How Security Teams Use Data Activity Monitoring During Incident Investigations
There is a well-documented gap between when a security incident occurs and when an organization discovers it. According to IBM's 2025 Cost of a Data Breach Report, breaches involving stolen credentials take an average of 246 days to identify and contain. That is not a technology failure in a narrow sense. It is a visibility failure, and it plays out in organizations where data activity is not systematically observed, logged, or surfaced for review.
For legal operations leaders, compliance officers, and information governance teams, that gap is where exposure accumulates. By the time an incident is confirmed, the question is no longer only what happened. It is whether the organization can prove what happened, demonstrate appropriate controls, and defend its response to regulators or a court.
Why Investigations Fail Without Data Activity Monitoring
Visibility gaps drive attacker success
The Palo Alto Networks Unit 42 2026 Global Incident Response Report found that visibility gaps, particularly across SaaS, cloud identity, and automation layers, were a primary driver of attacker success in 2025. In most organizations, data generated by collaboration tools, file sharing platforms, and messaging applications exists in separate silos with no unified view. When an investigation begins, investigators are left correlating disconnected logs across systems that were never designed to be queried together. The result is a timeline full of gaps and a legal narrative that cannot withstand scrutiny.
Insider risk is structurally invisible to perimeter tools
Not all incidents originate externally, and those that do tend to look internal once the attacker is inside. Verizon's 2026 Data Breach Investigations Report identifies credential abuse as the leading initial access vector in confirmed breaches; whether the credentials belong to a departing employee or were stolen from one, the resulting sessions are authenticated and authorised, and perimeter tools have no reason to object. A user accessing files they are entitled to open, moving data to a personal device, or exporting records before a departure does not trigger conventional alerts. Only monitoring that compares behaviour against established baselines will surface these patterns. This is the early warning function that Onna's analysis of data activity monitoring as a signal in legal cases examines. The value lies not just in responding to incidents but in catching precursors before a formal investigation is required.
How Security Teams Apply DAM During an Active Investigation
Establishing scope
The first task in any investigation is defining what happened and to what extent. DAM provides the query surface to answer that question with precision: unusual file access volumes during the relevant window, data transfers to external destinations, access events involving inactive accounts, and bulk exports from collaboration platforms. Scoping work that previously took days of manual log review can be completed in hours when data activity is centralized and indexed. Onna's guide to detecting risks early through data activity monitoring covers how this approach transforms investigation timelines.
Reconstructing the activity timeline
A credible investigation requires a chronological record of events that is accurate, complete, and auditable across every data source in scope. This cross-platform completeness is particularly important in organizations running multiple collaboration tools simultaneously. An incident that touches email, a cloud file store, and a messaging platform requires evidence from all three, correlated to a single timeline. Without a unified data activity layer, that correlation is manual, slow, and prone to error.
Distinguishing authorised from anomalous behaviour
Not every access event is suspicious. Effective DAM systems maintain baseline context about normal user patterns and flag deviations that meet defined thresholds, such as a user accessing three hundred documents in a single session rather than their usual ten, or accessing sensitive files from an unmanaged endpoint at unusual hours. Baselines and thresholds have to be set per role and revisited as working patterns change; set too tight they bury analysts in alerts, set too loose they miss the three-hundred-document session. Onna's comparison of data activity monitoring and traditional auditing sets out why this real-time anomaly detection separates modern DAM from the legacy audit log approaches legal teams have historically relied on.
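The scoping, timeline and baseline steps above, as an added example that is not Onna's code and does not describe its product: three constructed logs in different formats (a CSV email log, a JSON-lines file-store log and a syslog-style chat log) are normalised into one timeline, queried for external transfers, inactive-account activity and per-user document volumes, and then compared with per-user baselines. The field names, the corporate domain, the business-hours window, the missing syslog year and the 10x volume threshold are all assumptions.

```python
"""Added example: normalise three constructed activity logs (email, cloud file
store, chat) into one timeline, then run the scoping and baseline queries the
text describes. Platform names, fields and thresholds are assumptions."""
import csv
import io
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

UTC = timezone.utc
CORP_DOMAIN = "corp.example"      # assumption: any other domain is an external destination
SYSLOG_YEAR = 2025                # assumption: syslog-style chat lines carry no year
BUSINESS_HOURS = range(7, 19)     # assumption: 07:00-19:00 UTC is normal for this tenant


def utc_dt(y, mo, d, h, mi, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=UTC)


# Constructed sample logs (not real data); each platform uses its own format.
EMAIL_CSV = (
    "timestamp,sender,recipient,attachment_bytes\n"
    "2025-03-04T09:12:00Z,jlee@corp.example,r.kim@corp.example,120000\n"
    "2025-03-04T22:41:00Z,jlee@corp.example,jlee.home@mail.example,48000000\n"
)
DRIVE_JSONL = "\n".join(json.dumps(e) for e in (
    [{"ts": int(utc_dt(2025, 3, 4, 22, 30).timestamp()) + i, "actor": "jlee@corp.example",
      "op": "download", "doc": f"doc-{i:03}", "device": "unmanaged"} for i in range(300)]
    + [{"ts": int(utc_dt(2025, 3, 4, 3, 0).timestamp()), "actor": "svc-legacy@corp.example",
        "op": "view", "doc": "payroll.xlsx", "device": "managed"}]))
CHAT_SYSLOG = (
    "Mar  4 10:05:13 chat file_share user=jlee@corp.example channel=#finance file=budget.pdf\n"
    "Mar  4 22:50:02 chat file_share user=jlee@corp.example channel=ext-partner "
    "file=contracts.zip external=true\n"
)
CHAT_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) chat (\w+) user=(\S+) "
                     r"channel=(\S+) file=(\S+)(?: external=(\w+))?$")


def normalise():
    """Map every record onto one schema (ts, source, user, action, obj, external,
    managed) and return the merged list sorted by time: the unified timeline."""
    events = []
    for row in csv.DictReader(io.StringIO(EMAIL_CSV)):
        events.append({"ts": datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00")),
                       "source": "email", "user": row["sender"], "action": "send",
                       "obj": f"attachment:{row['attachment_bytes']}B",
                       "external": not row["recipient"].endswith("@" + CORP_DOMAIN),
                       "managed": True})
    for line in DRIVE_JSONL.splitlines():
        e = json.loads(line)
        events.append({"ts": datetime.fromtimestamp(e["ts"], UTC), "source": "drive",
                       "user": e["actor"], "action": e["op"], "obj": e["doc"],
                       "external": False, "managed": e["device"] == "managed"})
    for line in CHAT_SYSLOG.splitlines():
        mon, day, clock, action, user, _chan, fname, ext = CHAT_RE.match(line).groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=UTC)
        events.append({"ts": ts, "source": "chat", "user": user, "action": action,
                       "obj": fname, "external": ext == "true", "managed": True})
    return sorted(events, key=lambda e: e["ts"])


def scope(events, start, end, inactive_accounts):
    """Scoping queries over the relevant window: transfers to external destinations,
    activity by accounts that should be inactive, and per-user document volumes."""
    win = [e for e in events if start <= e["ts"] < end]
    docs = defaultdict(set)
    for e in win:
        if e["action"] in ("download", "view"):
            docs[e["user"]].add(e["obj"])
    return {"external_transfers": [e for e in win if e["external"]],
            "inactive_account_access": [e for e in win if e["user"] in inactive_accounts],
            "doc_counts": {u: len(d) for u, d in docs.items()}}


def anomalies(events, baselines, factor=10):
    """Compare behaviour with per-user baselines: flag document volumes above
    `factor` times the user's usual count, and unmanaged-endpoint access outside
    business hours. Returns {user: [reasons]}; users with no findings are absent."""
    findings, docs = defaultdict(set), defaultdict(set)
    for e in events:
        if e["action"] in ("download", "view"):
            docs[e["user"]].add(e["obj"])
        if not e["managed"] and e["ts"].hour not in BUSINESS_HOURS:
            findings[e["user"]].add("unmanaged endpoint outside business hours")
    for user, d in docs.items():
        base = baselines.get(user, 1)
        if len(d) > factor * base:
            findings[user].add(f"{len(d)} distinct documents vs baseline {base}")
    return {u: sorted(r) for u, r in findings.items()}


if __name__ == "__main__":
    timeline = normalise()
    report = scope(timeline, utc_dt(2025, 3, 4, 0, 0), utc_dt(2025, 3, 5, 0, 0),
                   inactive_accounts={"svc-legacy@corp.example"})
    for e in report["external_transfers"] + report["inactive_account_access"]:
        print(e["ts"].isoformat(), e["source"], e["user"], e["action"], e["obj"])
    print(anomalies(timeline, baselines={"jlee@corp.example": 10}))
```

Run as written, the scoping pass returns the 48 MB attachment sent to a non-corporate address and the chat share into an external channel, both within twenty minutes of 300 downloads from an unmanaged device at 22:30 UTC, plus a 03:00 view of a payroll file by an account that should be inactive; the anomaly pass flags the downloading user on both the volume rule and the endpoint-and-hours rule. The point of the normalisation step is that none of those three findings is visible from any single source's log on its own.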
Moving from alert to action
Detection without a clear action pathway creates its own risk. The operational value of DAM lies in its ability to feed directly into response workflows: immediate preservation of relevant data, access restriction, and generation of documentation suitable for legal or regulatory use. Onna's framework for moving from alert to action in legal and security contexts details how that operational loop is structured.
The Regulatory Dimension: DAM as Compliance Infrastructure
Internal investigations do not happen in isolation from regulatory obligations. Under the UK GDPR and equivalent regimes, a controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. Meeting that window requires the ability to determine quickly whether personal data was involved, which data subjects are affected, and what the scope of exposure is. Without DAM, that scoping is the same multi-day manual log correlation described above, now compressed into three days, and the 246-day identify-and-contain figure cited earlier means the exposure has usually been accumulating for months before the clock even starts.
Onna's guide to detecting and remediating exposed personal data addresses the specific workflows legal and compliance teams need when personal data is at the centre of an investigation, from initial detection through to regulatory reporting.
What Effective DAM Looks Like in Practice
For organizations evaluating their data activity monitoring capability, the following features distinguish platforms that support investigations from those that only support routine reporting:
- Coverage across collaboration platforms: DAM must extend to cloud storage, messaging tools, shared workspaces, and email. Gaps in coverage become gaps in the investigation.
- Centralised, normalised data: activity logs from disparate systems need to be aggregated into a single searchable layer with normalisation across formats to ensure accurate cross-platform correlation.
- Retention aligned to investigation requirements: investigation timelines are unpredictable. Platforms must retain activity data for periods sufficient to support cases that may begin weeks or months after the relevant events.
- Audit-ready outputs: data produced during an investigation may be required as evidence. Outputs must be tamper-evident, accurately timestamped, and formatted for legal use.
- Real-time alerting with context: alerts should carry user history, data sensitivity, and access pattern context so investigators can triage quickly.
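On the audit-ready outputs point, one way to make an exported timeline tamper-evident, as an added example rather than anything from Onna's platform: every exported entry carries the SHA-256 of the previous entry's hash together with its own canonical serialisation, so editing, deleting or reordering any record breaks every link after it and verification reports the first bad position. The records are constructed and the genesis label is an assumption.

```python
"""Added example: hash-chained export of investigation records, with a verifier
that locates the first broken link. Records are constructed; 'genesis' is an
assumed label for the start of the chain."""
import copy
import hashlib
import json


def canonical(record):
    """Deterministic serialisation so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_export(records, genesis="dam-export-v1"):
    """Wrap each record with the hash of the previous entry and of itself."""
    prev = hashlib.sha256(genesis.encode()).hexdigest()
    out = []
    for r in records:
        h = hashlib.sha256(prev.encode() + canonical(r)).hexdigest()
        out.append({"record": r, "prev": prev, "hash": h})
        prev = h
    return out


def verify_export(entries, genesis="dam-export-v1"):
    """Recompute the chain; return (True, None) or (False, index of first bad entry)."""
    prev = hashlib.sha256(genesis.encode()).hexdigest()
    for i, e in enumerate(entries):
        expected = hashlib.sha256(prev.encode() + canonical(e["record"])).hexdigest()
        if e["prev"] != prev or e["hash"] != expected:
            return False, i
        prev = e["hash"]
    return True, None


# Constructed timeline entries (not real data).
SAMPLE = [
    {"ts": "2025-03-04T22:30:00Z", "user": "jlee@corp.example", "action": "download",
     "obj": "doc-001", "device": "unmanaged"},
    {"ts": "2025-03-04T22:41:00Z", "user": "jlee@corp.example", "action": "send",
     "obj": "attachment:48000000B", "recipient": "jlee.home@mail.example"},
    {"ts": "2025-03-04T22:50:02Z", "user": "jlee@corp.example", "action": "file_share",
     "obj": "contracts.zip", "channel": "ext-partner"},
]


def demo_tamper():
    """Quietly shrink the exfiltrated attachment in a copy of the export and show
    that verification fails exactly at that entry."""
    exported = chain_export(SAMPLE)
    assert verify_export(exported) == (True, None)
    tampered = copy.deepcopy(exported)
    tampered[1]["record"]["obj"] = "attachment:120B"
    return verify_export(tampered)


if __name__ == "__main__":
    print("intact export:", verify_export(chain_export(SAMPLE)))
    print("after edit:", demo_tamper())
    exported = chain_export(SAMPLE)
    print("after deleting entry 1:", verify_export(exported[:1] + exported[2:]))
```

The chain only proves integrity relative to its final hash, so that value has to be anchored somewhere the exporting system cannot rewrite: signed with a key the export host does not hold, or recorded with a trusted timestamping service or a second party at export time. Without that anchor, anyone with write access to the export can simply recompute the whole chain after editing it, and the "tamper-evident" label is decorative.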
Security incidents are not discovered by accident in organisations with mature data activity monitoring. They are identified through continuous observation, surfaced through anomaly detection, and investigated through a structured evidence layer that supports both internal decision-making and external accountability.
The 246-day average identify-and-contain window is not inevitable. It is the product of fragmented visibility and reactive workflows. Organisations that treat data activity monitoring as operational infrastructure rather than a compliance checkbox recover faster, demonstrate controls more credibly, and close investigations with better outcomes.
Ready to strengthen your investigation capability? Contact the Onna team to learn how a unified collaboration data platform can give your security, legal, and compliance teams the visibility they need to detect, investigate, and respond with confidence.

