_threshold_form.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/anomaly_threshold/anomaly_threshold_form.tsx
new file mode 100644
index 0000000000000..1fb1612a64811
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/anomaly_threshold/anomaly_threshold_form.tsx
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { RuleFieldEditFormWrapper } from '../../../field_final_side';
+import { AnomalyThresholdAdapter } from './anomaly_threshold_adapter';
+
+export function AnomalyThresholdForm(): JSX.Element {
+  return (
+    <RuleFieldEditFormWrapper component={AnomalyThresholdAdapter} ruleFieldFormSchema={schema} />
+  );
+}
+
+const schema = {};
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/machine_learning_job_id/machine_learning_job_id_adapter.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/machine_learning_job_id/machine_learning_job_id_adapter.tsx
new file mode 100644
index 0000000000000..e187a1b3a283e
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/machine_learning_job_id/machine_learning_job_id_adapter.tsx
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { MachineLearningJobIdEdit } from '../../../../../../../rule_creation/components/machine_learning_job_id_edit';
+
+export function MachineLearningJobIdAdapter(): JSX.Element {
+  return <MachineLearningJobIdEdit path="machine_learning_job_id" shouldShowHelpText={false} />;
+}
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/machine_learning_job_id/machine_learning_job_id_form.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/machine_learning_job_id/machine_learning_job_id_form.tsx
new file mode 100644
index 0000000000000..404666a986327
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/machine_learning_job_id/machine_learning_job_id_form.tsx
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import type { FormData } from '../../../../../../../../shared_imports';
+import { type MachineLearningJobId } from '../../../../../../../../../common/api/detection_engine';
+import { RuleFieldEditFormWrapper } from '../../../field_final_side';
+import { normalizeMachineLearningJobId } from '../../../../../../../../common/utils/normalize_machine_learning_job_id';
+import { MachineLearningJobIdAdapter } from './machine_learning_job_id_adapter';
+
+interface MachineLearningJobIdFormData {
+  machine_learning_job_id: MachineLearningJobId;
+}
+
+export function MachineLearningJobIdForm(): JSX.Element {
+  return (
+    <RuleFieldEditFormWrapper
+      component={MachineLearningJobIdAdapter}
+      ruleFieldFormSchema={schema}
+      deserializer={deserializer}
+    />
+  );
+}
+
+function deserializer(defaultValue: FormData): MachineLearningJobIdFormData {
+  return {
+    machine_learning_job_id: normalizeMachineLearningJobId(defaultValue.machine_learning_job_id),
+  };
+}
+
+const schema = {};
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/threshold/threshold_adapter.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/threshold/threshold_adapter.tsx
new file mode 100644
index 0000000000000..6eba36d57c9b9
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/threshold/threshold_adapter.tsx
@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { useDiffableRuleDataView } from '../hooks/use_diffable_rule_data_view';
+import type { DiffableRule } from '../../../../../../../../../common/api/detection_engine';
+import { ThresholdEdit } from '../../../../../../../rule_creation/components/threshold_edit';
+
+interface ThresholdAdapterProps {
+  finalDiffableRule: DiffableRule;
+}
+
+export function ThresholdAdapter({ finalDiffableRule }: ThresholdAdapterProps): JSX.Element {
+  const { dataView } = useDiffableRuleDataView(finalDiffableRule);
+
+  const esFields = dataView?.fields ?? [];
+
+  return <ThresholdEdit path="threshold" esFields={esFields} />;
+}
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/threshold/threshold_edit_form.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/threshold/threshold_edit_form.tsx
new file mode 100644
index 0000000000000..6ba9198a74392
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/threshold/threshold_edit_form.tsx
@@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import type { FormData } from '../../../../../../../../shared_imports';
+import { RuleFieldEditFormWrapper } from '../../../field_final_side';
+import { ThresholdAdapter } from './threshold_adapter';
+import type { FieldValueThreshold } from '../../../../../../../rule_creation_ui/components/threshold_input';
+import type { Threshold } from '../../../../../../../../../common/api/detection_engine';
+import { normalizeThresholdField } from '../../../../../../../../../common/detection_engine/utils';
+
+export function ThresholdEditForm(): JSX.Element {
+  return (
+    <RuleFieldEditFormWrapper
+      component={ThresholdAdapter}
+      ruleFieldFormSchema={schema}
+      deserializer={deserializer}
+      serializer={serializer}
+    />
+  );
+}
+
+interface ThresholdFormData {
+  threshold: FieldValueThreshold;
+}
+
+function deserializer(defaultValue: FormData): ThresholdFormData {
+  const threshold: Threshold = defaultValue.threshold;
+
+  const deserializedThreshold: FieldValueThreshold = {
+    field: normalizeThresholdField(threshold.field),
+    value: `${threshold?.value ?? 100}`,
+  };
+
+  if (threshold.cardinality?.length) {
+    deserializedThreshold.cardinality = {
+      field: [`${threshold.cardinality[0].field}`],
+      value: `${threshold.cardinality[0].value}`,
+    };
+  }
+
+  return { threshold: deserializedThreshold };
+}
+
+function serializer(formData: FormData): { threshold: Threshold } {
+  const threshold: FieldValueThreshold = formData.threshold;
+
+  const serializedThreshold: Threshold = {
+    field: threshold.field,
+    value: Number.parseInt(threshold.value, 10),
+  };
+
+  if (threshold.cardinality?.field?.length) {
+    serializedThreshold.cardinality = [
+      {
+        field: threshold.cardinality.field[0],
+        value: Number.parseInt(threshold.cardinality.value, 10),
+      },
+    ];
+  }
+
+  return { threshold: serializedThreshold };
+}
+
+const schema = {};
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/machine_learning_rule_field_edit.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/machine_learning_rule_field_edit.tsx
index 52b214b6a97dc..9563c64da7da1 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/machine_learning_rule_field_edit.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/machine_learning_rule_field_edit.tsx
@@ -7,7 +7,10 @@
 
 import React from 'react';
 import type { UpgradeableMachineLearningFields } from '../../../../model/prebuilt_rule_upgrade/fields';
+import { AnomalyThresholdForm } from './fields/anomaly_threshold/anomaly_threshold_form';
 import { AlertSuppressionEditForm } from './fields/alert_suppression';
+import { MachineLearningJobIdForm } from './fields/machine_learning_job_id/machine_learning_job_id_form';
+import { assertUnreachable } from '../../../../../../../common/utility_types';
 
 interface MachineLearningRuleFieldEditProps {
   fieldName: UpgradeableMachineLearningFields;
@@ -17,7 +20,11 @@ export function MachineLearningRuleFieldEdit({ fieldName }: MachineLearningRuleF
   switch (fieldName) {
     case 'alert_suppression':
       return <AlertSuppressionEditForm />;
+    case 'anomaly_threshold':
+      return <AnomalyThresholdForm />;
+    case 'machine_learning_job_id':
+      return <MachineLearningJobIdForm />;
     default:
-      return null; // Will be replaced with `assertUnreachable(fieldName)` once all fields are implemented
+      return assertUnreachable(fieldName);
   }
 }
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/threshold_rule_field_edit.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/threshold_rule_field_edit.tsx
index ad9efe076b5bc..bbf6d765fc3a8 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/threshold_rule_field_edit.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/threshold_rule_field_edit.tsx
@@ -10,6 +10,8 @@ import type { UpgradeableThresholdFields } from '../../../../model/prebuilt_rule
 import { KqlQueryEditForm } from './fields/kql_query';
 import { DataSourceEditForm } from './fields/data_source';
 import { ThresholdAlertSuppressionEditForm } from './fields/threshold_alert_suppression';
+import { ThresholdEditForm } from './fields/threshold/threshold_edit_form';
+import { assertUnreachable } from '../../../../../../../common/utility_types';
 
 interface ThresholdRuleFieldEditProps {
   fieldName: UpgradeableThresholdFields;
@@ -17,13 +19,15 @@ interface ThresholdRuleFieldEditProps {
 
 export function ThresholdRuleFieldEdit({ fieldName }: ThresholdRuleFieldEditProps) {
   switch (fieldName) {
-    case 'kql_query':
-      return <KqlQueryEditForm />;
-    case 'data_source':
-      return <DataSourceEditForm />;
     case 'alert_suppression':
       return <ThresholdAlertSuppressionEditForm />;
+    case 'data_source':
+      return <DataSourceEditForm />;
+    case 'kql_query':
+      return <KqlQueryEditForm />;
+    case 'threshold':
+      return <ThresholdEditForm />;
     default:
-      return null; // Will be replaced with `assertUnreachable(fieldName)` once all fields are implemented
+      return assertUnreachable(fieldName);
   }
 }
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx b/x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx
index b244ecba07941..4136b21e96106 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx
@@ -47,6 +47,7 @@ import { DataSourceType, AlertSuppressionDurationType } from './types';
 import { severityOptions } from '../../../../detection_engine/rule_creation_ui/components/step_about_rule/data';
 import { DEFAULT_SUPPRESSION_MISSING_FIELDS_STRATEGY } from '../../../../../common/detection_engine/constants';
 import type { RuleAction, RuleResponse } from '../../../../../common/api/detection_engine';
+import { normalizeMachineLearningJobId } from '../../../../common/utils/normalize_machine_learning_job_id';
 import { convertDateMathToDuration } from '../../../../common/utils/date_math';
 import { DEFAULT_HISTORY_WINDOW_SIZE } from '../../../../common/constants';
 
@@ -99,9 +100,7 @@ export const getActionsStepsData = (
 
 export const getMachineLearningJobId = (rule: RuleResponse): string[] | undefined => {
   if (rule.type === 'machine_learning') {
-    return typeof rule.machine_learning_job_id === 'string'
-      ? [rule.machine_learning_job_id]
-      : rule.machine_learning_job_id;
+    return normalizeMachineLearningJobId(rule.machine_learning_job_id);
   }
   return undefined;
 };
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts b/x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts
index 3cfbf6e0fd5e7..b7c23ced9d895 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts
@@ -152,7 +152,7 @@ export interface DefineStepRule {
   anomalyThreshold: number;
   index: string[];
   indexPattern?: DataViewBase;
-  machineLearningJobId: string[];
+  machineLearningJobId?: string[];
   queryBar: FieldValueQueryBar;
   dataViewId?: string;
   dataViewTitle?: string;