diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/endpoint_alerts.ts b/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/endpoint_alerts.ts
index 089c7592c384..e38b4a5c3000 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/endpoint_alerts.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/endpoint_alerts.ts
@@ -102,6 +102,7 @@ const allowlistBaseEventFields: AllowlistFields = {
   user: {
     id: true,
   },
+  Persistence: true,
 };
 
 // Allow list for the data we include in the events. True means that it is deep-cloned
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
index bb0cc6b1707c..97d61a98e70f 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
@@ -150,6 +150,12 @@ describe('TelemetryEventsSender', () => {
           threat: {
             ignored_object: true, // this field is not allowlisted
           },
+          Persistence: {
+            name: 'foo',
+            path: '/foo/bar',
+            runatload: true,
+            args: ['foo', 'bar'],
+          },
         },
       ];
 
@@ -263,6 +269,12 @@ describe('TelemetryEventsSender', () => {
               },
             },
           },
+          Persistence: {
+            name: 'foo',
+            path: '/foo/bar',
+            runatload: true,
+            args: ['foo', 'bar'],
+          },
         },
       ]);
     });