Scenario: You're asked to provide security monitoring on logs from a bespoke system, or one that uses a technology for which there isn't much in the way of security tooling or rules already, say an API interface.

What's your approach? I guess it's going to be an 'it depends', depending on how it's deployed, right? (e.g. internet-facing). Or do you reject it and only take on logs you know have a known security value? Or keep them, but just for incident response?

#detectionengineering #detection #siem #securityquestions #blueteam #mssp