I believe it would be a great value for the LEM database to collect NAT information so that one can identify who traffic is originating from. The LEM would need to track the internal (private) IP that is associated with a public IP address and port number at a specified date and time. Tracking the associated user of the private IP would be an even bigger plus. This type of forensic information is essential in investigating copyright violations and other security issues.
Currently, the LEM discards (Cisco ASA firewall) syslog information about NAT builds and teardowns. At least there is a workaroundm which is to enable the raw log collection. However, this consumes are great deal of storage and isn't as readily searchable. Adding this functionality would help the LEM become a better security tool.