Custom logs are really dependent on what each org decides to upload to the platform, so it’s kind of a difficult question to answer completely, but here goes:
Custom logs I’ve seen uploaded:
AD Security Event Log (when setting up the AD event source, check the box for all unfiltered logs)
Palo Alto Cortex
To break down use cases for each, I would suggest looking for activity from any of your log sets, custom or otherwise, that you would like to see or be notified of. Creating dashboards is a great way to see everything in one go with full customization so that you only see what interests you or your team. Should any log activity require notifications that aren’t covered by ABA or UBA, then go ahead and create some custom pattern detections for those.
Take a look at the Dashboard Card Library, in the upper right portion of the screen, when you are in the main dashboard area of IDR and see if anything there is available for you to add right away (ensure you have the logs needed in IDR to power the dashboards so they provide data).
A really popular one for AD is looking under the raw logs, if you have your domain controllers plugged in as event sources with the WMI collection method and the unfiltered log box checked in the event source config. This provides the entire domain controller’s security event log and is great for visibility on what’s going on in your Active Directory environment. A lot of users built custom pattern detections from there in order to be notified should end users be doing things they shouldn’t, or just to keep an eye on things.