diff --git a/x-pack/plugins/security_solution/scripts/endpoint/sentinelone_host/common.ts b/x-pack/plugins/security_solution/scripts/endpoint/sentinelone_host/common.ts
index fe9053795737a9..168d2089d9c1ef 100644
--- a/x-pack/plugins/security_solution/scripts/endpoint/sentinelone_host/common.ts
+++ b/x-pack/plugins/security_solution/scripts/endpoint/sentinelone_host/common.ts
@@ -265,7 +265,7 @@ export const createDetectionEngineSentinelOneRuleIfNeeded = async (
 log: ToolingLog
 ): Promise => {
 const ruleName = 'Promote SentinelOne alerts';
- const sentinelOneAlertsIndexPattern = 'logs-sentinel_one.alert';
+ const sentinelOneAlertsIndexPattern = 'logs-sentinel_one.alert*';
 const ruleQueryValue = 'observer.serial_number:*';
 const { data } = await findRules(kbnClient, {
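Review bot: The pattern on the added line, `'logs-sentinel_one.alert*'`, is wider than it needs to be: with no dash before the wildcard it matches every index whose name starts with that prefix, not only the namespaced streams of this one dataset. Whether another index with that prefix exists is not visible here, but a rule that promotes alerts should read only the dataset it is written for. If nothing is written to the bare name, `const sentinelOneAlertsIndexPattern = 'logs-sentinel_one.alert-*';` keeps the scope tight. A one-line comment such as `// data streams are named logs-<dataset>-<namespace>; match every namespace` would record why the wildcard is there. The body of createDetectionEngineSentinelOneRuleIfNeeded continues outside the hunk, so how the pattern is passed to the rule is not checked here.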