Your company operates a popular gaming service where instances are deployed with private IP addresses, and external access is facilitated through a global load balancer. Suspecting a potential malicious actor, you seek to identify them while minimizing disruption to legitimate users. What should you do?