How would you go about doing the above? Internal investigation, no need for court admissible evidence.
Given: A private device (cell data) has been used to break into multiple accounts with predictable passwords on a cloud platform.
Same perp has also used a device on local network to do same (similar cluster of break-ins, likely same perp). Cloud side just shows my company IP, so it’s a mix of all users, but timestamp and behavior show it’s highly likely same person, perhaps through an office-owned device in this case.
I have access to WLAN controllers, routers, firewalls.
Tips, ideas?