You should add a capability to track specific types of behavior. For instance, I would like to use SIEM to track when my clients move a large amount of data at one time. This can indicate malicious intent in some cases and we would like to be alerted to this when it happens.