View CloudTrail Lake dashboards - AWS CloudTrail

View CloudTrail Lake dashboards

You can use CloudTrail Lake dashboards to visualize the events in an event data store. You can select from several different dashboard types. The dashboard types available for an event data store are dependent upon the advanced event selectors configuration of the event data store. For example, if a dashboard type displays information about CloudTrail management events, you can only select the dashboard if the currently selected event data store collects CloudTrail management events.

Each dashboard type consists of multiple widgets and each widget represents a SQL query. To view the query for a widget, choose View and analyze in query editor to open up the query editor. You can't modify the system-generated query that is used to populate the widget, but you can make edits to the query and run the query in the query editor for further analysis.

To populate and update a dashboard, choose Run queries. When you choose Run queries, CloudTrail runs system-generated queries on your behalf. Because running queries incurs costs, CloudTrail asks you to acknowledge the costs associated with running queries. This is a one-time confirmation. For more information about CloudTrail pricing, see CloudTrail Pricing.

Limitations

The following limitations apply to the current release.

  • The current release doesn't support customized dashboards, widgets, or queries.

  • The current release only provides dashboards for event data stores that collect CloudTrail events (data events, management events) and Insights events.

  • The current release doesn't support editing the system-generated queries used to populate the dashboard. You can view and edit the underlying query for any widget on the Query Editor tab; however, any changes you make to the query are intended for supplemental analysis outside of the dashboard.

Prerequisites

The following prerequisites apply to Lake dashboards.

  • To view and use Lake dashboards, you must create at least one CloudTrail Lake event data store. You can create event data stores using the console, AWS CLI, or SDKs. For information about creating an event data store using the console, see Create an event data store for CloudTrail events with the console. For information about creating an event data store using the AWS CLI, see Create, update, and manage event data stores with the AWS CLI.

  • To populate the dashboard, CloudTrail runs queries on your behalf. The first time you view the Dashboards page, CloudTrail asks you to acknowledge the costs associated with running queries. Choose I agree to acknowledge the cost of running queries.

Choosing a dashboard

Use the following procedure to choose an event data store and dashboard type to view.

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. In the left navigation pane, under Lake, choose Dashboard.

  3. Choose the event data store for which you want to visualize data.

  4. Choose the dashboard type you want to view. The dashboards list is populated based upon the advanced event selectors configuration of the selected event data store.

    The following are the possible dashboard types.

    • Overview dashboard - Shows the most active users, AWS Regions, and AWS services by event count. You can also view information about read and write management event activity, most throttled events, and the top errors. This dashboard is available for event data stores that collect management events.

    • Management Events dashboard - Shows console sign-in events, access denied events, destructive actions, and top errors by user. You can also view information about TLS versions and outdated TLS calls by user. This dashboard is available for event data stores that collect management events.

    • S3 Data Events dashboard - Shows S3 account activity, most accessed S3 objects, top S3 users, and top S3 actions. This dashboard is available for event data stores that collect Amazon S3 data events.

    • Insights Events dashboard - Shows the overall proportion of Insights events by Insights type, the proportion of Insights events by Insights type for the top users and services, and the number of Insights events per day. The dashboard also includes a widget that lists up to 30 days of Insights events. This dashboard is only available for event data stores that collect Insights events.

      Note
      • After you enable CloudTrail Insights for the first time on the source event data store, it can take up to 7 days for CloudTrail to deliver the first Insights event, if unusual activity is detected. For more information, see Understanding Insights events delivery.

      • The Insights Events dashboard only displays information about the Insights events collected by the selected event data store, which is determined by the configuration of the source event data store. For example, if you configure the source event data store to enable Insights events on ApiCallRateInsight but not ApiErrorRateInsight, you won't see information about Insights events on ApiErrorRateInsight.

  5. Choose to filter the dashboard data by an Absolute range or Relative range. Choose Absolute range to select a specific date and time range. Choose Relative range to select a predefined time range or a custom range. By default, the dashboard displays event data for the past 24 hours.

    Note

    CloudTrail Lake queries incur costs based upon the amount of data scanned. To help control costs, you can filter on a narrower time range. For more information about CloudTrail pricing, see AWS CloudTrail Pricing.

  6. Choose Run queries to run the queries for the dashboard's widgets.

Filtering a dashboard on a date or time range

By default, the dashboard displays data for the past 24 hours. You can filter a dashboard by an Absolute range or Relative range.

Choose Absolute range to select a specific date and time range.

Choose Relative range to select a predefined time range or a custom range.

After you've chosen the time range, choose Run queries to refresh the dashboard.

Note

CloudTrail Lake queries incur costs based upon the amount of data scanned. To help control costs, you can filter on a narrower time range. For more information about CloudTrail pricing, see AWS CloudTrail Pricing.

Viewing the query for a dashboard widget

Each widget represents a SQL query. To view the query for a widget, choose View and analyze in query editor to open up the query editor. Using the query editor, you can further refine the query outside the dashboard and run the query to see the results of your updated query. For more information about working with queries, see Create or edit a query.

Note

You cannot modify the system-generated query for a dashboard widget. Any changes made to the query on the Query Editor tab are intended solely for further analysis outside of the dashboard.
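
The following query is an added example of refining a widget's topic in the query editor. It is not the system-generated query behind any widget and is not taken from the CloudTrail documentation. It follows up on the Management Events dashboard's outdated TLS view by listing which callers and services still use TLS 1.0 or 1.1. `$EDS_ID` is a placeholder for your event data store ID, and the time bounds are constructed sample values.

```sql
-- Added example: callers still making management API calls over outdated TLS.
-- $EDS_ID is a placeholder; replace it with the ID of your event data store.
-- The eventTime bounds are constructed sample values. Keep the window narrow,
-- because CloudTrail Lake queries are billed on the amount of data scanned.
SELECT
    userIdentity.arn      AS caller_arn,
    eventSource,
    tlsDetails.tlsVersion AS tls_version,
    COUNT(*)              AS call_count,
    MAX(eventTime)        AS last_seen
FROM $EDS_ID
WHERE eventTime >= '2024-01-01 00:00:00'
  AND eventTime <  '2024-01-02 00:00:00'
  AND eventCategory = 'Management'
  -- Events without TLS details have a NULL tlsVersion and are excluded here.
  AND tlsDetails.tlsVersion IN ('TLSv1', 'TLSv1.1')
GROUP BY userIdentity.arn, eventSource, tlsDetails.tlsVersion
ORDER BY call_count DESC
LIMIT 50
```

Running this in the query editor does not change what the dashboard widget displays.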