From ce71d12d3202b3aebf225f4d32619f33afd75464 Mon Sep 17 00:00:00 2001
From: Paul Tavares <56442535+paul-tavares@users.noreply.github.com>
Date: Tue, 2 Jan 2024 15:16:29 -0500
Subject: [PATCH] [Security Solution][Endpoint] Fix index name pattern in SentinelOne dev. script (#174105)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

- Corrects index name pattern for S1 alerts in the SIEM Rule that the SentinelOne dev script uses 🤦
---
 .../scripts/endpoint/sentinelone_host/common.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security_solution/scripts/endpoint/sentinelone_host/common.ts b/x-pack/plugins/security_solution/scripts/endpoint/sentinelone_host/common.ts
index fe9053795737a9..168d2089d9c1ef 100644
--- a/x-pack/plugins/security_solution/scripts/endpoint/sentinelone_host/common.ts
+++ b/x-pack/plugins/security_solution/scripts/endpoint/sentinelone_host/common.ts
@@ -265,7 +265,7 @@ export const createDetectionEngineSentinelOneRuleIfNeeded = async (
 log: ToolingLog
 ): Promise => {
 const ruleName = 'Promote SentinelOne alerts';
- const sentinelOneAlertsIndexPattern = 'logs-sentinel_one.alert';
+ const sentinelOneAlertsIndexPattern = 'logs-sentinel_one.alert*';
 const ruleQueryValue = 'observer.serial_number:*';
 const { data } = await findRules(kbnClient, {
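Review bot: The new pattern `'logs-sentinel_one.alert*'` on the added line matches any index whose name merely begins with `logs-sentinel_one.alert`, not only the alert data stream; if the intent is the `logs-sentinel_one.alert-<namespace>` data streams, the tighter `const sentinelOneAlertsIndexPattern = 'logs-sentinel_one.alert-*';` keeps unrelated datasets with a similar prefix out of the rule's scope. Whether such sibling datasets exist cannot be seen from this hunk, so this is a precision point rather than a defect. The body of createDetectionEngineSentinelOneRuleIfNeeded continues past the end of the hunk.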