From 978a8d9df87de90c6276bc1dfddca215e4451469 Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Wed, 22 Jul 2020 19:31:09 -0400
Subject: [PATCH] [Bug] Set threshold.field to empty string instead of null (#87)
---
 detection_rules/schema.py | 2 +-
 .../aws/credential_access_aws_iam_assume_role_brute_force.toml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/detection_rules/schema.py b/detection_rules/schema.py
index ef1e5f704..bf77eb666 100644
--- a/detection_rules/schema.py
+++ b/detection_rules/schema.py
@@ -107,7 +107,7 @@ class SeverityMapping(jsl.Document):
 class ThresholdMapping(jsl.Document):
 """Threshold mapping."""
- field = jsl.StringField(required=False)
+ field = jsl.StringField(required=True, default="")
 value = jsl.IntField(minimum=1, required=True)
diff --git a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
index 9ddb35312..f444650a7 100644
--- a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -48,4 +48,5 @@ name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
+field = ""
 value = 25
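Review bot: On the new `field = jsl.StringField(required=True, default="")` line, `required=True` and `default=""` pull in different directions. JSON Schema validators normally treat `default` as an annotation and do not fill it in, so unless the rule loader applies defaults itself (not visible in this hunk) a threshold rule that omits `field` will now fail validation instead of receiving `""`. That would explain why the TOML file in this patch gains an explicit `field = ""`. If every threshold rule must now spell the key out, record that next to the field, e.g. `# must always be present; use "" (never null/omitted) when there is no threshold field`. If omission should stay legal in rule files, the default has to be applied where rules are loaded rather than only declared in the schema.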
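Review bot: The added `field = ""` under `[rule.threshold]` leaves the threshold of 25 without a grouping field, and nothing in the file says this is deliberate. As I understand threshold rules, all matching events in the rule interval are then counted together rather than per caller or per role. The rule's query and interval sit outside this hunk, so that cannot be confirmed here. A one-line comment above the key would document the choice for whoever tunes the rule later, e.g. `# empty field: count all matching events together, no per-entity grouping`. If per-entity counting is ever wanted to cut noise from busy accounts, an ECS field such as `source.ip` or `user.name` would replace the empty string.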