You can enable auditing to keep track of security-related events such as authorization success and failures. Logging these events enables you to monitor Kibana for suspicious activity and provides evidence in the event of an attack. Audit logs are disabled by default. To enable this functionality, you must set xpack.security.audit.enabled to true in kibana.yml .
https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html
Use the Kibana audit logs in conjunction with Elasticsearch’s audit logging to get a holistic view of all security related events. Kibana defers to Elasticsearch’s security model for authentication, data index authorization, and features that are driven by cluster-wide privileges.
look at Log users and query in audit log - for more implementation ideas.
Hope this helps
Rashmi