sure an ML job that queries the metricbeat index and does a low_count partitioned (split) on hostname should do the trick. If the volume of documents ingested by any beat suddenly drops, it will be flagged as anomalous and you can optionally alert upon that.
But, I will say that you probably can build a Watch (similar to what's discussed here) to accomplish it without the need for ML.