If you don't mind me stepping in, I would say automation should be heavy here. Your SIEM-aaS shouldn't be a siloed service but (and I'll be self serving for a moment because we deliver this every day) should also deliver complimentary services such as incident response and fundamentals like "attack detection" - heck, " full operationalization" in my opinion. I should write my own post on this...but you get my point. Anton?