diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
index b69886d2d..620bfeb2a 100644
--- a/rules/ml/ml_linux_anomalous_network_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -14,14 +14,13 @@ activity can denote process exploitation or injection, where the process is used
 allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.
 """
-false_positives = ["A newly installed program or one that rarely uses the network could trigger this signal."]
 from = "now-45m"
 interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "linux_anomalous_network_activity_ecs"
 name = "Unusual Linux Network Activity"
 note = """### Investigating Unusual Network Activity ###
-Signals from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:
+Detection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:
 - Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?
 - If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.
 - Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index 462dcc463..fd4a76708 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
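Review bot: The `false_positives` entry in ml_linux_anomalous_network_activity.toml is removed outright (`-false_positives = [...]` with no `+` counterpart, and the hunk header shrinks from 14 to 13 lines), while every other rule in this commit, including the Windows counterpart, rewords the same sentence to end in `alert`. This looks like an accidental deletion rather than a decision to drop the false-positive guidance for this rule. Restore it directly after the removed line as `false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]`. The `note` multi-line string continues past the end of the hunk.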
@@ -12,7 +12,7 @@ Identifies unusual destination port activity that can indicate command-and-contr
 exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.
 """
-false_positives = ["A newly installed program or one that rarely uses the network could trigger this signal."]
+false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
 from = "now-45m"
 interval = "15m"
 license = "Elastic License"
diff --git a/rules/ml/ml_linux_anomalous_network_service.toml b/rules/ml/ml_linux_anomalous_network_service.toml
index 3b2ebc8e1..ee33fcf62 100644
--- a/rules/ml/ml_linux_anomalous_network_service.toml
+++ b/rules/ml/ml_linux_anomalous_network_service.toml
@@ -11,7 +11,7 @@ description = """
 Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.
 """
-false_positives = ["A newly installed program or one that rarely uses the network could trigger this signal."]
+false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
 from = "now-45m"
 interval = "15m"
 license = "Elastic License"
diff --git a/rules/ml/ml_linux_anomalous_network_url_activity.toml b/rules/ml/ml_linux_anomalous_network_url_activity.toml
index 5316e7a6d..4b0ec7424 100644
--- a/rules/ml/ml_linux_anomalous_network_url_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_url_activity.toml
@@ -17,7 +17,7 @@ additional software and code. For these reasons, unusual URLs can indicate unaut
 false_positives = [
 """
 A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting
- could trigger this signal.
+ could trigger this alert.
 """,
 ]
 from = "now-45m"
diff --git a/rules/ml/ml_linux_anomalous_process_all_hosts.toml b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
index e82034bb8..d67356282 100644
--- a/rules/ml/ml_linux_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
@@ -15,7 +15,7 @@ to all or many hosts in a fleet.
 false_positives = [
 """
 A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
- signal.
+ alert.
 """,
 ]
 from = "now-45m"
@@ -24,7 +24,7 @@ license = "Elastic License"
 machine_learning_job_id = "linux_anomalous_process_all_hosts_ecs"
 name = "Anomalous Process For a Linux Population"
 note = """### Investigating an Unusual Linux Process ###
-Signals from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:
+Detection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
diff --git a/rules/ml/ml_linux_anomalous_user_name.toml b/rules/ml/ml_linux_anomalous_user_name.toml
index 0ea17fc3b..9262782fa 100644
--- a/rules/ml/ml_linux_anomalous_user_name.toml
+++ b/rules/ml/ml_linux_anomalous_user_name.toml
@@ -29,7 +29,7 @@ license = "Elastic License"
 machine_learning_job_id = "linux_anomalous_user_name_ecs"
 name = "Unusual Linux Username"
 note = """### Investigating an Unusual Linux User ###
-Signals from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:
+Detection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?
 - Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing."""
diff --git a/rules/ml/ml_packetbeat_dns_tunneling.toml b/rules/ml/ml_packetbeat_dns_tunneling.toml
index d954e9961..994c1ba7a 100644
--- a/rules/ml/ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/ml_packetbeat_dns_tunneling.toml
@@ -16,7 +16,7 @@ data.
 false_positives = [
 """
 DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger
- this signal and such parent domains can be excluded.
+ this alert and such parent domains can be excluded.
 """,
 ]
 from = "now-45m"
diff --git a/rules/ml/ml_packetbeat_rare_dns_question.toml b/rules/ml/ml_packetbeat_rare_dns_question.toml
index cc205b033..38f054d8f 100644
--- a/rules/ml/ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/ml_packetbeat_rare_dns_question.toml
@@ -17,9 +17,9 @@ uses for command-and-control communication.
 false_positives = [
 """
 A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
- signal. Network activity that occurs rarely, in small quantities, can trigger this signal. Possible examples are
+ alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are
 browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may
- trigger this signal.
+ trigger this alert.
 """,
 ]
 from = "now-45m"
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index 6c77bc97d..76531770f 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -16,9 +16,9 @@ command-and-control communication.
 """
 false_positives = [
 """
- Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing
+ Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing
 technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may
- trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may
+ trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may
 trigger this when they are used sparsely. Web domains can be excluded in cases such as these.
 """,
 ]
diff --git a/rules/ml/ml_packetbeat_rare_urls.toml b/rules/ml/ml_packetbeat_rare_urls.toml
index 7414a22cf..af4c20fed 100644
--- a/rules/ml/ml_packetbeat_rare_urls.toml
+++ b/rules/ml/ml_packetbeat_rare_urls.toml
@@ -19,9 +19,9 @@ which are part of common Internet background traffic.
 """
 false_positives = [
 """
- Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing
+ Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing
 technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may
- trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may
+ trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may
 trigger this when they are used sparsely. Web domains can be excluded in cases such as these.
 """,
 ]
diff --git a/rules/ml/ml_packetbeat_rare_user_agent.toml b/rules/ml/ml_packetbeat_rare_user_agent.toml
index 0e67b8ec0..5fb51e7f9 100644
--- a/rules/ml/ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/ml_packetbeat_rare_user_agent.toml
@@ -19,8 +19,8 @@ activity.
 """
 false_positives = [
 """
- Web activity that is uncommon, like security scans, may trigger this signal and may need to be excluded. A new or
- rarely used program that calls web services may trigger this signal.
+ Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or
+ rarely used program that calls web services may trigger this alert.
 """,
 ]
 from = "now-45m"
diff --git a/rules/ml/ml_rare_process_by_host_linux.toml b/rules/ml/ml_rare_process_by_host_linux.toml
index 5a6f9bff3..cf734c3a5 100644
--- a/rules/ml/ml_rare_process_by_host_linux.toml
+++ b/rules/ml/ml_rare_process_by_host_linux.toml
@@ -15,7 +15,7 @@ with other processes running on the host.
 false_positives = [
 """
 A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
- signal.
+ alert.
 """,
 ]
 from = "now-45m"
@@ -24,7 +24,7 @@ license = "Elastic License"
 machine_learning_job_id = "rare_process_by_host_linux_ecs"
 name = "Unusual Process For a Linux Host"
 note = """### Investigating an Unusual Linux Process ###
-Signals from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:
+Detection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
diff --git a/rules/ml/ml_rare_process_by_host_windows.toml b/rules/ml/ml_rare_process_by_host_windows.toml
index b9578a18b..a22bbb548 100644
--- a/rules/ml/ml_rare_process_by_host_windows.toml
+++ b/rules/ml/ml_rare_process_by_host_windows.toml
@@ -15,7 +15,7 @@ with other processes running on the host.
 false_positives = [
 """
 A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
- signal.
+ alert.
 """,
 ]
 from = "now-45m"
@@ -24,7 +24,7 @@ license = "Elastic License"
 machine_learning_job_id = "rare_process_by_host_windows_ecs"
 name = "Unusual Process For a Windows Host"
 note = """### Investigating an Unusual Windows Process ###
-Signals from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:
+Detection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.
diff --git a/rules/ml/ml_suspicious_login_activity.toml b/rules/ml/ml_suspicious_login_activity.toml
index c345827ae..16abe4885 100644
--- a/rules/ml/ml_suspicious_login_activity.toml
+++ b/rules/ml/ml_suspicious_login_activity.toml
@@ -10,8 +10,8 @@ author = ["Elastic"]
 description = "Identifies an unusually high number of authentication attempts."
 false_positives = [
 """
- Security audits may trigger this signal. Conditions that generate bursts of failed logins, such as misconfigured
- applications or account lockouts could trigger this signal.
+ Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured
+ applications or account lockouts could trigger this alert.
 """,
 ]
 from = "now-45m"
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 1d5841086..1b032b058 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -14,14 +14,14 @@ network activity can denote process exploitation or injection, where the process
 that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.
 """
-false_positives = ["A newly installed program or one that rarely uses the network could trigger this signal."]
+false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
 from = "now-45m"
 interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_network_activity_ecs"
 name = "Unusual Windows Network Activity"
 note = """### Investigating Unusual Network Activity ###
-Signals from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:
+Detection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:
 - Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?
 - If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.
 - Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?
diff --git a/rules/ml/ml_windows_anomalous_path_activity.toml b/rules/ml/ml_windows_anomalous_path_activity.toml
index a1e877f55..2788588fc 100644
--- a/rules/ml/ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/ml_windows_anomalous_path_activity.toml
@@ -16,8 +16,8 @@ a user downloaded software directly from the Internet or a malicious script or m
 false_positives = [
 """
 A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting
- could trigger this signal. Users downloading and running programs from unusual locations, such as temporary
- directories, browser caches, or profile paths could trigger this signal.
+ could trigger this alert. Users downloading and running programs from unusual locations, such as temporary
+ directories, browser caches, or profile paths could trigger this alert.
 """,
 ]
 from = "now-45m"
diff --git a/rules/ml/ml_windows_anomalous_process_all_hosts.toml b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
index e92ed7533..6b464ac98 100644
--- a/rules/ml/ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
@@ -15,7 +15,7 @@ or many hosts in a fleet.
 false_positives = [
 """
 A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
- signal.
+alert.
 """,
 ]
 from = "now-45m"
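Review bot: In the ml_windows_anomalous_process_all_hosts.toml hunk (`@@ -15,7 +15,7 @@`) the replacement line is `+alert.` at column 0, whereas the removed `signal.` line and the identical replacement in every other rule of this commit keep the continuation line's leading indent (shown collapsed to a single space in this view). Inside a `"""` multi-line basic string that leading whitespace is part of the value, so this rule's `false_positives` text now differs from its siblings, and a formatter pass over the rules would presumably reindent it anyway. Indent `alert.` with the same leading whitespace as the `could trigger this` line above it.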
@@ -24,10 +24,10 @@ license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_process_all_hosts_ecs"
 name = "Anomalous Process For a Windows Population"
 note = """### Investigating an Unusual Windows Process ###
-Signals from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:
+Detection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
-- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.
+- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.
 - Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
 - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.
 """
@@ -37,4 +37,3 @@ rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172"
 severity = "low"
 tags = ["Elastic", "ML", "Windows"]
 type = "machine_learning"
-
diff --git a/rules/ml/ml_windows_anomalous_process_creation.toml b/rules/ml/ml_windows_anomalous_process_creation.toml
index be6e92bc2..ac7a6d2a6 100644
--- a/rules/ml/ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/ml_windows_anomalous_process_creation.toml
@@ -17,9 +17,9 @@ a method of detecting new and emerging malware that is not yet recognized by ant
 """
 false_positives = [
 """
- Users running scripts in the course of technical support operations of software upgrades could trigger this signal.
+ Users running scripts in the course of technical support operations of software upgrades could trigger this alert.
 A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
- signal.
+ alert.
 """,
 ]
 from = "now-45m"
diff --git a/rules/ml/ml_windows_anomalous_script.toml b/rules/ml/ml_windows_anomalous_script.toml
index f2e2366e1..119f2c399 100644
--- a/rules/ml/ml_windows_anomalous_script.toml
+++ b/rules/ml/ml_windows_anomalous_script.toml
@@ -13,8 +13,8 @@ a characteristic of malicious PowerShell script text blocks.
 """
 false_positives = [
 """
- Certain kinds of security testing may trigger this signal. PowerShell scripts that use high levels of obfuscation or
- have unusual script block payloads may trigger this signal.
+ Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or
+ have unusual script block payloads may trigger this alert.
 """,
 ]
 from = "now-45m"
diff --git a/rules/ml/ml_windows_anomalous_service.toml b/rules/ml/ml_windows_anomalous_service.toml
index e968af065..093e1a57b 100644
--- a/rules/ml/ml_windows_anomalous_service.toml
+++ b/rules/ml/ml_windows_anomalous_service.toml
@@ -15,7 +15,7 @@ services. This job helps detect malware and persistence mechanisms that have bee
 false_positives = [
 """
 A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
- signal.
+ alert.
 """,
 ]
 from = "now-45m"
diff --git a/rules/ml/ml_windows_anomalous_user_name.toml b/rules/ml/ml_windows_anomalous_user_name.toml
index abdb12a4e..a0eed4cb9 100644
--- a/rules/ml/ml_windows_anomalous_user_name.toml
+++ b/rules/ml/ml_windows_anomalous_user_name.toml
@@ -29,7 +29,7 @@ license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_user_name_ecs"
 name = "Unusual Windows Username"
 note = """### Investigating an Unusual Windows User ###
-Signals from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:
+Detection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?
 - Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.
diff --git a/rules/ml/ml_windows_rare_user_type10_remote_login.toml b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
index 85e17ebbe..24fb237b0 100644
--- a/rules/ml/ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
@@ -24,7 +24,7 @@ license = "Elastic License"
 machine_learning_job_id = "windows_rare_user_type10_remote_login"
 name = "Unusual Windows Remote User"
 note = """### Investigating an Unusual Windows User ###
-Signals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
+Detection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
 - Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]