Information Security Consultant at a tech services company with 51-200 employees
Although it provides incident management of the alerts it produces, this could be improved to allow more restrictions
What is most valuable?
IBM Security QRadar has many valuable features. One of the most valuable features of IBM Security QRadar is the ease of extracting information from raw logs/events, whether the log source sending the events is supported by IBM or not (for example, a custom in-house application), and using this information in creating searches, correlation rules, reports, and dashboards. Another feature is scalability; scaling up a deployment to support more events per second is made simple just by “linking” new appliances to the main deployment through configuration steps that only take minutes to complete. I do not know if I can call this a feature, but a “general” feature of QRadar is that it does not require highly technically skilled personnel to administer. The dashboards and configurations through the web UI are easy to read, understand, and change.
What needs improvement?
Although QRadar provides incident management of the alerts it produces, this area could use a little improvement to allow more restrictions on who can close alerts and easily updating alerts with and reading text templates.
For how long have I used the solution?
I have used IBM Security QRadar for nearly two years now. I use it as a user in my organization’s Managed Security Services division where we monitor clients’ environments. I also work with it as an implementer to deploy and customize it for clients.
What was my experience with deployment of the solution?
Any deployment will have issues. The issues that I encounter with deploying QRadar are raised with IBM Support and are usually solved quickly through applying patches or changing individual files to fix the web GUI issue.
Buyer's Guide
IBM Security QRadar
October 2025
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: October 2025.
872,655 professionals have used our research since 2012.
What do I think about the stability of the solution?
The causes of stability issues are usually not QRadar, but misconfigured devices/log sources (for example, sending debug events to QRadar, which results in millions of events in a short period of time). However, if a deployment is done correctly, QRadar stays stable.
What do I think about the scalability of the solution?
No, I did not face issues with scalability. One of the great features of QRadar is the ease of scalability. A license upgrade is simply done by purchasing it and applying it through the GUI, which only takes minutes. If an organization wants a larger expansion, all that it has to do is to buy the required hardware with QRadar installed, and “link” it to the main deployment through steps that also take minutes. This new hardware will provide the extra events per second or flows per minute capabilities required for the expansion.
How are customer service and support?
IBM provides support in various regions in the world. The level of technical support is good. Once a support ticket is open, the support team tries to fix it directly or passes it on to higher levels, and will involve the QRadar development team if required.
Which solution did I use previously and why did I switch?
No, I did not use a separate solution, although I have read and heard about different solutions from the various clients I have met with. Clients switch to using QRadar because they say that maintaining and administering other solutions becomes a hassle and requires trained personnel. Another reason clients switch to using QRadar is cost.
How was the initial setup?
The initial setup of QRadar is straightforward. From the installation perspective, IBM provides one ISO file that can be used to install any of the QRadar components, with the activation key deciding which components to install. From the deployment perspective, QRadar has the ability to automatically detect many log sources sending logs. The out-of-the-box dashboards, searches, reports, and correlation rules allow QRadar to start displaying intelligence and insight on devices, network statistics, authentication, and many more, and to start alerting on offenses and policy violations automatically. Coupling this with the automatically detected log sources, a demonstration of QRadar can take only a few hours from the installation, to automatically detecting a log source such as firewall logs, to getting alerts on excessive firewall denies, port scans, etc.
What other advice do I have?
The advice I would give to others is to work with the implementation team to properly fine-tune the out-of-the-box “building block rules” and to enter their network hierarchy in QRadar in order for it to give the best results and reduce false positive alerts.
Disclosure: My company has a business relationship with this vendor other than being a customer. We're a value added services security company that is a distributor of Q1-Labs QRadar (now IBM).
System Engineer (Cybersecurity) at Omgea Exim Ltd
A scalable solution with great event and flow collectors
Pros and Cons
- "The event collector, flow collector, PCAP and SOAR are valuable."
- "The solution is expensive compared to other products."
What is most valuable?
The event collector, flow collector, PCAP and SOAR are valuable.
What needs improvement?
Whenever we connect the span port, its device and health status increase the capacity level. So I suggest the mitigation of that part for IBM. Otherwise, it's a good product. We also continuously have issues with technical support because they do not have a prompt response time.
For how long have I used the solution?
We have been using IBM QRadar for the last five years.
What do I think about the stability of the solution?
I rate the stability a nine out of ten.
What do I think about the scalability of the solution?
I rate the scalability an eight out of ten. We deploy to many customers and have completed many POCs. We have a four-person team.
How are customer service and support?
The technical support is good, but they are not prompt. I rate them a five out of ten.
How would you rate customer service and support?
Neutral
How was the initial setup?
I rate the initial setup a ten out of ten. It is deployed on-premises and takes about two to three days to deploy the full environment readiness. But the device integration, rules screening and log onboarding take too long, about three to four months. The deployment was completed in-house.
What's my experience with pricing, setup cost, and licensing?
The solution is expensive compared to other products, and I rate the pricing a five out of ten.
What other advice do I have?
I rate this solution a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner/Reseller
AVP - Security at a tech services company with 501-1,000 employees
Scalable, high visibility, and good technical support
Pros and Cons
- "I have found visibility very helpful for analytics."
- "This solution is on-premise and many customers are moving to the cloud-based solution."
What is our primary use case?
IBM QRadar is typically deployed in a SOC environment for security monitoring. It is used for log and packet capturing. It has some supporting technology, such as data leakage prevention and data encryption.
What is most valuable?
I have found visibility very helpful for analytics.
What needs improvement?
This solution is on-premise and many customers are moving to the cloud-based solution.
For how long have I used the solution?
I have been using this solution for approximately one year.
What do I think about the stability of the solution?
I have not had any complaints from my clients about the stability of the solution.
What do I think about the scalability of the solution?
The solution is scalable. Our customers that are using this solution are mainly large-sized companies, such as the government.
How are customer service and technical support?
The technical support is very good.
What other advice do I have?
Nowadays cloud stack security is very good. Some of my customers are planning to build their data center over the cloud, or implement cloud-based services using some of the beneficial services, such as threat intelligence services.
I rate IBM QRadar a ten out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator
Pre-Sale Consultant (Technical) at a tech services company with 51-200 employees
Easy to set up, but we have had some problems with the networking support
Pros and Cons
- "We are using the platform version, which I like."
- "We have had problems with networking."
What is our primary use case?
We are a system integrator and IBM QRadar is one of the security and monitoring products that we implement for our clients. It is used for monitoring applications such as Windows virtual desktop access (VDA) and computer-managed instruction (CMI).
What is most valuable?
We are using the platform version, which I like.
What needs improvement?
We have had problems with networking.
For how long have I used the solution?
I have been using QRadar for about half a year.
What do I think about the scalability of the solution?
We have not tried to scale because it is installed all in one machine.
How was the initial setup?
The initial setup was easy and it took one day to install it.
What other advice do I have?
Overall, I like this product and I think that the features are good enough.
I would rate this solution a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

I am taking IBM Security Qradar exam c2150-400 early Aug 2015.