Buyer's Guide
User Behavior Analytics - UEBA
November 2022
Get our free report covering Securonix Solutions, Splunk, Microsoft, and other competitors of IBM QRadar User Behavior Analytics. Updated: November 2022.
653,522 professionals have used our research since 2012.

Read reviews of IBM QRadar User Behavior Analytics alternatives and competitors

Lokesh Puthalapattu - PeerSpot reviewer
Senior Marketing Specialist II at Harman International
Real User
Top 5Leaderboard
Easy to access, priced well, and straightforward installation
Pros and Cons
  • "I have used IBM QRadar User Behavior Analytics in a Cloud Pak on Amazon, and there it runs on top of it and is easy to assess. Additionally, I have installed processes and characters."
  • "Whenever we are upgrading or installing any type of patch, at that time we have some delays."

What is our primary use case?

Currently, we are using only Amazon Web Services for monitoring. We have CloudTrail, GuardDuty, Avast, and some Kubernetes security we have installed on Amazon AWS. By getting these logs, we have created the uses for these components.

What is most valuable?

I have used IBM QRadar User Behavior Analytics in a Cloud Pak on Amazon, and there it runs on top of it and is easy to assess. Additionally, I have installed processes and characters.

The most useful feature of IBM QRadar User Behavior Analytics is the User Behavior Analytics aspect. For example, whoever logs into the Amazon AWS to the interface, if someone is logging in for the first time that the administrator has created, or someone is logging in, we receive an email notification saying that they have logged in, we need to check. Based on that, we will start checking to see if the visit was a valid one or a malicious one. Even if we only have a few users, such as 25 to 30 Amazon AWS records.

What needs improvement?

Whenever we are upgrading or installing any type of patch, at that time we have some delays. 

 Sometimes by mistake, AWS has migrated some other accounts to my enrollment. At that time, we receive a notification special for that. We have created one rule and a case. We receive a notification and we are informed that the Amazon AWS team, sent an email apologizing for this happening. They have confirmed that going forward we will not receive this type of account modification issue. They have sent an email to us. 

If you are searching for three to four months back it takes and there is a time delay. If I compare it to Splunk, it is a little bit delayed. It is because Splunk is using Elasticsearch, while IBM QRadar User Behavior Analytics uses a normal one. For example, if Splunk takes two minutes, it will take IBM QRadar User Behavior Analytics approximately three minutes.

For how long have I used the solution?

I have been using IBM QRadar User Behavior Analytics for approximately seven years.

Which solution did I use previously and why did I switch?

I have used many other solutions previously, such as Splunk and McAfee SIEM tool.

How was the initial setup?

The initial setup of IBM QRadar User Behavior Analytics is straightforward. We only have to activate a few aspects. We directly installed our process characters, and an all-in-one setup with it to do the installation. The deployment took use 30 to 40 minutes. However, if you want to add components it will take more time.

What was our ROI?

We have seen a good return on investment with IBM QRadar User Behavior Analytics.

What's my experience with pricing, setup cost, and licensing?

We pay approximately $40,000 to use the solution annually. This solution is a lot less expensive than Splunk.

What other advice do I have?

I rate IBM QRadar User Behavior Analytics an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
Head of Cyber security analysis at DNV Poland Sp. z o.o.
Real User
Top 5
It has good support and works with Linux platforms
Pros and Cons
  • "It's hard for me to pinpoint any one feature that's most valuable because it is all about consuming logs and analyzing them. We started using QRadar UBA because we needed something that could analyze Linux authentication information. Other products take care of the Windows platform."
  • "I don't give it a 10 because it is something we have to request. I would love it if UBA was included out of the box like Microsoft."

What is our primary use case?

We analyze all our authentication traffic in QRadar UBA using the solution's AI module to detect and understand uncommon authentication patterns. There is also the rule logic, but we don't use that much. Instead, we mostly rely on AI to do that. In that respect, I wouldn't say we are using the product to the fullest extent because we only have the AI and what the CM is providing. We have a suite of security products, and QRadar UBA is only one source of information that we rely on.

QRadar UBA collects information on 16,000 employees in the company, including when they log in and out or when they launch applications. We have a team of 10 security analysts who go into the solution to check the alarms. IBM has set the solution up so that we only need to react to the alarms. The UBA will flag it if someone does something weird, and our security team will investigate the anomaly to see if that was valid or malicious. 

We are currently on QRoC — short for QRadar for Cloud — so it's the latest and greatest solution. It was originally on a private cloud, but we moved to the public cloud three years ago.

What is most valuable?

It's hard for me to pinpoint any one feature that's most valuable because it is all about consuming logs and analyzing them. We started using QRadar UBA because we needed something that could analyze Linux authentication information. Other products take care of the Windows platform.

What needs improvement?

Better algorithms or AI would always be appreciated, but this product does what it's supposed to do. And maybe there is something behind the scenes that could be improved, but I don't know. 

UBA is a plugin for QRadar SIEM. If we're talking about the SIEM solution as a whole, there is a lot I can talk about, but there isn't much to say about UBA as a standalone. I'm not in a position to criticize or comment on the underlying code.

For how long have I used the solution?

I have been using QRadar UBA for six years.

What do I think about the scalability of the solution?

I haven't had any problems. We have never needed to add more memory or CPU. 

How are customer service and support?

IBM technical support is excellent. 10 out of 10. IBM is highly professional when it comes to security support. IBM's support for other types of solutions isn't quite as good, but the security domain is a different world. I've worked with IBM in other areas, and it's different. Security support is on a tier by itself inside IBM. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We are also using a Microsoft solution called Azure Advanced Threat Protection. It provides similar UBA features but only for a Microsoft environment.  Most UBA products do exactly the same thing. I haven't tried many other solutions besides QRadar, Microsoft, and Splunk.

Splunk is brilliant. It does the same thing, but it's slightly more expensive, so we selected IBM. Microsoft's solution is a little cheaper, but it lacks Linux support currently. There are minor differences, but we went with IBM in this case because it has the best support.

How was the initial setup?

IBM did the setup. I called them to ask for UBA, and it was available the next day. They handled all the deployment and maintenance. 

What about the implementation team?



What was our ROI?

I have not calculated ROI for this product. QRadar UBA is a tiny part of the entire security portfolio. In the context of the SIEM as a whole, the cost is so low that it's hard to defend not doing it.

What's my experience with pricing, setup cost, and licensing?

I have no idea what QRadar UBA costs as a standalone solution because it is bundled with the QRoC security operation center and several other modules that we pay for in a big lump sum. However, I don't think that part is too expensive. It's a plugin to the QRadar SIEM that feeds off the same data. We have X-Force Threat Exchange, so IBM is operating the SIEM for us. I say to them, "I want UBA," and there it is.

What other advice do I have?

I rate QRadar UBA eight out of 10. It's a small product doing exactly what it's supposed to do as an integrated part of our SIEM. It looks good and works well. I don't give it a 10 because it is something we have to request. I would love it if UBA was included out of the box like Microsoft.

Regardless of which solution you use, I recommend user behavior analytics. It provides valuable information to the security team. It doesn't matter whether you use Splunk or Microsoft— you should use a UBA solution. 

We will probably stick with QRadar for the foreseeable future. It depends on the developments in the SIEM market. We will probably continue with IBM because changing SIEM is not something you do lightly. As long as we keep the IBM SIEM, we will continue to use QRadar UBA.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Technical Analyst at a manufacturing company with 10,001+ employees
Real User
Top 20
Real-time detection is quite efficient but the dashboard lacks important visibility for threat hunting
Pros and Cons
  • "Blocks of predefined conditions can be used to configure detection rules without having to write complicated script."
  • "The dashboard and reports are not user-friendly or efficient so are of little help with threat hunting activity."

What is our primary use case?

Our company includes 20 senior engineers and analysts who use the solution to detect viruses on Windows servers and critical assets.

We also track user activity such as connections during travel. 

We have many use cases and playbooks in our portfolio. 

How has it helped my organization?

Our company uses the solution as our main CM to detect malicious activity. There are many campaigns targeting Europe and other countries so it is important that we remain vigilant about suspicious activity inside our organization. 

The solution uses rules to identify suspicious activity that needs to be investigated. We conduct advanced forensic investigations based on the solution's output, including collecting logs from devices and correlating them for processing by a security analyst. 

What is most valuable?

Blocks of predefined conditions can be used to configure detection rules without having to write complicated script. 

Real-time detection is quite efficient and valuable. Other products such as Splunk focus only on running searches to detect a particular behavior.

The Vulnerability Manager module is useful and quite efficient. 

What needs improvement?

The dashboard and reports are not user-friendly or efficient so are of little help with threat hunting activity. We deal with large data sets so need to have great visibility for detection of malicious activity and indicators for cybersecurity. 

For example, the dashboards for Power BI and Splunk are very efficient and it is easy to observe suspicious activity. 

For how long have I used the solution?

I have been using the solution for five years.

What do I think about the stability of the solution?

The solution is stable and easy to use if deployed well.

On occasion, you might get an error when running advanced analytics but reboots are not needed. 

What do I think about the scalability of the solution?

The solution is scalable and it is easy to add appliances or expand your license. 

How are customer service and support?

Engineers used technical support regularly between 2016 and 2019 and found them to be very helpful and responsive. If a situation was urgent, technical support intervened immediately. 

I rate technical support an eight out of ten. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used the solution, switched to Splunk, then switched back to the solution. 

How was the initial setup?

The ease of setup is based on the complexity of your environment and network architecture.

The initial setup is not complicated and should go smoothly if you set all predefined requirements prior to installing the solution.  

It took us two weeks to prepare all requirements and a few hours to deploy which included installing all resources. 

Documentation for the installation process is pretty straightforward. 

What about the implementation team?

An in-house team that handles integrations was responsible for implementing the solution. Myself and other cybersecurity analysts participated with the team.

A team of three engineers handle ongoing maintenance for our large environment. 

What's my experience with pricing, setup cost, and licensing?

The solution has a licensing model that is based on events per second so it scales to need and budget. 

At the time of deployment, we were premium partners with IBM so received advantageous pricing. 

The on-premises solution and its license are not impacted by the number of users so it is easy to add staff. 

Which other solutions did I evaluate?

In my experience, Splunk is efficient because it is customizable. You can create scripts to detect multiple behaviors based on scheduled jobs. 

What other advice do I have?

I rate the solution a seven out of ten because it is difficult to write script for advanced detection cases and the dashboard is insufficient. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
Flag as inappropriate
Buyer's Guide
User Behavior Analytics - UEBA
November 2022
Get our free report covering Securonix Solutions, Splunk, Microsoft, and other competitors of IBM QRadar User Behavior Analytics. Updated: November 2022.
653,522 professionals have used our research since 2012.