IBM Security QRadar Reviews

Our primary use case is in the banking industry in two banks here in Egypt. We generally are monitoring the user behavior of the employees, For example, working after working hours, and signing into the machines after working hours.

The most valuable feature is the machine learning module.

I would like to see the interface improved along with the tuning and any adjustments when it comes to maintenance. It is not straightforward. I would also like to see some artificial intelligence and alternative solutions.

I have been using IBM QRadar User Behavior Analytics for almost five years now.

I would give stability an eight on a scale of one to ten.

The scalability is not a problem and we have above three thousand in our organization.

The initial setup is extremely easy and straightforward.

The deployment took around two to three days and we did it ourselves in-house. We simply downloaded the application and went from there following the deployment process.

We are seeing a return on investment when it comes to profiling the employees.

The pricing is higher but cheaper than others and there are no additional costs.

We looked at ArcSight but the cost is more expensive than IBM. ArcSight did have the artificial intelligence model.

I would recommend tuning it to the maximum before going live. I would rate IBM QRadar User Behavior Analytics a seven on a scale of one to ten.

We are using it for visibility and compliance.

The visibility it gives you into your infrastructure has been great.

The notifications it provides offer valuable information when something is happening in your blind spot.

The AI engine could be smarter. 

It is a bit expensive. 

I've used the solution for about three years. 

The solution is stable. I'd rate it five out of five. It's very reliable. There are no bugs or glitches. It doesn't crash or freeze. 

The solution scales well, and it's easy to do. I'd rate it five out of five in terms of the ease of scalability. 

We have a lot of users on the solution currently. We have customers on the product as well. There are likely more than 500 users inside and outside the organization. 

Support has been helpful and responsive. There may sometimes be a delay. However, they do get you the information you need. 

Positive

We've only ever used IBM. 

The setup is a bit complex. I'd rate it two out of five in terms of ease of deployment. It took us a week to get everything up and running. 

We had two engineers working on deployment and maintenance. 

We handled the solution in-house. We did not need outside assistance. 

We've seen a good ROI. I'd give it a five out of five. 

It's a bit pricey as a product. I'd rate it a two out of five, with five being the most affordable. It depends on what you buy; the longer you use it, the better the cost. It's an all-inclusive license. You don't need to pay for extra features. 

We did look at a few other options. 

We use the solution inside our organization. Our clients use it too. We are a premium partner in our region. 

We're using the latest version of the solution.

I'd rate the solution nine out of ten. It really provides good visibility.

We use the blocking mode and spam mode for the IPS - XGS 5000 series and use of QRadar as a SIEM Solution for logging and monitoring network security, security analysis, and monitoring for network-related attacks. 

The playbook is defined with identified use cases. IPS acted as an inline to the firewall. It helped to track and sniff the packet and match the details. It helped to reduce the insider and outsider attacks. The traffic is analyzed and helped users to know the patters and access level in the network and resource being used.

It helped our organization to identify and prevent security attacks.

We need to come with new releases and understand what will happen and how the customer will be able to manage and update the system what are ways in which user behavior and access to various resources in the network could be tracked and alerted in more robust manner. 

There needs to be proper patch management which is done in a controlled environment with a proper newsletter update. The new releases from the company in terms of product and services needs to be updated to product managers in organization.

The monitoring and dashboards are great. 

The user behavior analysis could be better. The playbook guide which specifies the rules for security use cases needs to be provided to support in case the organization needs help. The security playbook needs more help when it comes to QRadar. The QRadar implementation guide, especially in cluster environment, is complicated to deploy in an enterprise level. The support of SIEM of QRadar is complicated and when we encounter implementation issues it needs quick response. The skilled resources are really important for support.

I have deployed the solution for 230 sites across globe using for past seven years.

There is a Pulse dashboard that they have. From a reporting perspective, we'll be creating dashboards based on the pulse functionalities. 

There are other third-party plugins that we can use as well. We can initiate in the QRadar platform, however, Pulse is one of the most user-friendly options. 

Along with that, there are out the box rules and out the box dashboards that we have available to us. Mostly what we are concentrating on is creating the rules and fine-tuning the rules to align properly with the customer infrastructure depending upon the customer's requirements. Pulse, UEBA, and NBAD are the features that are the best. They are the most useful from a SOC manager perspective.

The AQL queries could be better. With the queries, there's an option for you to create dashboards based on the queries that they have. The documentation that is available for AQL queries is not well received. They could maybe look at how Microsoft is leveraging AQLs from a Sentinel perspective and create more documentation and training materials and make those more available to the general public.

They have to facilitate more learning opportunities. Microsoft has something called Playground where you have some sample logs and where you can learn how to work on all this stuff, however, there is nothing like that for IBM. They really could make it more generalized and accessible to the general analyst population.

Technical support should be improved.

In terms of QRadar, I've used it for close to two years. I worked for a customer that is a managed security service provider. What we do is we will provide SOC as a service and QRadar. IBM is one of the partners that we have. Depending upon the customer considerations and customer preferences, we will either engage QRadar or Sentinel according to the customer preferences. Splunk and LogRhythm we also use on an as-needed basis. 

What they have claimed is 99.5% uptime. However, I'm not very sure whether there's an implementation problem or not. Sometimes the system gets hung and then we have to restart everything from the scratch. You have got these multi printing options, though not functionally. Sometimes it gets some jitters there. Sometimes there are cases where we are finding it very difficult to get into the system as there can be three or four people logging into the same platform at the same time and sometimes the reduces the speed a lot.

From an architect implementation perspective, the role that I have played is very limited. I'm not very sure about scaling. I'm not in a position to comment on that part. That said, once everything is implemented, I've noted that it's not as scalable as Sentinel or Splunk on the cloud, for sure. That is the same for LogRhythm and QRadar. Obviously, cloud-hosted applications will be more scalable and more resilient.

Technical support is something that has always been an issue for us. We have to raise a ticket and the products team will be available, however, depending upon the criticality, sometimes the support is not very easily accessible on weekends and on Friday evenings.

I've also worked with Sentinel, Splunk, QRadar, and LogRhythm. 

Compared to Sentinel, the initial setup is a bit complex. Depending upon whether you're going ahead with the cloud version or on-prem version, there is human involvement, however, normally everything is done by the platform engineer. I don't have to get my head into that part. Once everything is up and running, that is when we have to start working from our side. I'm sure it is more complex than a plug-and-play Sentinel, where connectors are easily available and just have to click, click and get things done.

The administration and maintenance would be two or three people depending upon the availability. I'm not very sure about troubleshooting. I'm coming at the solution from a user perspective. I'm more concerned with the rule fine-tuning and rule-building part. That kind of troubleshooting will be done with the platform team, which specializes in that. 

Licensing is mostly dependent on the EPS, events per second. Depending upon the number of products that are integrated with the platform, we have to come to an optimal EPS value. I'm not very sure about the financials, however, the licensing cost cannot be as much as that for Sentinel, which is not very low. For customers who need medium EPS values, we advise QRadar.

The basic out the box cost covers, the EPS value that you have specified, and then some archiving maybe. It should include at least six months of archiving and other functionalities. Most of the customers will go for the standard package and we don't have to go for extra archival or enhanced DPS. 10% to 15% of DPS can always be increased. It will not completely shut down the system, however, it'll start sending us notifications that the DPS is getting increased and then we can go for a higher licensing.

The version we use depends on when the customer is onboarded. Whenever recent onboarding takes place, we use the most up-to-date versions. However, there are customers that we have been facilitating for the past two or two and a half years and they might be using the previous versions. There are proper version upgrades that happen on a quarterly basis. 

I'd rate the solution seven out of ten.

To be very frank, it's not that much help as of now. We are not getting that many insights from UVA, which we wanted, actually. As of now, we are exploring that UVA, and we have installed it. It's still quite new.

The initial setup is straightforward. 

The solution is still new to us. Currently, it's a work in progress with this. I'm not in any particular condition to tell what exact improvements are required. I will let a few more months go by before analyzing the overall UBS solution QRadar to get to know and final understanding of this particular application.

There are a lot of things that require modification. That's my initial observation, however, I need more time and a few more months to get to know it and get a final understanding of the solution as a whole.

I want a reduction of false positives. I want crisp true positive incidents out of it. I want to see proper user behavior. Whatever algorithm is working in the background, that algorithm should produce accurate, true positive incidents and not false positives.

We are using QRadar as an appliance for the last four years, however, we recently, for the last six months, started using UBS.

I'm not sure about the stability just yet. We've observed a few issues and we raised a supporting ticket for it.

The scalability is very good. It's not a problem.

Technical support has been very supportive. We're largely satisfied with them.

Positive

The initial setup is straightforward and simple. It's not very complex. 

We are using multiple features in QRadar. UVA is just one feature. We have overall 14 data nodes and we are almost 2,500 GB of data integrated with it and we are using multiple applications in QRadar. We have a nine-member team that manages the overall QRadar architecture, not only UBA.

We did a direct integration.

I'm an architect. Normally costs and licensing are handled by senior management.

For UBA, they haven't asked for any extra charges or anything. It's included in the licensing.

We're an IBM partner. We have platinum support with IBM.

We have segregated our data between on-prem and the cloud. All the on-prem data we have integrated with the QRadar. QRadar itself is an on-prem solution. We have QRadar hardware with us.

At this point, I would not recommend the solution to others. 

I'd rate the solution a six out of ten.

Currently, we are using only Amazon Web Services for monitoring. We have CloudTrail, GuardDuty, Avast, and some Kubernetes security we have installed on Amazon AWS. By getting these logs, we have created the uses for these components.

I have used IBM QRadar User Behavior Analytics in a Cloud Pak on Amazon, and there it runs on top of it and is easy to assess. Additionally, I have installed processes and characters.

The most useful feature of IBM QRadar User Behavior Analytics is the User Behavior Analytics aspect. For example, whoever logs into the Amazon AWS to the interface, if someone is logging in for the first time that the administrator has created, or someone is logging in, we receive an email notification saying that they have logged in, we need to check. Based on that, we will start checking to see if the visit was a valid one or a malicious one. Even if we only have a few users, such as 25 to 30 Amazon AWS records.

Whenever we are upgrading or installing any type of patch, at that time we have some delays. 

 Sometimes by mistake, AWS has migrated some other accounts to my enrollment. At that time, we receive a notification special for that. We have created one rule and a case. We receive a notification and we are informed that the Amazon AWS team, sent an email apologizing for this happening. They have confirmed that going forward we will not receive this type of account modification issue. They have sent an email to us. 

If you are searching for three to four months back it takes and there is a time delay. If I compare it to Splunk, it is a little bit delayed. It is because Splunk is using Elasticsearch, while IBM QRadar User Behavior Analytics uses a normal one. For example, if Splunk takes two minutes, it will take IBM QRadar User Behavior Analytics approximately three minutes.

I have been using IBM QRadar User Behavior Analytics for approximately seven years.

I have used many other solutions previously, such as Splunk and McAfee SIEM tool.

The initial setup of IBM QRadar User Behavior Analytics is straightforward. We only have to activate a few aspects. We directly installed our process characters, and an all-in-one setup with it to do the installation. The deployment took use 30 to 40 minutes. However, if you want to add components it will take more time.

We have seen a good return on investment with IBM QRadar User Behavior Analytics.

We pay approximately $40,000 to use the solution annually. This solution is a lot less expensive than Splunk.

I rate IBM QRadar User Behavior Analytics an eight out of ten.

We are using mixed solutions. We are currently working with IBM solutions and Azure system services. We are using two SIEM solutions: Azure Sentinel and QRadar. Azure Sentinel is covering our cloud-based solutions, and QRadar is covering our on-premise solutions.

QRadar has a lot of connectors out of the box. It has a lot of predefined and pre-deployed connectors that you can use. 

It has a lot of good correlation rules. From a customer's point of view, it is one of the best solutions because you don't need to create correlation rules from scratch. You just review them and customize them as you want. 

It supports using SQL queries. Sentinel uses KQL, but you need to learn it from scratch.

It doesn't have a SOAR system by default. You need to purchase it additionally, which is the main problem with QRadar. 

Its reporting can be improved.

I have been using this solution for approximately three years.

It is stable.

It is scalable. It works for small, medium, and large enterprises. You can have a huge SOC, and you can implement it in a big company. 

Our company has more than 5,000 assets, and we are covering them all with the QRadar system.

We are using Azure Sentinel for our cloud-based solutions. The best functionality that you can get from Azure Sentinel is the SOAR capability. So, you can estimate any type of activity, such as when an alert was triggered or an incident was found.

Azure Sentinel doesn't have many connectors for third-party SIEM solutions. Many customers are struggling with the integration of Azure Sentinel with their on-premise SIEM.

If we start to collect all logs from our on-premise SIEM solutions, Azure Sentinel will cost much more than QRadar. If we calculate its cost over the next five or ten years, it will cost more than QRadar.

You have a one-time payment, and you also can purchase it for one year as a subscription. We have it on-premise, and we have a permanent license for it. We have to pay for the support on a yearly basis.

If you compare its cost with Sentinel for one year, QRadar would seem more expensive, but if you compare its cost over five or ten years, Azure Sentinel will be more expensive than QRadar.

I would recommend purchasing a cloud-based license subscription because it doesn't have any limits on the license. You can easily install it in a cloud environment. This cloud pack can be integrated with different types of SIEM solutions. So, you can use one management console to query all of the SIEM systems that you are managing. It is like having one window to manage your SOC. For example, a SOC can operate, manage, or provide services for different types of companies, and all these companies can have different types of SIEM solutions. With the cloud subscription of QRadar, you can cover all companies, which is good in my opinion.

I would recommend both QRadar and Azure Sentinel. It depends on the use case of a customer and the environment that they are using.

I would rate QRadar a seven out of ten. 

We are a product-based organization. We use this solution for a shared SOC service and security audits and compliance.

There are a lot of features in QRadar. App Exchange is the most valuable feature. User behavior analytics (UBA) is also a very good feature. Watson is also there, but we are not currently using Watson.

It is versatile and quite easy. It also has an all-in-one-box feature and good integration with AWS. 

SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar.

It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want. 

If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment.

It is stable. There are no incidents when SIEM completely stopped. 

I have expanded it. It is very good in terms of scalability. Because it is on the cloud, it can be scaled anytime. If I want to increase my CPU's RAM, I can do it. At any point in time, if I want to get additional licenses, I can just call support, and they will provide that.

I have around six customers who are using QRadar in a shared model. We do have plans to increase its usage. We are looking after different customers, and when they're ready, we can integrate it.

They are good and responsive. However, because of COVID, of late everyone is working from home, and sometimes, their response has been a little bit slow for incidents. They did apologize for that.

It is straightforward. AWS has a feature called Marketplace in its environment. When we click it, we can load it directly. It doesn't take more than two to three days to completely deploy the infrastructure. 

They can give us some scalability and flexibility on pricing. If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment and grow business in the market. If I start a license today and take around 10,000 EPS, and after a month, there is an increase in the number of clients on my platform, I can increase the number of licenses. I can add 5,000 EPS on a yearly basis.

We chose QRadar over McAfee ESM.

It has good integration with AWS. AWS has come up with a Marketplace click-in option that provides direct integration between your AWS and data centers or cloud solutions through a small VPN. It allows you to bring up small environments with 5,000 EPS or 6,000 EPS or even 3,500 EPS or 2,500 EPS very quickly. It is very flexible and not at all tough for a startup engineer to click and bring solutions inside. It is quite easy.

I would rate IBM QRadar an eight out of ten.