Question
Your egress-monitoring dashboard flags an analytics service account ('svc-reporting') transferring 240GB to an external S3 bucket over the last 6 hours — normal daily egress for it is <2GB. Query logs show svc-reporting running full-table SELECTs against the customers and payment_methods tables, paginated, between 01:00-07:00 local. The account is used by a scheduled BI job that historically only reads aggregated views. A new third-party BI vendor integration was connected via OAuth 4 days ago. No alerts from the WAF. How do you triage, contain, and remediate this suspected data exfiltration?
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
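The triage logic described above, turned into a runnable example (added here, not part of the original question or answer): it correlates an egress-volume anomaly with unfiltered reads of sensitive tables by the same account, checks whether an integration change falls inside the suspicious window, and emits the containment actions. The log formats, account names, baselines, bucket names and timestamps are constructed samples; the `triage` function and its helpers are hypothetical, not any vendor's API.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample egress records: "timestamp account bytes destination"
EGRESS_LOG = """\
2024-05-11T01:05:00 svc-reporting 42949672960 s3://ext-bucket-example
2024-05-11T03:10:00 svc-reporting 107374182400 s3://ext-bucket-example
2024-05-11T06:40:00 svc-reporting 107374182400 s3://ext-bucket-example
2024-05-11T02:00:00 svc-backup 1073741824 s3://internal-backups
"""

# Constructed sample query log: "timestamp account sql"
QUERY_LOG = """\
2024-05-11T01:02:11 svc-reporting SELECT * FROM customers ORDER BY id LIMIT 10000 OFFSET 0
2024-05-11T01:02:19 svc-reporting SELECT * FROM payment_methods ORDER BY id LIMIT 10000 OFFSET 0
2024-05-11T01:03:02 svc-reporting SELECT * FROM customers ORDER BY id LIMIT 10000 OFFSET 10000
2024-05-10T08:00:00 svc-reporting SELECT region, SUM(total) FROM v_daily_sales GROUP BY region
2024-05-11T02:15:00 svc-backup SELECT COUNT(*) FROM customers
"""

SENSITIVE_TABLES = {"customers", "payment_methods"}
GB = 1024 ** 3

def egress_by_account(log):
    """Sum transferred bytes per account over the window covered by the log."""
    totals = defaultdict(int)
    for line in log.splitlines():
        _ts, account, nbytes, _dest = line.split()
        totals[account] += int(nbytes)
    return dict(totals)

def egress_anomalies(totals, baseline_gb, factor=10):
    """Accounts whose egress exceeds `factor` times their daily baseline (in GB).
    An account with no known baseline is treated as baseline 0, so any egress flags it."""
    return {a: round(b / GB, 1) for a, b in totals.items()
            if b > factor * baseline_gb.get(a, 0) * GB}

# Matches an unprojected "SELECT * FROM <table>"; aggregates like COUNT(*) do not match.
FULL_SCAN = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+(\w+)", re.IGNORECASE)

def bulk_reads_of_sensitive_tables(log, sensitive=SENSITIVE_TABLES):
    """Return {account: {table: count}} for unfiltered SELECT * reads of sensitive tables."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        _ts, account, sql = line.split(maxsplit=2)
        m = FULL_SCAN.match(sql)
        if m and m.group(1).lower() in sensitive and " where " not in sql.lower():
            hits[account][m.group(1).lower()] += 1
    return {a: dict(t) for a, t in hits.items()}

def triage(egress_log, query_log, baseline_gb, integration_connected_at, now):
    """Correlate the two signals and produce containment actions for each suspect account."""
    anomalies = egress_anomalies(egress_by_account(egress_log), baseline_gb)
    bulk = bulk_reads_of_sensitive_tables(query_log)
    # Only accounts that BOTH egressed abnormally AND bulk-read sensitive tables are suspects.
    suspects = sorted(a for a in anomalies if a in bulk)
    days_since_change = (now - integration_connected_at).days
    actions = []
    for a in suspects:
        tables = ", ".join(sorted(bulk[a]))
        actions += [
            f"revoke active sessions and third-party OAuth grants for {a}",
            f"rotate credentials for {a}",
            f"restrict {a} to aggregated views; deny direct reads of {tables}",
            "block the external destination bucket at the egress proxy / VPC endpoint policy",
        ]
    return {
        "suspects": suspects,
        "egress_gb": anomalies,
        "bulk_reads": bulk,
        "recent_integration_change": days_since_change <= 7,
        "actions": actions,
    }

if __name__ == "__main__":
    result = triage(
        EGRESS_LOG, QUERY_LOG,
        baseline_gb={"svc-reporting": 2, "svc-backup": 5},       # constructed baselines
        integration_connected_at=datetime(2024, 5, 7),             # constructed: 4 days earlier
        now=datetime(2024, 5, 11, 7),
    )
    for k, v in result.items():
        print(f"{k}: {v}")
```

Containment here targets the account and the destination, not the vendor integration alone, because the OAuth grant is a hypothesis about root cause until the grant's token usage is tied to the query sessions; the `recent_integration_change` flag only prioritises that hypothesis for the forensic follow-up.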