diff --git a/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml b/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml
index 9a1cc6a9a..a1413bc1c 100644
--- a/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml
+++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml
@@ -3,19 +3,19 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %}
+{%- set DELETE_DAYS = CURATORMERGED['logs-windows-sysmon_operational-default'].delete %}
 actions:
   1:
     action: delete_indices
     description: >-
-      Delete Elastic Agent system auth indices when older than {{ DELETE_DAYS }} days.
+      Delete Elastic Agent Windows Sysmon operational indices when older than {{ DELETE_DAYS }} days.
     options:
       ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern
       kind: regex
-      value: '^(.ds-logs-system.auth-default.*)$'
+      value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
     - filtertype: age
       source: name
       direction: older