From 2975441472a4b0d3b768e5f257e5b3cdc0314a0b Mon Sep 17 00:00:00 2001 From: Justin Ibarra Date: Thu, 15 Apr 2021 12:08:45 -0500 Subject: [PATCH] [Detection Rules] Remove empty values in threshold.field array for threshold rules (#97111) ## Issues related to https://github.com/elastic/detection-rules/issues/1097 related to https://github.com/elastic/detection-rules/pull/1099 ## Summary `threshold.field` is an array that currently requires at least one value. An empty string `""` was required if no value was supplied. Instead, this needs to be replaced with no string and just an empty array. ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) --- .../credential_access_aws_iam_assume_role_brute_force.json | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json index 623170d16881..d4fe403f5870 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json @@ -46,11 +46,9 @@ } ], "threshold": { - "field": [ - "" - ], + "field": [], "value": 25 }, "type": "threshold", - "version": 3 + "version": 4 }