You detect unapproved systems sending logs to your SIEM. What’s the most appropriate response?