1. Identify the internal host(s) and user generating the large volume of data transfer.
2. Identify the application transport used for data transfer.
3. Review traffic logs in the perimeter firewall and understand the type and volume of data transferred outbound.
4. Review any local logs or evidences to determine the files/directories moved outside.
5. if a DLP solution is used, check logs to validate if any data violates the organization policies.
If any privacy regulations applies to your organization, engage your Privacy and Compliance office for an internal investigation to find if any sensitive files were sent out of the company network.