From efd48871c58a71570ae8de37130ee45cd79b9129 Mon Sep 17 00:00:00 2001
From: Konrad Szwarc
Date: Mon, 27 May 2024 14:25:00 +0200
Subject: [PATCH] [EDR Workflows][Osquery] Use newly added action responses data stream (#184209)

Follow up to https://github.com/elastic/kibana/pull/183892 with a commit that got lost during local rebase.
---
 .../factory/actions/results/query.action_results.dsl.ts | 6 +++---
 .../plugins/osquery/server/search_strategy/osquery/index.ts | 2 ++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/results/query.action_results.dsl.ts b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/results/query.action_results.dsl.ts
index 2ed9d406895a55..18a9c4fab8332f 100644
--- a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/results/query.action_results.dsl.ts
+++ b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/results/query.action_results.dsl.ts
@@ -47,11 +47,11 @@ export const buildActionResultsQuery = ({
   let index: string;
   if (useNewDataStream) {
-    index = ACTION_RESPONSES_DATA_STREAM_INDEX;
+    index = `${ACTION_RESPONSES_DATA_STREAM_INDEX}*`;
   } else if (componentTemplateExists) {
-    index = ACTION_RESPONSES_INDEX;
+    index = `${ACTION_RESPONSES_INDEX}*`;
   } else {
-    index = AGENT_ACTIONS_RESULTS_INDEX;
+    index = `${AGENT_ACTIONS_RESULTS_INDEX}*`;
   }
   return {
diff --git a/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts b/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts
index 3cc3f8ad6b6c14..efc9dd6582ced8 100644
--- a/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts
+++ b/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts
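Review bot: The trailing `*` appended in all three branches turns each fixed index name into a prefix pattern, and nothing in the hunk records why or bounds what it may match: any index whose name merely begins with that constant (a sibling stream, or a user-created index such as `<prefix>-archive`) will now be searched together with the intended one. If the wildcard is there to reach rolled-over or hidden backing indices, say so where the pattern is built, e.g. `// Trailing wildcard so rolled-over/backing indices are searched too; note it also matches any index sharing this prefix.`, and check whether it is needed at all (a data stream can be searched by its exact name) or whether a separator such as `${ACTION_RESPONSES_DATA_STREAM_INDEX}-*` narrows it enough. The three branches differ only in the constant, so choosing the base name first and appending `*` once — `index = \`${base}*\`;` — keeps the wildcard policy in a single place. buildActionResultsQuery begins before and continues after the hunk.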
@@ -40,6 +40,8 @@ export const osquerySearchStrategyProvider = (
       }),
       newDataStreamIndexExists: esClient.asInternalUser.indices.exists({
         index: `${ACTION_RESPONSES_DATA_STREAM_INDEX}*`,
+        allow_no_indices: false,
+        expand_wildcards: 'all',
       }),
     }).pipe(
       mergeMap(({ actionsIndexExists, newDataStreamIndexExists }) => {
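Review bot: `expand_wildcards: 'all'` makes the existence probe count closed indices as well as hidden ones, while the search this flag gates presumably runs with Elasticsearch's default of open indices only, so a closed index matching `${ACTION_RESPONSES_DATA_STREAM_INDEX}*` would set `newDataStreamIndexExists` to true and route queries at a pattern that returns nothing. If the goal is only to see hidden data-stream backing indices, `expand_wildcards: 'open,hidden',` is the narrower setting. The probe also runs as `asInternalUser`, so a true result says nothing about whether the requesting user may read those indices; a comment such as `// existence check only — read authorization is enforced by the actual search` would make that explicit for the next reader. osquerySearchStrategyProvider continues past the hunk, so I cannot see how the flag is consumed.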