Suggestion: IDS report
Idea shared by Webio - 8/9/2023 at 10:36 PM
Proposed
Hello,

In the IDS section we have a column called Blocks in 30 Days. I noticed a few moments ago that I currently have 2 IPs blocked, which is of course fine because they were caught by an IDS rule, but I also see in the mentioned column that in 30 days those IPs were blocked 1009 times, and my question is:

Is there any place (a report, but an API would be great) where I can generate some kind of IDS report for IDS blocks, where I could easily get a list of IPs which were blocked in a given time period, so I can block them on the firewall instead of using SmarterMail resources to "catch" them with IDS rules?

Thanks

1 Reply

We would be happy with an IDS log in a format something like this:

Timestamp
Offending IP
Total Attempts
First Seen
Last Seen
Rule Broken
Data string that broke the rule
Action Taken

This would concentrate everything the IDS does into one log file. Admins like me, who see abusive IP ranges, can block them at our firewall without having to dig into multiple places to find out the account being attacked, and so forth.

We have VERY strict IDS rules -- Password Brute Force by IP gets you a year-long ban. We track the IPs and verify they are not our legitimate users having made a settings change that requires assistance - but the majority (some 200 in the list so far) are all banned because they're the types of attacks where some random IP attempts an attack - then a day later, tries again, and so forth. Currently, we have about 100 IPs a day that do this -- it's a bot net -- and we catch most of them with our EHLO blocking - but we have to have Password Brute Force that waits for 2 days counting and 3 attempts gets you banned.


The SMTP Harvesting rule is also set for a very long ban. We get servers who attempt to spam using lists of users -- checking for "valid mailboxes" or whatever -- and those bans are also highly sensitive and long term. We reject mail from over 50 "vanity domain extensions" on principle. .top .zyx .whatever (the list goes on) -- these are all nothing more than spam operations - and we block every last one of them. If you're a legit company you've got a major established TLD or are using a service to legitimately send your mail like O365 or any of the relay services.

An additional request would be to add an item in the "right click" of the IDS offender list to give us a "Copy IP" feature -- I routinely check IPs against ipinfo.io to gather information on whether I need to issue a Class "n" range block or if it's a one-off -- or even if it's one of our normal client IPs showing questionable behavior.

MailEnable survivor / convert --

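Until a built-in report or API exists, the per-IP summary both posts ask for (total attempts, first seen, last seen, rule, data string, action, filtered to a time window, then turned into firewall rules) can be produced from any per-event IDS log. The script below is an added example written for this thread, not code from SmarterMail or from either poster. The log format it parses is a constructed stand-in laid out with the fields proposed in the reply; SmarterMail's real IDS log layout is not assumed. The sample log lines, the `ids_blocklist` nftables set and the `inet filter` table are all assumptions chosen for the illustration.

```python
"""Aggregate a per-event IDS log into a per-IP block report and emit firewall rules.

Added example for the thread above. The log format is a constructed stand-in
following the fields proposed in the reply (timestamp, offending IP, rule,
data string, action); it is NOT SmarterMail's actual IDS log format.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample log (not real SmarterMail output). One event per line:
# <ISO-8601 UTC timestamp> <ip> <rule> <data string...> <action>
SAMPLE_LOG = """\
2023-08-09T10:05:12Z 203.0.113.7 PasswordBruteForceByIP user=bob@example.net blocked
2023-08-09T10:06:40Z 203.0.113.7 PasswordBruteForceByIP user=alice@example.net blocked
2023-08-10T02:15:03Z 203.0.113.7 PasswordBruteForceByIP user=carol@example.net blocked
2023-08-08T23:59:59Z 198.51.100.22 SMTPHarvesting rcpt=nobody@example.net blocked
2023-08-09T11:00:00Z 198.51.100.22 SMTPHarvesting rcpt=sales@example.net blocked
2023-08-09T12:30:00Z 203.0.113.8 DoSAttack rate=500/min blocked
2023-08-09T12:31:00Z 203.0.113.9 DoSAttack rate=120/min warned
2023-07-01T08:00:00Z 192.0.2.200 PasswordBruteForceByIP user=dave@example.net blocked
garbage line that should be skipped
"""

# A 30-day window ending at a fixed instant so the example is reproducible (assumed).
WINDOW_END = datetime(2023, 8, 10, 23, 59, 59, tzinfo=timezone.utc)
WINDOW_START = WINDOW_END - timedelta(days=30)


@dataclass
class BlockSummary:
    """One row of the requested report: per-IP totals and first/last sighting."""
    ip: str
    total_attempts: int = 0
    first_seen: datetime | None = None
    last_seen: datetime | None = None
    rules: set[str] = field(default_factory=set)
    last_data: str = ""  # data string of the most recent event


def parse_line(line: str):
    """Return (timestamp, ip, rule, data, action) or None for malformed input."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ip = str(ipaddress.ip_address(parts[1]))  # rejects junk that is not an address
    except ValueError:
        return None
    return ts, ip, parts[2], " ".join(parts[3:-1]), parts[-1]


def build_report(log_text: str, start: datetime, end: datetime, action: str = "blocked"):
    """Aggregate events with the given action inside [start, end] into per-IP summaries,
    ordered by total attempts (descending)."""
    report: dict[str, BlockSummary] = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, ip, rule, data, act = event
        if act != action or not (start <= ts <= end):
            continue
        s = report.setdefault(ip, BlockSummary(ip))
        s.total_attempts += 1
        if s.first_seen is None or ts < s.first_seen:
            s.first_seen = ts
        if s.last_seen is None or ts >= s.last_seen:
            s.last_seen, s.last_data = ts, data
        s.rules.add(rule)
    return dict(sorted(report.items(), key=lambda kv: kv[1].total_attempts, reverse=True))


def report_lines(report) -> list[str]:
    """Render the report as tab-separated text with the columns proposed in the reply."""
    lines = ["ip\ttotal_attempts\tfirst_seen\tlast_seen\trules\tlast_data"]
    for s in report.values():
        lines.append(f"{s.ip}\t{s.total_attempts}\t{s.first_seen.isoformat()}\t"
                     f"{s.last_seen.isoformat()}\t{','.join(sorted(s.rules))}\t{s.last_data}")
    return lines


def range_candidates(report, prefix: int = 24, min_hosts: int = 2):
    """Group offenders by /prefix (IPv4; /64 for IPv6) to spot ranges worth blocking whole."""
    nets: dict[str, set[str]] = {}
    for ip in report:
        addr = ipaddress.ip_address(ip)
        plen = prefix if addr.version == 4 else 64
        net = str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
        nets.setdefault(net, set()).add(ip)
    return {n: sorted(h) for n, h in nets.items() if len(h) >= min_hosts}


def nft_rules(report, table: str = "inet filter", set_name: str = "ids_blocklist") -> list[str]:
    """Emit nft commands adding each offender to an existing named set (table/set assumed)."""
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in report]


DEFAULT_REPORT = build_report(SAMPLE_LOG, WINDOW_START, WINDOW_END)

if __name__ == "__main__":
    print("\n".join(report_lines(DEFAULT_REPORT)))
    print("ranges:", range_candidates(DEFAULT_REPORT))
    print("\n".join(nft_rules(DEFAULT_REPORT)))
```

The action filter drops "warned" events so only real blocks reach the firewall list, the window filter excludes the stale July entry, and `range_candidates` flags a /24 with two separate offenders, which is the "one-off versus range block" decision the reply describes making by hand. Feed the IPs into a named set rather than individual rules so a year-long ban is a single set element with an optional timeout.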