Often it is relatively easy to setup your QRadar and maybe integrate some of your logsources. Then of course you expect some alarms popping up after some time but it seems to be just sitting there doing nothing. Of course you can look at log activity and 1000s of events are coming in but what about the many default policies being promised? What about security in general? The security dashboards are still empty...
a week ago when publishing the new 7.5.0 CE setup guide I promised to add some tips on custom rule editing in here. It has become a 15 page presentation i.e. its not a complete guide but includes many tips and tricks plus two slides including URLs where else to go.