diff --git a/rules/ml/ml_linux_anomalous_sudo_activity.toml b/rules/ml/ml_linux_anomalous_sudo_activity.toml
index 9687bc893..ea1f49694 100644
--- a/rules/ml/ml_linux_anomalous_sudo_activity.toml
+++ b/rules/ml/ml_linux_anomalous_sudo_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/09/28"
 
 [rule]
 anomaly_threshold = 75
@@ -27,3 +27,25 @@ rule_id = "1e9fc667-9ff1-4b33-9f40-fefca8537eb0"
 severity = "low"
 tags = ["Elastic", "Linux", "ML"]
 type = "machine_learning"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
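Review bot: The second hunk drops the file's trailing newline — the `\ No newline at end of file` marker follows the last added `reference = "https://attack.mitre.org/tactics/TA0004/"` line, while the old last line `type = "machine_learning"` is shown as context and so did end with one; add a final newline after that last `reference` line so the file stays POSIX-clean and later diffs do not churn this line. On the mapping itself, the parent technique T1548 is attributed under both Defense Evasion (TA0005) and Privilege Escalation (TA0004), which matches ATT&CK, but for a rule that specifically models anomalous sudo activity the sub-technique T1548.003 (Sudo and Sudo Caching) would be the more precise attribution if the rule schema in use at this date accepts sub-techniques — worth confirming before changing. The duplication of the technique block across two `[[rule.threat]]` entries appears to be forced by one `[rule.threat.tactic]` per entry rather than a copy-paste slip, so I would leave it. The enclosing `[rule]` table begins outside this hunk.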