IBM QRadar Use Case Manager provides several ways to tune your QRadar environment.
Tune Your QRadar Offenses by Analyzing Rules That Cause the Biggest Number Of Offenses
Tune most active rules
QRadar Use Case Manager can help you determine which rules generate the most offenses, and then guide you through the steps to tune them.
Tune based on the CRE event report
The Custom Rules Engine (CRE) event report shows which CRE events were generated most often. It also provides information about the rule activity. You can tune these rules or use the event information from the report to update your QRadar environment.
Tune Your QRadar Offenses by Going Through the Most Common Configuration Steps
Review network hierarchy
Network Hierarchy is used to define which IP addresses and subnet are part of your network. Defining your network hierarchy and keeping it up-to-date is an important step in helping prevent false offenses.
Review building blocks
Rules use information about your servers to determine whether to generate the rule responses. Review and update common rule building blocks to enable QRadar to discover and classify more servers on your network, and prevent false positives.