diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.test.ts
index 55cd7b942b3d8..49f70eafd7d3a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.test.ts
@@ -137,6 +137,52 @@ describe('get_filter', () => {
 });
 });
 
+ test('returns the query persisted to the threat_match rule, despite saved_id being specified', async () => {
+ const filter = await getFilter({
+ type: 'threat_match',
+ filters: undefined,
+ language: 'kuery',
+ query: 'host.name: siem',
+ savedId: 'some-id',
+ services: servicesMock,
+ index: ['auditbeat-*'],
+ lists: [],
+ });
+ expect(filter).toEqual({
+ bool: {
+ filter: [
+ { bool: { minimum_should_match: 1, should: [{ match: { 'host.name': 'siem' } }] } },
+ ],
+ must: [],
+ must_not: [],
+ should: [],
+ },
+ });
+ });
+
+ test('returns the query persisted to the threshold rule, despite saved_id being specified', async () => {
+ const filter = await getFilter({
+ type: 'threat_match',
+ filters: undefined,
+ language: 'kuery',
+ query: 'host.name: siem',
+ savedId: 'some-id',
+ services: servicesMock,
+ index: ['auditbeat-*'],
+ lists: [],
+ });
+ expect(filter).toEqual({
+ bool: {
+ filter: [
+ { bool: { minimum_should_match: 1, should: [{ match: { 'host.name': 'siem' } }] } },
+ ],
+ must: [],
+ must_not: [],
+ should: [],
+ },
+ });
+ });
+
 test('throws on saved query if saved_id is undefined', async () => {
 await expect(
 getFilter({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.ts
index 346c4adeba537..574020af45c15 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.ts
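Review bot: In get_filter.test.ts, the second added test is titled "returns the query persisted to the threshold rule" but its getFilter call still passes `type: 'threat_match'`, so it duplicates the first test and never exercises the threshold branch that the get_filter.ts change alters. Change that argument to `type: 'threshold',`. Both tests also check only the returned filter; if servicesMock supports it, asserting that no saved-query lookup was made would pin the "saved_id is ignored" behaviour more directly than output equality alone.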
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.ts
@@ -94,9 +94,7 @@ export const getFilter = async ({
 
 switch (type) {
 case 'threat_match':
- case 'threshold': {
- return savedId != null ? savedQueryFilter() : queryFilter();
- }
+ case 'threshold':
 case 'query': {
 return queryFilter();
 }
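Review bot: The `case 'threat_match':` and `case 'threshold':` labels now fall through to `case 'query':`, and nothing at the site says that `savedId` is deliberately ignored for these rule types. This switch decides which query a detection rule actually executes, so a later reader could easily take the fall-through for an accident and restore the saved-query lookup. Add a comment above the labels such as `// threat_match and threshold rules always run the query persisted on the rule; savedId is intentionally not resolved here`. The switch continues outside the hunk, so how the remaining rule types treat `savedId` cannot be confirmed from these lines.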