@Ruslan1 Now I remember, I was responding to this case in November 2025
When the Security Analytics detector is created, Alerting creates a Monitor to support that detector.
The observed error wasn’t caused by SA, but it’s an output from the Alerting plugin.
I suspect that this PR has introduced the pattern check.
In short, the Alerting plugin takes a dot from the index name as part of the regex.
As a workaround, I suggest using index/alias name without dots, i.e. logs-auditbeat-8_5_0
You can also report this as a bug in OpenSearch GitHub. If you do so, please share the link here.