I am a Product Manager. I am managing the inventory and the logs. For R&D purposes, we downloaded various SIEM solutions from the internet to analyze their performance, and QRadar was one of them. I downloaded the Community Edition of QRadar to check its capabilities and see how to integrate various log sources in our network. It is in my lab, and I have tested it with a few hardware devices and a few computers and servers.
What I like the most about it is that you can very easily install and configure it. As compared to other SIEM solutions, for which you need to know and do a lot more to prepare your SIEM environment, QRadar is much simpler to install and configure. There are various options in the Admin console. In the Admin tab, you can design dashboards and view various graphs. It has a lot of attractive features, and you don't need to configure everything on your own.
I have noticed a few things while working on this. After the restart of the server, sometimes, the services misbehave, and you need to manually start or restart the service. I have seen that specifically with the Tomcat service.
Sometimes, when you click on log sources, instead of opening the log source extension, it redirects you over the internet.
There are two types of dashboards in QRadar. One is the conventional or old one, and the other one is Pulse. The Pulse dashboard is better, but we would like to have more options in the dashboard.
Additionally, if possible, there should be a single product for SIEM and SOAR. Instead of having QRadar and Resilient separately, there should be a combined solution to benefit from both. Furthermore, there should be a built-in mechanism to configure it in the cluster mode and high availability mode.
I tested this product in the last two, three months. It is not implemented in our company.
Its installation is very simple. You can install it and configure it very easily.
We are looking at implementing a SIEM solution, and currently, we're comparing various commercial and open-source SIEM solutions. We have tested Wazuh, which is an open-source SIEM solution, but we have not finalized anything.
I would rate it a seven out of 10. It is good, but when a product doesn't behave in a good manner, it creates confusion. Its behavior isn't consistent.
We use it as a SIEM for monitoring a client's environment.
One of the most valuable features of this solution is that it is more flexible than AlienVault.
It is difficult to anticipate and understand the space utilization, so more clarity there would be great.
My company has been using this solution for two years.
It is a very stable solution.
The solution is very scalable.
The technical support is adequate.
Neutral
We currently use AlienVault for some clients and Elastic Security for others. We chose Elastic Security because we felt it was the most flexible, cost-effective solution to provide the results needed.
In certain respects, the setup of this solution is more straightforward than other solutions, but in other respects, it's more complex because it needs more fine-tuning than Splunk or AlienVault.
We implemented through an in-house team and it took about two months.
The licensing cost depends on the size of the environment it's monitoring. Everything is based on volume, as with all SIEMs. When compared to other products, the price is average or on the low side.
We evaluated several options, including Monster SIEM, Splunk, and Wazuh.
There's a lot of fine-tuning involved with this solution. When you go to a diner, and the menu has everything on it, and you can't figure out which part to look at first, it's a double-edged sword. You can do everything with this solution, which means you have to figure out which part of "everything" makes sense for your company to do.
I would rate this solution as an eight out of ten. It's a good value for money and a reliable solution, but it's heavily reliant on appropriate configuration.
