Technical Analyst at a manufacturing company with 10,001+ employees
Real User
Top 20
Real-time detection is quite efficient but the dashboard lacks important visibility for threat hunting
Pros and Cons
  • "Blocks of predefined conditions can be used to configure detection rules without having to write complicated script."
  • "The dashboard and reports are not user-friendly or efficient so are of little help with threat hunting activity."

What is our primary use case?

Our company includes 20 senior engineers and analysts who use the solution to detect viruses on Windows servers and critical assets.

We also track user activity such as connections during travel. 

We have many use cases and playbooks in our portfolio. 

How has it helped my organization?

Our company uses the solution as our main CM to detect malicious activity. There are many campaigns targeting Europe and other countries so it is important that we remain vigilant about suspicious activity inside our organization. 

The solution uses rules to identify suspicious activity that needs to be investigated. We conduct advanced forensic investigations based on the solution's output, including collecting logs from devices and correlating them for processing by a security analyst. 

What is most valuable?

Blocks of predefined conditions can be used to configure detection rules without having to write complicated script. 

Real-time detection is quite efficient and valuable. Other products such as Splunk focus only on running searches to detect a particular behavior.

The Vulnerability Manager module is useful and quite efficient. 

What needs improvement?

The dashboard and reports are not user-friendly or efficient so are of little help with threat hunting activity. We deal with large data sets so need to have great visibility for detection of malicious activity and indicators for cybersecurity. 

For example, the dashboards for Power BI and Splunk are very efficient and it is easy to observe suspicious activity. 

Buyer's Guide
IBM Security QRadar
March 2024
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
768,578 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the solution for five years.

What do I think about the stability of the solution?

The solution is stable and easy to use if deployed well.

On occasion, you might get an error when running advanced analytics but reboots are not needed. 

What do I think about the scalability of the solution?

The solution is scalable and it is easy to add appliances or expand your license. 

How are customer service and support?

Engineers used technical support regularly between 2016 and 2019 and found them to be very helpful and responsive. If a situation was urgent, technical support intervened immediately. 

I rate technical support an eight out of ten. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used the solution, switched to Splunk, then switched back to the solution. 

How was the initial setup?

The ease of setup is based on the complexity of your environment and network architecture.

The initial setup is not complicated and should go smoothly if you set all predefined requirements prior to installing the solution.  

It took us two weeks to prepare all requirements and a few hours to deploy which included installing all resources. 

Documentation for the installation process is pretty straightforward. 

What about the implementation team?

An in-house team that handles integrations was responsible for implementing the solution. Other cybersecurity analysts and I participated with the team.

A team of three engineers handles ongoing maintenance for our large environment.

What's my experience with pricing, setup cost, and licensing?

The solution has a licensing model that is based on events per second so it scales to need and budget. 

At the time of deployment, we were premium partners with IBM so received advantageous pricing. 

The on-premises solution and its license are not impacted by the number of users so it is easy to add staff. 

Which other solutions did I evaluate?

In my experience, Splunk is efficient because it is customizable. You can create scripts to detect multiple behaviors based on scheduled jobs. 

What other advice do I have?

I rate the solution a seven out of ten because it is difficult to write script for advanced detection cases and the dashboard is insufficient. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
Jacob_Koithra - PeerSpot reviewer
Project & Program manager at Shell Grp
Real User
Top 5
Good monitoring and dashboards with good blocking capabilities
Pros and Cons
  • "The monitoring and dashboards are great."
  • "The playbook guide which specifies the rules for security use cases needs to be provided to support in case the organization needs help."

What is our primary use case?

We use the blocking mode and spam mode for the IPS (XGS 5000 series) and use QRadar as a SIEM solution for logging and monitoring network security, security analysis, and monitoring for network-related attacks.

The playbook is defined with identified use cases. The IPS acted inline with the firewall. It helped to track and sniff the packets and match the details. It helped to reduce insider and outsider attacks. The traffic is analyzed, which helped users to know the patterns and access levels in the network and the resources being used.

How has it helped my organization?

It helped our organization to identify and prevent security attacks.

We need to come up with new releases and understand what will happen, how the customer will be able to manage and update the system, and what the ways are in which user behavior and access to various resources in the network could be tracked and alerted on in a more robust manner.

There needs to be proper patch management, done in a controlled environment with a proper newsletter update. The new releases from the company in terms of products and services need to be updated to product managers in the organization.

What is most valuable?

The monitoring and dashboards are great. 

What needs improvement?

The user behavior analysis could be better. The playbook guide which specifies the rules for security use cases needs to be provided to support in case the organization needs help. The security playbook needs more help when it comes to QRadar. The QRadar implementation guide, especially in a cluster environment, is complicated to deploy at an enterprise level. The support of SIEM of QRadar is complicated, and when we encounter implementation issues it needs a quick response. Skilled resources are really important for support.

For how long have I used the solution?

I have deployed the solution for 230 sites across the globe and have been using it for the past seven years.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Chetankumar Savalagimath - PeerSpot reviewer
Delivery Manager at a tech services company with 1,001-5,000 employees
Real User
Top 5 Leaderboard
Scalable and versatile with a lot of good features and good integration with AWS
Pros and Cons
  • "There are a lot of features in QRadar. App Exchange is the most valuable feature. User behavior analytics (UBA) is also a very good feature. Watson is also there, but we are not currently using Watson. It is versatile and quite easy. It also has an all-in-one-box feature and good integration with AWS."
  • "SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar. It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want."

What is our primary use case?

We are a product-based organization. We use this solution for a shared SOC service and security audits and compliance.

What is most valuable?

There are a lot of features in QRadar. App Exchange is the most valuable feature. User behavior analytics (UBA) is also a very good feature. Watson is also there, but we are not currently using Watson.

It is versatile and quite easy. It also has an all-in-one-box feature and good integration with AWS. 

What needs improvement?

SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar.

It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want. 

If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment.

What do I think about the stability of the solution?

It is stable. There are no incidents when SIEM completely stopped. 

What do I think about the scalability of the solution?

I have expanded it. It is very good in terms of scalability. Because it is on the cloud, it can be scaled anytime. If I want to increase my CPU's RAM, I can do it. At any point in time, if I want to get additional licenses, I can just call support, and they will provide that.

I have around six customers who are using QRadar in a shared model. We do have plans to increase its usage. We are looking after different customers, and when they're ready, we can integrate it.

How are customer service and technical support?

They are good and responsive. However, because of COVID, of late everyone is working from home, and sometimes, their response has been a little bit slow for incidents. They did apologize for that.

How was the initial setup?

It is straightforward. AWS has a feature called Marketplace in its environment. When we click it, we can load it directly. It doesn't take more than two to three days to completely deploy the infrastructure. 

What's my experience with pricing, setup cost, and licensing?

They can give us some scalability and flexibility on pricing. If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment and grow business in the market. If I start a license today and take around 10,000 EPS, and after a month, there is an increase in the number of clients on my platform, I can increase the number of licenses. I can add 5,000 EPS on a yearly basis.

Which other solutions did I evaluate?

We chose QRadar over McAfee ESM.

What other advice do I have?

It has good integration with AWS. AWS has come up with a Marketplace click-in option that provides direct integration between your AWS and data centers or cloud solutions through a small VPN. It allows you to bring up small environments with 5,000 EPS or 6,000 EPS or even 3,500 EPS or 2,500 EPS very quickly. It is very flexible and not at all tough for a startup engineer to click and bring solutions inside. It is quite easy.

I would rate IBM QRadar an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Artur Marzano - PeerSpot reviewer
Security Analyst at Localiza
Real User
Provides the visibility and analytics needed to detect and combat security risks
Pros and Cons
  • "The rule engine is very easy to use — very flexible."
  • "The user interface is a bit clunky, a bit hard to find what you need."

What is our primary use case?

We use this solution for deploying and integrating log sources and use cases.

We use it to generate offenses based on normal behavior and suspicious behavior from our security tools, firewalls, and other solutions.

We have applied a set of old and new rules to QRadar that aim to detect persistent abnormalities in our environments.

Within our organization, our security operations center and users from our local security team — roughly 10 to 12 users — use QRadar. We plan to expand to other areas of the company so that other people can use QRadar for different use cases. But right now only the security teams use it.

How has it helped my organization?

It's more of what it has provided for our company. We have much better visibility into our environment now. It has become much easier to create an alert for suspicious behavior, to operate on security incidents when they happen, and to drill down on specific events and figure out exactly which machines and users were involved.

What is most valuable?

I think the log search is pretty good. It's very easy to create complex searches and aggregate results and create graphics, etc. 

The rule engine is very easy to use — very flexible. We can create rules based on whatever behavior we want. It's very easy to use compared to Splunk. 

When we analyzed Splunk, that was the criteria that we looked at. Splunk was a lot more difficult to use and to create rules.

The standard rules they have are very comprehensive. There are many content packs in the apps that enrich those rules. We are still using the native rules from QRadar because there are many useful rules there. I think we're going to have a very good experience with them.

What needs improvement?

One thing one has to be aware of is that QRadar doesn't have a standard UI style, but has older (clunkier) and newer (more modern and easier to use) screens. The QRadar UI involves a lot of clicks and pop-ups to get where you want, which is certainly not the best UX, but isn't a total pain either. Although it's a bit difficult to navigate through screens at first, the UX is pretty good once you learn the "QRadar way", which takes a few weeks to master.

For how long have I used the solution?

I have been using this solution for the last three months.

What do I think about the stability of the solution?

We had some bugs and we had to handle them. They impacted our deployment timeline, but all of the bugs that we had were quickly solved by engineers from IBM. Currently, we are not fully satisfied with the stability, but the support from IBM is very good and they can solve our problems very, very quickly.

What do I think about the scalability of the solution?

There seems to be a cap-limit regarding scalability. IBM limits the amount of data you can send into the collectors, so scalability-wise it's not that optimum, because sometimes we have a resource or a machine that tends to think it gets more events per second than it actually gets. Because of how the solution is made, if we send a large number of events to these event collectors, then they will start dropping events because we can't queue them. That seems to be by design — we aren't entirely satisfied with that. In this way, IBM kind of forces their customers to buy a larger license.

How are customer service and technical support?

IBM's customer support is very good. 

We don't have any comments about community support because we don't know any communities that we can use to look up information about QRadar; however, in general, we have used IBM's documentation extensively — I think it's very useful, it's very complete, but sometimes it's a bit outdated. 

Which solution did I use previously and why did I switch?

We used to use ArcSight. I can't even begin to compare these two products because ArcSight was a solution managed entirely by our security operations center team. We didn't have full knowledge of what the solution was capable of. Now we're seeing a much larger universe with QRadar — I think it's a completely different thing. QRadar is much more capable than ArcSight.

How was the initial setup?

Deployment-wise it's pretty easy already; it took us one hour to get QRadar running, and then a couple of days later, we had full deployment. We then began onboarding log sources — the process of onboarding log sources has been almost painless for 90% of our log sources, which are from different vendors and different tools, and within a month we had about 70% of all of our relevant security logs in QRadar, generating many interesting offenses on a daily basis. So that has been very positive.

We had little interaction with QRadar during the process of onboarding log sources — most log sources were automatically discovered, their events were mapped correctly and parsed to extract relevant fields. A few log sources required manual intervention or installation of content packs, and some of IBM's DSMs were a bit outdated, but these issues were rather quick to fix within QRadar itself.

What about the implementation team?

We used a partner company here called IT.eam, which helped us with the deployment. They are very capable and professional and it's been overall a great experience.

What's my experience with pricing, setup cost, and licensing?

It's very expensive but it fits our budget. Because it's very expensive, we had to come up with ways of filtering our logs before they get into QRadar because otherwise, we'd have to buy a much greater amount of events per second, and that would be very expensive.

Splunk is virtually the same price.

What other advice do I have?

I'd recommend QRadar for security teams that are more from the IT world and not so much from the development or data-science world. I think other tools, such as Splunk, are really great too, but QRadar is natively concerned with providing security rules and use cases. If you're looking for a reliable solution for security purposes only, QRadar is probably the way to go.

Overall, on a scale from one to ten, I would give this solution a rating of eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Mohamed Elprince - PeerSpot reviewer
SOC Manager at ALEXBANK
Real User
Top 10
Highly scalable, excellent learning modules, but would like to see a better user interface
Pros and Cons
  • "The most valuable feature is the machine learning module."
  • "I would like to see some artificial intelligence and alternative solutions."

What is our primary use case?

Our primary use case is in the banking industry, in two banks here in Egypt. We generally are monitoring the user behavior of the employees. For example, working after working hours, and signing into the machines after working hours.

What is most valuable?

The most valuable feature is the machine learning module.

What needs improvement?

I would like to see the interface improved along with the tuning and any adjustments when it comes to maintenance. It is not straightforward. I would also like to see some artificial intelligence and alternative solutions.

For how long have I used the solution?

I have been using IBM QRadar User Behavior Analytics for almost five years now.

What do I think about the stability of the solution?

I would give stability an eight on a scale of one to ten.

What do I think about the scalability of the solution?

The scalability is not a problem and we have above three thousand in our organization.

How was the initial setup?

The initial setup is extremely easy and straightforward.

What about the implementation team?

The deployment took around two to three days and we did it ourselves in-house. We simply downloaded the application and went from there following the deployment process.

What was our ROI?

We are seeing a return on investment when it comes to profiling the employees.

What's my experience with pricing, setup cost, and licensing?

The pricing is higher but cheaper than others and there are no additional costs.

Which other solutions did I evaluate?

We looked at ArcSight but the cost is more expensive than IBM. ArcSight did have the artificial intelligence model.

What other advice do I have?

I would recommend tuning it to the maximum before going live. I would rate IBM QRadar User Behavior Analytics a seven on a scale of one to ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Elshaday Gelaye - PeerSpot reviewer
Lead Technical Architect at Commercial Bank of Ethiopia
Real User
It lets you filter by the source and destination IPs to get detailed information
Pros and Cons
  • "It also has a graph that shows the traffic history. I can see what happened yesterday or today. If there's an incident, I can check the traffic behavior on QRadar."
  • "QRadar's performance has room for improvement because it cannot handle the volume. I need massive amounts of logs from various devices in our existing network architecture. IBM needs to improve QRadar's capacity to handle more logs."

What is our primary use case?

We use QRadar to collect logs and monitor user activity and traffic from one network to another. The SOC team is in a room watching the logs from the tool live most of the time. 

QRadar monitors all internet activity and the output of every device configured to send a log. All traffic from various networking devices passes through the QRadar servers, and we can view it live.

We have two data centers, and QRadar is deployed in one. It comes with two physical appliances to allow failover capability. There's a management interface that binds them together, and we set up an interface for each device connected to the network that sends a log.  

What is most valuable?

QRadar allows you to filter by the source and destination IPs and see detailed logs on that. For example, if a user is trying to access a server using a malicious port like 4.5.0, I can get valuable data and take action from other devices. 

It also has a graph that shows the traffic history. I can see what happened yesterday or today. If there's an incident, I can check the traffic behavior on QRadar.

What needs improvement?

I would like to see QRadar add more integration and interoperability. For instance, we are not able to send logs from Windows servers. We can send logs to the QRadar server from network devices and other types of servers. However, we have more than a hundred Windows servers that still don't use QRadar. 

For how long have I used the solution?

Our company has been using QRadar for the last five years. We implemented it in 2017.

What do I think about the stability of the solution?

QRadar's performance has room for improvement because it cannot handle the volume. I need massive amounts of logs from various devices in our existing network architecture. IBM needs to improve QRadar's capacity to handle more logs. 

Usually, disk space is the issue. When it runs out of space, we need to stop logs from different network devices, especially the firewall, before it starts working. 

What do I think about the scalability of the solution?

It's hard for me to estimate the number of QRadar users because all of our banking traffic and user activity will pass through QRadar. At the higher end, more than 25,000 active users might use QRadar.

How are customer service and support?

I was directly involved with the IBM support team during the implementation, and we received training for some time after. The service has been excellent and supportive. 

When we needed to upgrade, our security team invited the IBM technician back, and it was very smooth. Now, they are planning to set up redundancy in our second data center. Generally speaking, the support is good, and they check in about once a month remotely. I am directly involved with them, but I hear positive feedback from the team. 

What about the implementation team?

The initial setup was configured in Linux on the server. We had a technical guy from IBM who came from Kenya. We only prepared the environment, like setting up the rack, but an IBM technician took care of the implementation. We also rely on the vendor for support and activities that require professional expertise.

What was our ROI?

I rate QRadar eight out of 10 for return on investment. We get a lot of valuable data from QRadar.

What other advice do I have?

I rate QRadar eight out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Security Administrator at Zitouna Bank
Real User
Top 20
A scalable tool useful for authentication purposes but needs to provide more product training to its users
Pros and Cons
  • "It is a scalable solution."
  • "With IBM Security QRadar, my company faced issues with the support we received for the product."

What is our primary use case?

I use IBM Security QRadar in my company for authentication of users and to block the access of a user to the internet. In my company, we have only used the basic version of the solution, and currently, we don't have a license for the product since we didn't renew it. The basic version of the solution fits my company's basic requirements.

What needs improvement?

IBM Security QRadar is not hard to implement and administrate. To serve new use cases or do the tuning and allow correlation rules, you may need training since it is necessary to know the solution. With IBM solutions, you need training to know how to use the different features of the solution. IBM needs to provide training to its users to teach them how to use the case manager and how to tune rules.

For how long have I used the solution?

I have been using IBM Security QRadar since 2020, so I have three years of experience with it. I am a customer of IBM.

What do I think about the scalability of the solution?

It is a scalable solution.

How are customer service and support?

With IBM Security QRadar, my company faced issues with the support we received for the product. Basically, my company faced problems due to the delays or mistakes made by IBM's support team.

I rate the technical support a six out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

The solution is deployed on an on-premises model.

For the product's implementation, my company took two months. To implement all log sources, my company took somewhere between three to five months.

What's my experience with pricing, setup cost, and licensing?

IBM Security QRadar is a very expensive tool.

What other advice do I have?

In the future, my company would want the cloud version of the solution and not its on-prem version.

I rate the overall tool a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
James Riffenburg - PeerSpot reviewer
Principal Cybersecurity Consultant (Architecture, Engineering, Operations) CISO VCISO at a financial services firm with 10,001+ employees
Consultant
Top 10
The solution uses AI to analyze different logged events and network activity and create a correlation
Pros and Cons
  • "The most valuable features are the AI assistant, which is good at detecting known types of behavior."
  • "The solution can be improved by lowering the cost and bettering their technical support."

What is our primary use case?

The primary use case of this solution is to help customize the workflows and dashboards for our clients in a secure manner.

How has it helped my organization?

The solution has helped improve our organization by providing the comfort and visibility that we are meeting compliance and doing our due diligence in analyzing events from multiple sources and correlating threat activity.

What is most valuable?

The most valuable features are the AI assistant, which is good at detecting known types of behavior. The solution can analyze different logged events and network activity and create a correlation. The solution is easy to customize and tune compared to other products.

What needs improvement?

The solution can be improved by lowering the cost and bettering their technical support.

For how long have I used the solution?

I have been using the solution for three and a half years.

What do I think about the stability of the solution?

The stability of this solution is rock solid, a ten out of ten.

What do I think about the scalability of the solution?

The solution appears to be scalable. I have used the solution in organizations with users ranging from 2,000 to 10,000.

How are customer service and support?

The technical support eventually gets the job done.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Depending on what the client is looking for, I have used and recommended ArcSight, Splunk, and Cisco.

How was the initial setup?

The initial setup is in-between straightforward and complex. Any SIEM solution is complex, but compared to other products, it is the middle of the road. It's not as difficult or cumbersome, especially when you compare it to ArcSight being the most difficult where you require a whole team of people to really derive any value.

What was our ROI?

Most of our clients have seen a return on investment because compared to other solutions it does not require a busload of people to operate it and it is reasonably priced.

What's my experience with pricing, setup cost, and licensing?

The solution is costly and the price differs depending on the vendor you use.

What other advice do I have?

I give the solution an eight out of ten.

The solution is fairly easy to maintain and the learning curve is reasonable compared to other products to customize the workflow dashboards and get meaningful insight as far as what is happening within our organization. The solution is also fairly straightforward to integrate with different data log sources.

The solution requires three to five people to maintain including one analyst, an engineer, and an architect.

I suggest that before using the solution you know what your process is, know what your logging sources are, and plan well, because it's really a leadership challenge. The solution is better deployed than other models.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

IBM
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user