Cybersecurity: Incident Response Plan (IRP)
In the event, that an end user is showing signs of a breach and it can be confirmed that there is indeed a breach follow the organization IRP
Link to PowerDMS Policy - https://powerdms.com/link/Aspire/document/?id=2418092
While reviewing the policy and procedures be sure to communicate to senior leadership and if able cut off all access to the resource being impacted.