Creating a Kibana Dashboard for our CloudTrail logs

Now that our CloudTrail logs are streamed into ElasticSearch, we can search through them properly. In addition, we can create a dashboard to highlight some of the important events occurring on the AWS account.

To illustrate this point, we will simulate login attempts. Log out of and back in to the AWS console a few times. Also try logging in with a wrong password so that login failures appear in the logs.

Wait a few minutes for the data to be generated and sent to ElasticSearch, then go through the following steps to create a new index pattern:

  1. Open Kibana in your browser and go to the management menu.
  2. Click on Index Patterns.
  3. Click on Add New.
  4. In the Index name or pattern field, enter logstash-cloudtrail-*.
  5. In the time-field name, select @timestamp.
  6. Finally, click create to complete the creation of the index pattern.

The next step will be to create the visualizations that will populate our dashboard:

  1. Click on Visualize to access the visualization menu.
  2. Click on Create a visualization.
  3. Click on Vertical bar chart.
  4. Click on logstash-cloudtrail-*.
  5. Under Select buckets type, click on X-Axis.
  6. In the aggregation menu, select Date histogram.
  7. Select the @timestamp for the Field value.
  8. Click on Add sub-bucket.
  9. Select Split Bars.
  10. Select Terms as our Sub Aggregation.
  11. Select the Field responseElements.ConsoleLogin.
  12. Click on the Apply changes icon at the top. You should end up with a bar chart of login events over time, with each bar split into Success and Failure.
  13. Click on Save at the top and give it the name CloudTrail - login timeline.

Another useful bit of information is to group login failures by IP. For this, we will create a new visualization as given in the following steps:

  1. Click on Visualize to access the visualization menu.
  2. Click on Create a visualization.
  3. Click on Data Table.
  4. Click on logstash-cloudtrail-*.
  5. Click on split rows.
  6. Select Filters.
  7. Set the Filter 1 field to responseElements.ConsoleLogin.keyword:Failure.
  8. Click on Add sub-bucket.
  9. Select Split Rows.
  10. Select Terms.
  11. Use sourceIPAddress.keyword as the Field (a Terms aggregation needs the aggregatable .keyword sub-field, not the analyzed text field) and, as before, click on Apply changes. You should end up with a table listing each source IP address with its number of failed logins.
  12. You can now save the new visualization under the name CloudTrail - login failures by IP.
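
The two visualizations above are just aggregations over CloudTrail records. The following Python is an added example, not code from the book, that reproduces them over a handful of constructed ConsoleLogin events so the logic is explicit and can be checked: a date histogram split by responseElements.ConsoleLogin (the bar chart) and a count of failures per sourceIPAddress (the data table). It goes one step beyond the dashboard with a threshold check on failures per IP, which is what you would alert on. Assumptions of mine: the records are in the shape CloudTrail writes them and Logstash indexed them unchanged, eventTime stands in for @timestamp, and the threshold value and the sample events are constructed for illustration.

```python
"""Added example: the Kibana login-timeline and failures-by-IP aggregations
computed in plain Python over constructed CloudTrail records.
Assumed (mine, not the book's): records are in CloudTrail's native layout,
so the Kibana fields used above correspond to
record["responseElements"]["ConsoleLogin"] and record["sourceIPAddress"]."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def _login(ts, ip, user, outcome):
    """Build a minimal ConsoleLogin record in CloudTrail's field layout."""
    return {"eventTime": ts, "eventName": "ConsoleLogin",
            "eventSource": "signin.amazonaws.com", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": outcome}}


# Constructed sample events (not real CloudTrail output).
SAMPLE_EVENTS = [
    _login("2018-03-01T10:01:12Z", "203.0.113.10", "alice", "Failure"),
    _login("2018-03-01T10:02:40Z", "203.0.113.10", "alice", "Failure"),
    _login("2018-03-01T10:03:05Z", "203.0.113.10", "alice", "Failure"),
    _login("2018-03-01T10:04:30Z", "203.0.113.10", "alice", "Success"),
    _login("2018-03-01T10:11:50Z", "198.51.100.7", "bob", "Failure"),
    # A non-login API call. CloudTrail records responseElements as null for
    # many events, so the code below must not assume it is a dict.
    {"eventTime": "2018-03-01T10:12:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": None},
    _login("2018-03-01T10:17:03Z", "198.51.100.7", "bob", "Success"),
]


def _parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _login_outcome(event):
    """Value of responseElements.ConsoleLogin, or None for non-login events."""
    if event.get("eventName") != "ConsoleLogin":
        return None
    return (event.get("responseElements") or {}).get("ConsoleLogin")


def login_timeline(events, bucket_minutes=5):
    """Date histogram on eventTime split by login outcome (the bar chart).
    Returns {bucket_start: {"Success": n, "Failure": n}} in time order."""
    buckets = defaultdict(Counter)
    for e in events:
        outcome = _login_outcome(e)
        if outcome is None:
            continue
        t = _parse_time(e["eventTime"])
        start = t - timedelta(minutes=t.minute % bucket_minutes, seconds=t.second)
        buckets[start.strftime("%Y-%m-%dT%H:%M:%SZ")][outcome] += 1
    return {k: dict(v) for k, v in sorted(buckets.items())}


def failures_by_ip(events):
    """Filter on responseElements.ConsoleLogin:Failure, then terms on
    sourceIPAddress (the data table). Returns [(ip, failures)], most first."""
    return Counter(e["sourceIPAddress"] for e in events
                   if _login_outcome(e) == "Failure").most_common()


def suspicious_ips(events, threshold=3):
    """Beyond the dashboard: IPs with at least `threshold` failed logins.
    The threshold is an assumed value for illustration, tune it to your account."""
    return [ip for ip, n in failures_by_ip(events) if n >= threshold]


def es_failures_by_ip_query(size=10):
    """An Elasticsearch request body equivalent to the data table: a term
    filter on the keyword sub-field, then a terms aggregation on the IP."""
    return {
        "size": 0,
        "query": {"term": {"responseElements.ConsoleLogin.keyword": "Failure"}},
        "aggs": {"by_ip": {"terms": {"field": "sourceIPAddress.keyword",
                                     "size": size}}},
    }


if __name__ == "__main__":
    for bucket, counts in login_timeline(SAMPLE_EVENTS).items():
        print(bucket, counts)
    print(failures_by_ip(SAMPLE_EVENTS))
    print("suspicious:", suspicious_ips(SAMPLE_EVENTS))
```

Note the handling of `responseElements`: CloudTrail writes `null` there for many API calls, so code (or a Logstash filter) that reaches into it must guard against a missing dict, which is also why the Kibana filter is applied to the `.keyword` sub-field of the login outcome rather than to the parent object.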

You can continue this exercise and add a few more visualizations that are important to you. You can, for example, graph all deletion events, user activity (as shown in the following screenshot), and so on.

Once you have everything you need, go to the Dashboard menu and create a new dashboard:

  1. Go to the Dashboard menu in Kibana.
  2. Click on create dashboard.
  3. Click on Add in the top menu.
  4. Select all relevant visualizations.
  5. Click on Save and give your new dashboard a name such as CloudTrail.

Thanks to the work we just did, we can quickly analyze any API activity. This puts us in a very good spot to start making changes to the security of our infrastructure. The first and most important service we will look at is the IAM service.
