Adding persistence event

custom_schemas/custom_persistence.yml

@@ -0,0 +1,39 @@
+---
+- name: Persistence
+  title: Persistence
+  group: 2
+  short: These fields contain information about persistence event.
+  description: >
+    These fields contain information about a Persistence event.
+  type: group
+  fields:
+    - name: path
+      level: custom
+      type: keyword
+      description: >
+        The file's path
+    - name: name
+      level: custom
+      type: keyword
+      description: >
+        The persistence item's name
+    - name: executable
+      level: custom
+      type: keyword
+      description: >
+        The persistence item's executable
+    - name: args
+      level: custom
+      type: keyword
+      description: >
+        Arguments used to execute the persistence item
+    - name: runatload
+      level: custom
+      type: boolean
+      description: >
+        Run at load option boolean
+    - name: keepalive
+      level: custom
+      type: boolean
+      description: >
+        Keep alive option boolean

custom_subsets/elastic_endpoint/file/file.yaml

@@ -155,6 +155,14 @@ fields:
       name: {}
       executable: {}
       entity_id: {}
+  Persistence:
+    fields:
+      args: {}
+      keepalive: {}
+      executable: {}
+      name: {}
+      path: {}
+      runatload: {}
   file:
     fields:
       accessed: {}

package/endpoint/data_stream/file/fields/fields.yml

@@ -61,6 +61,47 @@
       description: Process ID.
       example: 4242
       default_field: false
+- name: Persistence
+  title: Persistence
+  group: 2
+  description: These fields contain information about a Persistence event.
+  type: group
+  default_field: true
+  fields:
+    - name: args
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: Arguments used to execute the persistence item
+      default_field: false
+    - name: executable
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The persistence item's executable
+      default_field: false
+    - name: keepalive
+      level: custom
+      type: boolean
+      description: Keep alive option boolean
+      default_field: false
+    - name: name
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The persistence item's name
+      default_field: false
+    - name: path
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The file's path
+      default_field: false
+    - name: runatload
+      level: custom
+      type: boolean
+      description: Run at load option boolean
+      default_field: false
 - name: agent
   title: Agent
   group: 2

package/endpoint/docs/README.md

@@ -1447,6 +1447,12 @@ sent by the endpoint.
 | Effective_process.executable | Executable name for the effective process. | keyword |
 | Effective_process.name | Process name for the effective process. | keyword |
 | Effective_process.pid | Process ID. | long |
+| Persistence.args | Arguments used to execute the persistence item | keyword |
+| Persistence.executable | The persistence item's executable | keyword |
+| Persistence.keepalive | Keep alive option boolean | boolean |
+| Persistence.name | The persistence item's name | keyword |
+| Persistence.path | The file's path | keyword |
+| Persistence.runatload | Run at load option boolean | boolean |
 | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
 | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword |
 | agent.version | Version of the agent. | keyword |