If a cloud security team observes unusual access patterns against a critical database from an IP address that is normally associated with legitimate activity, which security mechanism should primarily be used to analyze this anomalous behavior in depth?