diff --git a/detection_rules/schema.py b/detection_rules/schema.py
index ef1e5f704..bf77eb666 100644
--- a/detection_rules/schema.py
+++ b/detection_rules/schema.py
@@ -107,7 +107,7 @@ class SeverityMapping(jsl.Document):
 class ThresholdMapping(jsl.Document):
 """Threshold mapping."""
- field = jsl.StringField(required=False)
+ field = jsl.StringField(required=True, default="")
 value = jsl.IntField(minimum=1, required=True)
diff --git a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
index 9ddb35312..f444650a7 100644
--- a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -48,4 +48,5 @@ name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
+field = ""
 value = 25
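Review bot: `required=True` combined with `default=""` on `ThresholdMapping.field` will probably reject any threshold rule that omits the key, because a JSON Schema `default` is normally an annotation that validators do not fill in. That would explain why the rule file in this same commit had to gain an explicit `field = ""`. It is worth confirming that no other rule with a `[rule.threshold]` table still lacks `field`, which this hunk cannot show. The intent should also be recorded next to the field, for example `# always emitted; "" means the count is not grouped by any field`, so a later reader does not take the empty default for a placeholder. The class may continue past the end of the hunk.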
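Review bot: The new `field = ""` line under `[rule.threshold]` carries no explanation of what an empty group-by means for this rule. As far as the hunk shows, the threshold of 25 is then counted over all matching events rather than per principal or per source address, so an analyst cannot tell from the alert whether one caller failed 25 times or many callers failed once each. If that is deliberate, a comment above the key would record it, for example `# intentionally ungrouped: threshold counts all matching events, not per user or source`. The rule's query and the rest of the file are outside the hunk, so whether a grouping field would suit it better needs checking against them.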