I work on a Proxmox server where I installed a pfSense firewall/router with three interfaces (LAN, DMZ, WAN), with various "user" VMs as well as servers (web and DB).
So I installed Wazuh and Suricata to monitor my machines and my network with ELK.
In previous projects, I had used Logstash to write various filters in Ruby, such as deleting fields, modifying them, filtering logs by file (with regex), adding tags or information to certain specific alerts, etc.
But in this project I can't do it this way and use Logstash's filtering, since Wazuh and ELK were installed by an installer script to "wazuh-index". So I don't have access to the Logstash configurations, or I really don't know how to do it.
So I wanted to know whether it is possible to apply filter conditions in Filebeat.
The idea is to filter alerts that I identify as potential false positives.
Currently, my false positives are alerts of the type "Suricata: Alert -GPL ICMP_INFO PING *NIX" corresponding to a known IP address. There are also alerts of the "Host-based anomaly detection event" type, which are redundant. Of course, I can't "remove" these false positives by filtering out the rule (somehow), because I can't risk missing an alert that might turn out to be true. My idea is therefore to create a tag that would be added automatically to each selected alert, in order to identify potential false positives while still being able to view and analyze them if necessary. Nothing falls by the wayside.
For example, add a "PFP" tag for "Potential False Positive" on alerts of the type "Suricata: Alert -GPL ICMP_INFO PING *NIX" for defined IPs. However, can't this recursive tag addition be done via Filebeat? I know very little about Filebeat, unlike Logstash.
With Logstash, I would have written a condition on the corresponding field to check that it equals "Suricata: Alert -GPL ICMP_INFO PING *NIX", and a second condition that would look up a whitelist of IPs (defined beforehand) to see whether the alert's source IP is listed or not.
But with Filebeat, I don't know whether it's possible.
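The tagging described in the post can be expressed with Filebeat's own processors rather than Logstash: `add_tags` runs only when its `when` condition holds, and `when` supports `equals`, `contains`, `regexp`, `network` (CIDR lists, which covers the IP whitelist) and `and`/`or`/`not`. Below is an added example, not part of the original post and not Wazuh's shipped configuration, of a `processors` section for `filebeat.yml`. It assumes the decoded Wazuh alert exposes the rule text in `rule.description` and the Suricata source address in `data.src_ip`; those field names, the CIDR ranges and the tag name `PFP` are assumptions to check against a real event in the indexer before relying on them.

```yaml
# Added example (not from the original post): global processors in filebeat.yml.
# Global processors run in Filebeat, after the input has decoded the JSON alert
# and before the event is shipped, so tagged events are still indexed in full.
# Field names rule.description and data.src_ip are ASSUMED; verify on a real event.
processors:
  # Case 1: Suricata ICMP ping signature from a whitelisted source IP.
  # Both conditions must hold; an ICMP alert from any other IP is left untagged.
  - add_tags:
      tags: [PFP]          # "Potential False Positive"
      target: tags         # default field; appended to, not overwritten
      when:
        and:
          - equals:
              # equals is an exact match: copy the value from a real alert,
              # a single character of difference (e.g. spacing) makes it fail.
              rule.description: "Suricata: Alert -GPL ICMP_INFO PING *NIX"
          - network:
              # Whitelist as CIDR ranges (documentation addresses, constructed).
              data.src_ip:
                - 192.0.2.10/32
                - 198.51.100.0/24

  # Case 2: the redundant host-based anomaly alert, tagged regardless of IP.
  # contains is a substring match, so the trailing text of the rule
  # description does not have to be reproduced exactly.
  - add_tags:
      tags: [PFP]
      when:
        contains:
          rule.description: "Host-based anomaly detection event"
```

After editing `filebeat.yml`, `filebeat test config` validates the syntax before a restart. Two caveats worth checking on a live event: Filebeat's `when` conditions are evaluated on the event as Filebeat sees it, so the field paths must match the JSON that the Wazuh input decodes (not the names shown after any ingest pipeline in the indexer), and `network` only matches if the field actually holds an IP string. If a condition ever needs logic these operators cannot express, Filebeat 7.x also provides a `script` processor that runs a short JavaScript function over each event, which is the closest equivalent to a Logstash Ruby filter.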