You should ask them for information contained in the list below. The IDS team may have all of it, or just act as a group that feeds into another team that does the analysis.
- Number of alerts, sorted by severity (high, medium, low) and by probe (You should have a numerical naming structure for all probes so you can quickly identify where the data is coming from.)
- Number of high alerts that have been resolved
- List of high alerts that are still pending investigation, including priorities
- List of known false positives
- Planned changes to signature base to deal with false positives and new signature releases
- Overall network diagram showing placement of IDS probes (This changes frequently, so including it in a monthly report helps you understand where you are getting data from.)
Note that "Number" just means a count. "List" indicates that we want a simple description of each issue.
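The rollup the list above asks for is easy to script once the alert export is consistent. The following is an added example, not code from the original column or from any IDS product: it assumes alerts are exported as CSV with the columns shown, that every probe carries a two-digit numeric ID in its name (the `IDS-NN` scheme is an assumption), and that the export already marks resolved alerts, assigned priorities and known false positives. The sample export is constructed for the example.

```python
"""Monthly IDS report rollup over a constructed alert export (added example)."""
import csv
import io
import re
from collections import defaultdict

SEVERITIES = ("high", "medium", "low")
# Assumed numerical probe naming scheme; reject anything that does not follow it
# so a renamed or mislabelled probe cannot silently skew the per-probe counts.
PROBE_RE = re.compile(r"^IDS-\d{2}$")

# Constructed sample export for this example (not real alert data).
SAMPLE_CSV = """\
alert_id,probe,severity,signature,status,priority,false_positive
1001,IDS-01,high,ET EXPLOIT SMB overflow,resolved,,no
1002,IDS-01,high,ET SCAN Nmap,open,P2,no
1003,IDS-02,medium,ET POLICY DNS tunnel,open,,no
1004,IDS-03,low,ET INFO HTTP long UA,open,,yes
1005,IDS-02,high,ET WEB SQLi,open,P1,no
1006,IDS-03,high,ET TROJAN beacon,resolved,,no
1007,IDS-03,medium,ET INFO HTTP long UA,open,,yes
1008,IDS-01,low,ET SCAN SSH brute,resolved,,no
1009,IDS-02,high,ET EXPLOIT SMB overflow,open,P3,no
"""


def load_alerts(text):
    """Parse the CSV export and validate probe names and severities."""
    alerts = list(csv.DictReader(io.StringIO(text)))
    for a in alerts:
        if not PROBE_RE.match(a["probe"]):
            raise ValueError(f"probe {a['probe']!r} does not follow the numeric naming scheme")
        if a["severity"] not in SEVERITIES:
            raise ValueError(f"alert {a['alert_id']} has unknown severity {a['severity']!r}")
    return alerts


def counts_by_severity_and_probe(alerts):
    """Return {probe: {severity: count}}, listing every severity even when zero."""
    table = defaultdict(lambda: {s: 0 for s in SEVERITIES})
    for a in alerts:
        table[a["probe"]][a["severity"]] += 1
    return dict(table)


def resolved_high_count(alerts):
    """Count of high-severity alerts marked resolved this period."""
    return sum(1 for a in alerts if a["severity"] == "high" and a["status"] == "resolved")


def pending_high(alerts):
    """High alerts still open, highest priority first (P1 before P2); unprioritised last."""
    pend = [a for a in alerts if a["severity"] == "high" and a["status"] != "resolved"]
    return sorted(pend, key=lambda a: (a["priority"] == "", a["priority"], a["alert_id"]))


def known_false_positives(alerts):
    """Signatures flagged as false positives, with the probes that raised them."""
    fps = defaultdict(set)
    for a in alerts:
        if a["false_positive"] == "yes":
            fps[a["signature"]].add(a["probe"])
    return {sig: sorted(probes) for sig, probes in fps.items()}


def render_report(alerts):
    """Render the report sections as plain text."""
    lines = ["Alerts by probe and severity:"]
    for probe, counts in sorted(counts_by_severity_and_probe(alerts).items()):
        lines.append(f"  {probe}: " + ", ".join(f"{s}={counts[s]}" for s in SEVERITIES))
    lines.append(f"High alerts resolved: {resolved_high_count(alerts)}")
    lines.append("High alerts pending investigation:")
    for a in pending_high(alerts):
        lines.append(f"  [{a['priority'] or 'unprioritised'}] {a['alert_id']} {a['probe']} {a['signature']}")
    lines.append("Known false positives:")
    for sig, probes in sorted(known_false_positives(alerts).items()):
        lines.append(f"  {sig} (seen on {', '.join(probes)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(load_alerts(SAMPLE_CSV)))
```

The validation in `load_alerts` is the part worth keeping when adapting this: a probe that does not match the naming scheme fails loudly instead of producing a stray row in the per-probe table, which is exactly how mis-attributed alert counts creep into a monthly report.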
Hope this helps.
For more information on this topic, visit these other SearchSecurity.com resources:
News & Analysis: Software takes holistic approach to detecting security glitches
Infosec Know IT All Trivia: Intrusion detection
Scheier's Security Product Roundup: Vendors struggle to provide common view of security events
This was first published in January 2003