IBM Security QRadar Reviews

The primary use case of this solution is to help customize the workflows and dashboards for our clients in a secure manner.

The solution has helped improve our organization by providing the comfort and visibility that we are, meeting compliance, and doing our due diligence in analyzing events from multiple sources and correlating threat activity. 

The most valuable features are the AI assistant, which is good at detecting known types of behavior. The solution can analyze different logged events, and network activity and create a correlation. The solution is easy to customize and tune compared to other products.

The solution can be improved by lowering the cost and bettering their technical support.

I have been using the solution for three and a half years.

The stability of this solution is rock solid, a ten out of ten.

The solution appears to be scalable. I have used the solution in organizations with users ranging from 2000 to 10,000.

The technical support eventually gets the job done.

Positive

Depending on what the client is looking for I have used and recommended ArcSight, Splunk, and Cisco.

The initial setup is in-between straightforward and complex. Any SIEM solution is complex, but compared to other products, it is the middle of the road. It's not as difficult or cumbersome, especially when you compare it to ArcSight being the most difficult where you require a whole team of people to really derive any value.

Most of our clients have seen a return on investment because compared to other solutions it does not require a busload of people to operate it and it is reasonably priced.

The solution is costly and the price differs depending on the vendor you use.

I give the solution an eight out of ten.

The solution is fairly easy to maintain and the learning curve is reasonable compared to other products to customize the workflow dashboards and get meaningful insight as far as what is happening within our organization. The solution is also fairly straightforward to integrate with different data log sources.

The solution requires three to five people to maintain including one analyst, an engineer, and an architect.

I suggest before using the solution you know what your process is, know what your logging sources are, and plan well because It's really a leadership challenge. The solution is better deployed than other models.

Our company includes 20 senior engineers and analysts who use the solution to detect viruses on Windows servers and critical assets.

We also track user activity such as connections during travel. 

We have many use cases and playbooks in our portfolio. 

Our company uses the solution as our main CM to detect malicious activity. There are many campaigns targeting Europe and other countries so it is important that we remain vigilant about suspicious activity inside our organization. 

The solution uses rules to identify suspicious activity that needs to be investigated. We conduct advanced forensic investigations based on the solution's output, including collecting logs from devices and correlating them for processing by a security analyst. 

Blocks of predefined conditions can be used to configure detection rules without having to write complicated script. 

Real-time detection is quite efficient and valuable. Other products such as Splunk focus only on running searches to detect a particular behavior.

The Vulnerability Manager module is useful and quite efficient. 

The dashboard and reports are not user-friendly or efficient so are of little help with threat hunting activity. We deal with large data sets so need to have great visibility for detection of malicious activity and indicators for cybersecurity. 

For example, the dashboards for Power BI and Splunk are very efficient and it is easy to observe suspicious activity. 

I have been using the solution for five years.

The solution is stable and easy to use if deployed well.

On occasion, you might get an error when running advanced analytics but reboots are not needed. 

The solution is scalable and it is easy to add appliances or expand your license. 

Engineers used technical support regularly between 2016 and 2019 and found them to be very helpful and responsive. If a situation was urgent, technical support intervened immediately. 

I rate technical support an eight out of ten. 

Positive

I used the solution, switched to Splunk, then switched back to the solution. 

The ease of setup is based on the complexity of your environment and network architecture.

The initial setup is not complicated and should go smoothly if you set all predefined requirements prior to installing the solution.  

It took us two weeks to prepare all requirements and a few hours to deploy which included installing all resources. 

Documentation for the installation process is pretty straightforward. 

An in-house team that handles integrations was responsible for implementing the solution. Myself and other cybersecurity analysts participated with the team.

A team of three engineers handle ongoing maintenance for our large environment. 

The solution has a licensing model that is based on events per second so it scales to need and budget. 

At the time of deployment, we were premium partners with IBM so received advantageous pricing. 

The on-premises solution and its license are not impacted by the number of users so it is easy to add staff. 

In my experience, Splunk is efficient because it is customizable. You can create scripts to detect multiple behaviors based on scheduled jobs. 

I rate the solution a seven out of ten because it is difficult to write script for advanced detection cases and the dashboard is insufficient. 

We use the blocking mode and spam mode for the IPS - XGS 5000 series and use of QRadar as a SIEM Solution for logging and monitoring network security, security analysis, and monitoring for network-related attacks. 

The playbook is defined with identified use cases. IPS acted as an inline to the firewall. It helped to track and sniff the packet and match the details. It helped to reduce the insider and outsider attacks. The traffic is analyzed and helped users to know the patters and access level in the network and resource being used.

It helped our organization to identify and prevent security attacks.

We need to come with new releases and understand what will happen and how the customer will be able to manage and update the system what are ways in which user behavior and access to various resources in the network could be tracked and alerted in more robust manner. 

There needs to be proper patch management which is done in a controlled environment with a proper newsletter update. The new releases from the company in terms of product and services needs to be updated to product managers in organization.

The monitoring and dashboards are great. 

The user behavior analysis could be better. The playbook guide which specifies the rules for security use cases needs to be provided to support in case the organization needs help. The security playbook needs more help when it comes to QRadar. The QRadar implementation guide, especially in cluster environment, is complicated to deploy in an enterprise level. The support of SIEM of QRadar is complicated and when we encounter implementation issues it needs quick response. The skilled resources are really important for support.

I have deployed the solution for 230 sites across globe using for past seven years.

There is a Pulse dashboard that they have. From a reporting perspective, we'll be creating dashboards based on the pulse functionalities. 

There are other third-party plugins that we can use as well. We can initiate in the QRadar platform, however, Pulse is one of the most user-friendly options. 

Along with that, there are out the box rules and out the box dashboards that we have available to us. Mostly what we are concentrating on is creating the rules and fine-tuning the rules to align properly with the customer infrastructure depending upon the customer's requirements. Pulse, UEBA, and NBAD are the features that are the best. They are the most useful from a SOC manager perspective.

The AQL queries could be better. With the queries, there's an option for you to create dashboards based on the queries that they have. The documentation that is available for AQL queries is not well received. They could maybe look at how Microsoft is leveraging AQLs from a Sentinel perspective and create more documentation and training materials and make those more available to the general public.

They have to facilitate more learning opportunities. Microsoft has something called Playground where you have some sample logs and where you can learn how to work on all this stuff, however, there is nothing like that for IBM. They really could make it more generalized and accessible to the general analyst population.

Technical support should be improved.

In terms of QRadar, I've used it for close to two years. I worked for a customer that is a managed security service provider. What we do is we will provide SOC as a service and QRadar. IBM is one of the partners that we have. Depending upon the customer considerations and customer preferences, we will either engage QRadar or Sentinel according to the customer preferences. Splunk and LogRhythm we also use on an as-needed basis. 

What they have claimed is 99.5% uptime. However, I'm not very sure whether there's an implementation problem or not. Sometimes the system gets hung and then we have to restart everything from the scratch. You have got these multi printing options, though not functionally. Sometimes it gets some jitters there. Sometimes there are cases where we are finding it very difficult to get into the system as there can be three or four people logging into the same platform at the same time and sometimes the reduces the speed a lot.

From an architect implementation perspective, the role that I have played is very limited. I'm not very sure about scaling. I'm not in a position to comment on that part. That said, once everything is implemented, I've noted that it's not as scalable as Sentinel or Splunk on the cloud, for sure. That is the same for LogRhythm and QRadar. Obviously, cloud-hosted applications will be more scalable and more resilient.

Technical support is something that has always been an issue for us. We have to raise a ticket and the products team will be available, however, depending upon the criticality, sometimes the support is not very easily accessible on weekends and on Friday evenings.

I've also worked with Sentinel, Splunk, QRadar, and LogRhythm. 

Compared to Sentinel, the initial setup is a bit complex. Depending upon whether you're going ahead with the cloud version or on-prem version, there is human involvement, however, normally everything is done by the platform engineer. I don't have to get my head into that part. Once everything is up and running, that is when we have to start working from our side. I'm sure it is more complex than a plug-and-play Sentinel, where connectors are easily available and just have to click, click and get things done.

The administration and maintenance would be two or three people depending upon the availability. I'm not very sure about troubleshooting. I'm coming at the solution from a user perspective. I'm more concerned with the rule fine-tuning and rule-building part. That kind of troubleshooting will be done with the platform team, which specializes in that. 

Licensing is mostly dependent on the EPS, events per second. Depending upon the number of products that are integrated with the platform, we have to come to an optimal EPS value. I'm not very sure about the financials, however, the licensing cost cannot be as much as that for Sentinel, which is not very low. For customers who need medium EPS values, we advise QRadar.

The basic out the box cost covers, the EPS value that you have specified, and then some archiving maybe. It should include at least six months of archiving and other functionalities. Most of the customers will go for the standard package and we don't have to go for extra archival or enhanced DPS. 10% to 15% of DPS can always be increased. It will not completely shut down the system, however, it'll start sending us notifications that the DPS is getting increased and then we can go for a higher licensing.

The version we use depends on when the customer is onboarded. Whenever recent onboarding takes place, we use the most up-to-date versions. However, there are customers that we have been facilitating for the past two or two and a half years and they might be using the previous versions. There are proper version upgrades that happen on a quarterly basis. 

I'd rate the solution seven out of ten.

Currently, we are using only Amazon Web Services for monitoring. We have CloudTrail, GuardDuty, Avast, and some Kubernetes security we have installed on Amazon AWS. By getting these logs, we have created the uses for these components.

I have used IBM QRadar User Behavior Analytics in a Cloud Pak on Amazon, and there it runs on top of it and is easy to assess. Additionally, I have installed processes and characters.

The most useful feature of IBM QRadar User Behavior Analytics is the User Behavior Analytics aspect. For example, whoever logs into the Amazon AWS to the interface, if someone is logging in for the first time that the administrator has created, or someone is logging in, we receive an email notification saying that they have logged in, we need to check. Based on that, we will start checking to see if the visit was a valid one or a malicious one. Even if we only have a few users, such as 25 to 30 Amazon AWS records.

Whenever we are upgrading or installing any type of patch, at that time we have some delays. 

 Sometimes by mistake, AWS has migrated some other accounts to my enrollment. At that time, we receive a notification special for that. We have created one rule and a case. We receive a notification and we are informed that the Amazon AWS team, sent an email apologizing for this happening. They have confirmed that going forward we will not receive this type of account modification issue. They have sent an email to us. 

If you are searching for three to four months back it takes and there is a time delay. If I compare it to Splunk, it is a little bit delayed. It is because Splunk is using Elasticsearch, while IBM QRadar User Behavior Analytics uses a normal one. For example, if Splunk takes two minutes, it will take IBM QRadar User Behavior Analytics approximately three minutes.

I have been using IBM QRadar User Behavior Analytics for approximately seven years.

I have used many other solutions previously, such as Splunk and McAfee SIEM tool.

The initial setup of IBM QRadar User Behavior Analytics is straightforward. We only have to activate a few aspects. We directly installed our process characters, and an all-in-one setup with it to do the installation. The deployment took use 30 to 40 minutes. However, if you want to add components it will take more time.

We have seen a good return on investment with IBM QRadar User Behavior Analytics.

We pay approximately $40,000 to use the solution annually. This solution is a lot less expensive than Splunk.

I rate IBM QRadar User Behavior Analytics an eight out of ten.

I'm an administrator. I have been leading the security operation center for the past four years. I have more than 12 members or SOC analysts for our 24/7 operations. I have been pitching the solutions to multiple customers, and I have also designed, implemented, and administered customer projects and completed them at the specified timeline.

We have many use cases. The most common use cases are related to insights into any threats from the inside and outside. I have also configured X-Force with QRadar, and we are getting all the feeds showing malware-based IPs, etc. I also have designed some anomaly-based rules in case anyone has logged in from outside Pakistan. Most of the rules are custom-based.

The QNI feature is the one I am very interested in, and I have also been interested in Watson. From the log analysis and the security perspective, we are able to dive deep into any of the logs and anomalies.

It is user-friendly, and it is easy to develop. If you know the architecture, what to develop, and how to get the output for your results, you can easily work with it.

I have also been working with other SIEM solutions, and I have observed that they have extensive Linux-based and Unix-based integrations. They have been able to support some of the Linux-based agents, which is useful to investigate and process the information on the Linux and Unix side.

It could have pre-defined automation and integration of all those device parameters that analysts have to share manually.

It is stable.

I would rate them a 3.5 out of 5.

It is not very difficult. I have done more than 10 deployments, and I have integrated and developed custom applications. I have also developed a Python-based script to support me with the things that IBM cannot support. I am using that script from the health check perspective. It gives me a high-level and low-level overview of QRadar with respect to the rules that have been triggered and the notifications that have been generated and how to tune them.

I would rate it an eight out of 10.

When it sends the log source, QRadar generates a lot of noise and false positives. LogRhythm logs when the alarm rules are disabled, so it doesn't generate any noise when sending the log source. I think LogRhythm's one, this one too. QRadar, we have to cure it all the time. It's only this advantage with QRadar.

I would also like to see more integration with other vendors. IBM doesn't integrate well with products from China, like Huawei. Many Middle Eastern customers are switching to Huawei from American vendors like Cisco because of the price. In most RFPs, Huawei wins because it costs less. 

IBM needs to integrate better with Huawei. I opened one case with IBM, and they told me to submit a request for enhancement so they could write the correct DSMs to integrate with Huawei. We were very disappointed. Customers who want to implement QRadar or LogRhythm need to consider all the other components. The environment needs to be homogenous to avoid problems due to a lack of integration.

My old company used QRadar, so I still use it sometimes when I consult for them. They get stuck on a few things. I also worked on vulnerability discovery. Right now, my current customers are migrating from QRadar to LogRhythm.

QRadar is built around Red Hat Linux, which is highly robust.

IBM's support for QRadar could be improved. Sometimes it takes them two days to reply to a low-priority case. However, it tasks them about 1.5 hours to respond to a more serious case. Sometimes our customer service will think it's a priority one case, so he asks me to open it as priority one, then IBM reduces it to two or three. 

We don't have any security appliances from Huawei, but they have the best technical support. We have engineers everywhere with CRM, and they call you after the problem is resolved. IBM closes the case, and that's it. It's a very restricted environment. 

QRadar is reasonable compared to LogRhythm.

I rate IBM QRadar nine out of 10. If you're going to use QRadar, you have to be familiar with it and know all the components. IBM offers free appliances, like data nodes, that offload many processes from the collectors and the processors. 

Every engineer must understand the overall portfolio to add some value to the solutions. If a solution isn't integrated with other solutions, they are only collectors. You need to tune the rules and be up to date with the Mitre Att&ck framework all the time.

QRadar is our SIEM solution. Our use cases include authentication between logins, database security, monitoring, and user behavior analytics.

QRadar is helping us to identify ongoing, day-to-day threats. We use it to analyze the risk in our environment, including user behaviors. We can easily monitor many things using this tool.

All of the features offered by this product are useful for analysis. Essentially, everything that it offers is critical and we use it.

Several things need to be improved.

We have been struggling with the QRadar support team for quite a long time. There are things that they can reproduce in their lab environment and can fix, yet we struggled with them trying to get this done. These issues included things like custom logs. There are many things that they need to improve upon.

This product should support multiple log sources.

They need to improve their threat intelligence feed and they need to improve their user behavior analytics modules.

The risk manager module needs to be improved.

It's not a very user-friendly interface.

I have been working with IBM QRadar for seven years.

IBM QRadar is quite stable.

We have approximately 50 users and we keep expanding its usage. It is growing on the infrastructure level, as well as the EPS level.

Three or four administrators are all that is required for the maintenance.

I recommend this product for large enterprises.

We have had a lot of trouble with technical support. As of late, they take too long to respond to our issues. For 99% of our issues, they take too long to respond. It's not instant.

I do not have any experience with other SIEM solutions. QRadar is the first one for me.

The initial setup is complex because it is not managed properly.

Our implementation strategy is based on it being a distributed environment.

We completed the implementation and deployment ourselves.

We did not evaluate other options prior to selecting QRadar.

This is a good product for large enterprises. Smaller companies should implement an open-source solution but for a large enterprise, QRadar is a good product.

I would rate this solution a seven out of ten.