reviewer2795490 - PeerSpot reviewer
Implementation at a comms service provider with 11-50 employees
Real User
Top 20
Jan 8, 2026
Automation has reduced phishing response effort but interface and dashboards still need improvements
Pros and Cons
  • "IBM Security QRadar has positively impacted my organization by enabling me to mitigate many incidents and reduce manual tasks by up to 40%."
  • "I gave IBM Security QRadar a score of six or seven out of ten because it has a very basic interface; the dashboards require extension management for better usability."

What is our primary use case?

IBM Security QRadar is primarily used for orchestration, automation, and incident response in my environment.

I use IBM Security QRadar for automation and incident response through a phishing mail playbook, where an employee sends a malicious phishing email to the SOAR inbox, and SOAR automatically generates an incident based on that email. After the incident is generated, we have created an advanced playbook that analyzes and scans the incident artifacts, extracting malicious elements in the notes. Following the identification of malicious content, another playbook sends an email notification about the findings and integrates with firewalls to automatically block the IOCs identified in the email. This is one of several playbooks we have developed.

Regarding my main use case for IBM Security QRadar, I have used most of IBM Security QRadar by integrating it with IBM Security QRadar SIEM, consolidating many IBM Security QRadar SIEM alerts in IBM Security QRadar SOAR. We have created incident types for each IBM Security QRadar alert and handle each incident carefully in IBM Security QRadar SOAR, automating incidents at an advanced level, including the use of a custom SOAR SDK to develop a custom SOAR application to meet client requirements. We have leveraged the potential of IBM Security QRadar SOAR.

What is most valuable?

The best features of IBM Security QRadar, in my experience, include multiple application integrations available through the IBM App Exchange, and I particularly appreciate the Playbook Designer feature, which allows me to design playbooks on a canvas, making it user-friendly and efficient.

The Playbook Designer in IBM Security QRadar has specifically helped my workflow by allowing the creation of advanced SOAR playbooks, with many sub-playbooks integrated into the main playbook itself. This feature enables me to create great workflows using functions, scripts, and rules tailored to client requirements, and the integration of applications enhances the feasibility of using Playbook Designer while allowing me to expand playbooks as necessary.

IBM Security QRadar has positively impacted my organization by enabling me to mitigate many incidents and reduce manual tasks by up to 40%. I have noticed a decrease in incident response time and a significant reduction in the number of manual tasks performed, leading to more efficient overall operations.

What needs improvement?

IBM Security QRadar needs to be more user-friendly; the current build is based on basic code and could benefit from updates. Making IBM Security QRadar's interface more intuitive, similar to that of Splunk, would enhance usability. Additionally, improving the installation and deployment processes to minimize setup time compared to other SIEM and SOAR tools is necessary.

I gave IBM Security QRadar a score of six or seven out of ten because it has a very basic interface; the dashboards require extension management for better usability. There should be an effort to build more effective dashboards within IBM Security QRadar itself without relying on additional applications. Additionally, maintaining good compatibility with IBM App Exchange applications is crucial, as IBM Security QRadar SIEM is an older product that would benefit from code updates.

For how long have I used the solution?

I have been using IBM Security QRadar for more than two years.

Buyer's Guide
IBM Security QRadar
January 2026
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,082 professionals have used our research since 2012.

What other advice do I have?

For others looking into using IBM Security QRadar, my advice is to first learn IBM Security QRadar SOAR. Training is essential, but IBM Security QRadar SOAR is not overly complicated, and the documentation from IBM's portal is quite good. By learning IBM Security QRadar SOAR first, users can operate it more efficiently and leverage its versatile features, including rules, workflows, and various custom properties. I would rate IBM Security QRadar a score of six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Jan 8, 2026
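The artifact-extraction step the reviewer above describes (a reported email lands in the SOAR inbox, the playbook pulls the malicious elements out of it and hands the IOCs to the firewall integration), shown as an added example in plain Python. This is not the reviewer's playbook and not IBM QRadar SOAR code; the sample email, the `own_domains` list, the internal network ranges and the `deny ip` / `deny fqdn` block-list format are all constructed assumptions for the illustration.

```python
"""Added example: the artifact-extraction step of a phishing-mail SOAR playbook.

Not QRadar SOAR code. It mimics what a playbook function does after an incident
is created from a reported email: pull IOCs (URLs, hostnames, IPs, file hashes)
out of the message, drop the organisation's own infrastructure so it is never
blocked by accident, and emit a block list for a firewall integration to consume.
The sample email, domains and block-list format are constructed for this example.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a reported phishing email as it might land in the SOAR inbox.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-payroll.test>
To: employee@corp.example
Subject: Action required: password reset
Received: from mail.example-payroll.test ([203.0.113.45]) by mx.corp.example
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it here:
hxxp://203.0.113.45/reset/login.php
https://secure-login.example-payroll.test/auth
Attachment SHA256: 3f786850e387550fdab836ed7e6dc881de23001b3c1cfd1f37f4ca4e1a2f9c3d
Internal helpdesk: 10.0.0.5 (do not reply to this address)
"""

# Reporters and mail gateways often "defang" links (hxxp://); accept both forms.
URL_RE = re.compile(r"\bh[xt]{2}ps?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Assumed internal ranges (RFC 1918 plus loopback); artifacts in them are never blocked.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def refang(url: str) -> str:
    """Turn hxxp:// back into http:// and strip trailing punctuation so it parses."""
    return re.sub(r"^hxx", "htt", url, flags=re.IGNORECASE).rstrip(".,;)")


def is_external_ip(text: str) -> bool:
    """True for a syntactically valid IPv4/IPv6 address outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def is_own_domain(host: str, own_domains: tuple[str, ...]) -> bool:
    """Exact or subdomain match against the organisation's own domains."""
    return any(host == d or host.endswith("." + d) for d in own_domains)


def classify_host(host: str, own_domains: tuple[str, ...]):
    """'ip' for an external address, 'domain' for a foreign hostname, None to ignore."""
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None if is_own_domain(host, own_domains) else "domain"
    return "ip" if is_external_ip(host) else None


def extract_iocs(raw_email: str, own_domains: tuple[str, ...]) -> dict[str, list[str]]:
    """Return de-duplicated URLs, domains, IPs and SHA-256 hashes found in the email."""
    msg = message_from_string(raw_email)
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = headers + "\n" + body

    urls, domains, ips = set(), set(), set()
    for raw in URL_RE.findall(text):
        url = refang(raw)
        host = (urlparse(url).hostname or "").lower()
        kind = classify_host(host, own_domains)
        if kind == "ip":
            ips.add(host)
        elif kind == "domain":
            domains.add(host)
        else:
            continue  # points at our own infrastructure or an internal address
        urls.add(url)

    # The sender's domain is an IOC too (envelope/header spoofing aside).
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if classify_host(sender_domain, own_domains) == "domain":
        domains.add(sender_domain)

    # Bare IPs in headers (e.g. Received:) and body, minus internal ranges.
    ips.update(ip for ip in IPV4_RE.findall(text) if is_external_ip(ip))
    hashes = {h.lower() for h in SHA256_RE.findall(text)}

    return {"urls": sorted(urls), "domains": sorted(domains),
            "ips": sorted(ips), "hashes": sorted(hashes)}


def build_blocklist(iocs: dict[str, list[str]]) -> list[str]:
    """Render block entries in an assumed generic form for a firewall integration."""
    return ([f"deny ip {ip}" for ip in iocs["ips"]]
            + [f"deny fqdn {d}" for d in iocs["domains"]])


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_EMAIL, ("corp.example",))
    for line in build_blocklist(found):
        print(line)
```

In a real playbook the block list would be passed to the firewall integration app and the hashes to the EDR, and the `own_domains` and internal ranges would come from a configuration list rather than a literal. The "do not block your own infrastructure" filter is the part worth keeping: a reporter's email almost always contains the organisation's own mail gateway and internal addresses alongside the attacker's.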
Md. Shahriar Hussain - PeerSpot reviewer
Information Security Analyst at a comms service provider with 1,001-5,000 employees
Real User
Top 5 Leaderboard
Jan 6, 2025
Real-time incident detection and user-friendly dashboard benefit daily operations
Pros and Cons
  • "The dashboard is easy to use and easy to understand what's going on and what the alerts mean."
  • "There are many types of AI, and this AI is very limited in SQL and features. There may be potential for improvement."

What is our primary use case?

I use it daily because it's shared as a log alert, and we have a security operations center. Every now and then, and almost every day, there are some alerts. I utilize it every day, twenty-four by seven, as you can see.

What is most valuable?

Actually, the dashboard is very good. The dashboard is easy to use and easy to understand what's going on and what the alerts mean. It's very user-friendly, I would say. So far, it's very good. Recently, I faced an incident, a cyber incident, and it was detected in real time. It correlates well with other solutions. I have EDR, vulnerability, and IPS, and it shows useful findings for root cause analysis.

What needs improvement?

There are many types of AI, and this AI is very limited in SQL and features. There may be potential for improvement. So far, it seems very limited. It shows some good features in the correlation part, but I think there is room for improvement. For instance, when creating rules, it can suggest more rules, reducing the effort needed. If AI-related support can suggest rules and integrate with existing security devices like MD, IPS, this SIEM can create more relevant rules. Sometimes logs I receive don't mean anything, and I need technical stakeholders to share or forward logs, but these are sometimes inadequate. Keywords can help identify insufficient logs. I often lack time to verify logs. Sharing false positive results could be reduced to help my team.

For how long have I used the solution?

I have been working with the product for the last four months.

What do I think about the stability of the solution?

The product has been stable so far. I didn’t face any issues after deployment. I haven't encountered any software deployment issues, although I have only used it for four or five months. I might face issues after a year, two years, or with a major release or software update.

What do I think about the scalability of the solution?

I am satisfied with the scalability. It depends on my budget. How much I spend on licensing size is up to me.

How are customer service and support?

I received very good support, possibly due to a good relationship with IBM. I don't know about other companies, but I am happy with the support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, I had another SIEM before IBM brought it up, but I couldn't correlate with different solutions. Now it saves me at least one hour, sometimes up to three hours. I used Micro Focus, which I think was acquired by another company, possibly OpenText. The ownership changed. I am very satisfied with QRadar compared to OpenText. It's superior. I am not sure which one is best, but so far it is. My people had good training and needed to invest time to get good results.

How was the initial setup?

The initial setup was very difficult. I needed help from the local partner and expert users. Without expert users, it's challenging to deploy.

What about the implementation team?

Assistance from the support system is always needed.

What was our ROI?

It's still very early, but I have avoided significant damage. Investing this amount was very much worth it for my organization.

What's my experience with pricing, setup cost, and licensing?

The cost depends. The price I negotiated varies by region and relationship with the OEM. Cost is not shared due to another procurement team handling negotiations, but it was reasonable as far as I know.

What other advice do I have?

My advice is to understand your infrastructure first. Assess the size before sending any protocol requests or RFPs to adjust licensing costs. You may procure licenses less or more than needed, impacting finances. Analyzing your infrastructure is crucial, considering the logs and security issues you will set. Trained personnel are necessary. Without them, usage is challenging. Overall, the product rating is eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Architect of Cybersecurity at a computer software company with 51-200 employees
Real User
Top 20
Jan 5, 2025
Improved integration challenges addressed with customizable user-defined rules
Pros and Cons
  • "I think QRadar is stable and currently satisfies my needs."
  • "Improving the integration with IBM Server for MetaMask for correlation rules would be beneficial. Currently, I use Sentinel in Azure, and I would prefer creating one rule to roll it out to both Sentinel and QRadar. However, this is not possible because QRadar lacks this capability."

What is our primary use case?

I am using QRadar, like a standard SIEM, for security monitoring of information systems.

What is most valuable?

I use standard rules and special user-defined or correlation rules. I also use behavioral analysis for users. Additionally, there is limited integration with other systems. IBM is seeking information about IBM QRadar because a part of QRadar, especially in the cloud, has been sold to Palo Alto.

What needs improvement?

Improving the integration with IBM Server for MetaMask for correlation rules would be beneficial. Currently, I use Sentinel in Azure, and I would prefer creating one rule to roll it out to both Sentinel and QRadar. However, this is not possible because QRadar lacks this capability.

For how long have I used the solution?

I have been using QRadar for five or six years.

What do I think about the stability of the solution?

I think QRadar is stable and currently satisfies my needs. However, there is uncertainty about the future because if IBM sold part of QRadar to Palo Alto, it would be a concerning signal.

What do I think about the scalability of the solution?

Scalability is fine. It is one of the three well-known SIEMs.

How are customer service and support?

I am unsure because the problem escalates through level one to level three, and then the process starts over with Novo again. This is problematic for technical support.

Which other solutions did I evaluate?

I am not personally using it. These boxes are in use within my company.

What other advice do I have?

In the middle of evaluating, I am looking for some information about comparison boxes or licenses, products, and so on. I am interested in this issue, but I will not purchase it personally. We have a plan for internal projects for this. Product rating: five out of ten.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Hamdi Gomaa - PeerSpot reviewer
Cyber Security (SOC Analyst) at a tech services company with 201-500 employees
Real User
Top 20
Jan 15, 2026
Proactive offense monitoring has strengthened investigations and reduced attack impact
Pros and Cons
  • "IBM Security QRadar has impacted my organization positively by helping me with many things, including catching attacks and moving quickly to reduce damage or risk from attacks."
  • "The GUI or graphic interface for IBM Security QRadar is neither good nor bad, but I hope for it to be more interesting, more live, and have better style."

What is our primary use case?

My main use case for IBM Security QRadar is its good features which create an offense or trigger an offense. This offense has a description and contains many events with sensitive or helpful information about the offense. My daily activity as a SOC analyst L1 is to ensure if the offense is legitimate, if it is truly a suspicious or malicious offense, or a false positive. After that, I create a ticket to close it and determine if it is suspicious or not. If I need to conduct more investigation and delegate the ticket further, I escalate it to SOC L2 or the SOC Manager to take additional activities or conduct more investigation about it.

What is most valuable?

IBM Security QRadar is a very good SIEM solution because it has features that allow me to create rules or built-in lookups specific to my company. I can tune those to reduce the attack surface and be specific about the right malicious activities to reduce risk about an attack on my company or attacks on endpoints or assets.

IBM Security QRadar offers a good dashboard because it provides many things, including offense, log activity, network flow, reporting, and rules. All of these are very helpful for me as a SOC analyst L1 or a security engineer. I can see networking activities and log activities coming from our clients. IBM Security QRadar gathers information and logs from these sources and determines based on my rules whether to trigger an offense about that rule or not.

IBM Security QRadar is also helpful because when I see any IP or source IP and destination IP, I can search in IBM X-Force to determine if it is malicious or not. I can also scan the IP to see what it is and if it is related to a domain or a suspicious domain. Another very helpful feature is the built-in work or rules created by default from IBM product sales.

IBM Security QRadar has impacted my organization positively by helping me with many things, including catching attacks and moving quickly to reduce damage or risk from attacks. I cannot share specific information about how IBM Security QRadar helped me catch attacks quickly because it is sensitive information about my company, but IBM Security QRadar is helpful and has enabled me to accomplish many things.

What needs improvement?

The GUI or graphic interface for IBM Security QRadar is neither good nor bad, but I hope for it to be more interesting, more live, and have better style. IBM Security QRadar needs to improve its graphics.

For how long have I used the solution?

I have been using IBM Security QRadar for more than one year to detect and conduct further investigation and monitoring activities from our clients.

What other advice do I have?

My advice is that IBM Security QRadar is good. Splunk is also good, but IBM Security QRadar has many features including rules by default that I can tune the speed of. The core advice is that every SIEM is good, but what you will do with them and what you will work on with them is the secret. I would rate this product a 9 out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Jan 15, 2026
Mohamed Fouad - PeerSpot reviewer
Cybersecurity Team Leader at a tech services company with 201-500 employees
Real User
Top 5 Leaderboard
Dec 25, 2025
Security monitoring has improved and helps us detect threats faster while building our SOC
Pros and Cons
  • "Since using IBM Security QRadar, it has helped reduce security risks as we have a risk manager module, which is really helpful for us, and the response to an incident is very quick, so we have reduced the mean time to detect attacks."
  • "I think the support for IBM Security QRadar needs improvement as it is a big product and needs more support engineers to help customers."

What is our primary use case?

My main use case for IBM Security QRadar is implementing it as a SIEM solution to collect logs and correlate events so we can have offenses inside our organization.

Acting as a SIEM solution, IBM Security QRadar helps us deep dive into what happened in our network by collecting network flows and network events, and correlating events to generate incidents or offenses so we can stop attacks.

What is most valuable?

The best features IBM Security QRadar offers include its stability.

What makes IBM Security QRadar's stability stand out for me is that I am currently using FortiSIEM, but implementing IBM Security QRadar is a more advanced and more stable product, making it reliable for me to use.

IBM Security QRadar helps my organization correlate events and gain insight into our network traffic and security events.

Since using IBM Security QRadar, it has helped reduce security risks as we have a risk manager module, which is really helpful for us, and the response to an incident is very quick, so we have reduced the mean time to detect attacks.

What needs improvement?

I think the support for IBM Security QRadar needs improvement as it is a big product and needs more support engineers to help customers.

The time to support and providing more engineers for support are the needed improvements.

For how long have I used the solution?

I have been working in my current field for about ten years.

What do I think about the stability of the solution?

IBM Security QRadar is stable.

What do I think about the scalability of the solution?

IBM Security QRadar's scalability is great.

How are customer service and support?

The customer support for IBM Security QRadar needs improvement.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

What was our ROI?

I have seen a return on investment in terms of time saved and money saved as we stopped attacks, which also means fewer employees are needed.

What's my experience with pricing, setup cost, and licensing?

Regarding the setup cost, it is great; the licensing module is very powerful and has a granular structure, so the licensing is great, but the price needs more focus to be compared to other vendors.

Which other solutions did I evaluate?

I did not evaluate other options before choosing IBM Security QRadar.

What other advice do I have?

I would advise others looking into using IBM Security QRadar that it can help your organization reduce the mean time to detect and mean time to respond, and also in building a SOC. I would rate this product a ten out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Dec 25, 2025
Mohamed Fouad - PeerSpot reviewer
Cybersecurity Team Leader at a tech services company with 201-500 employees
Real User
Top 5 Leaderboard
Dec 8, 2025
Building a proactive soc has improved threat correlation and deep log investigation
Pros and Cons
  • "IBM Security QRadar has positively impacted my organization by allowing me to get offenses and threats into our organization, helping me to discover the real threats attacking our organization."
  • "Customer support for IBM Security QRadar needs improvement."

What is our primary use case?

My main use case for IBM Security QRadar is building a SOC with IBM Security QRadar as a SIEM.

I use IBM Security QRadar in my SOC operations as a security information and event management tool, to correlate events and build use cases for incident response.

My main use case helps us to deep dive into the logs and correlate events from many other products like firewalls, endpoints, and also a lot of products.

What is most valuable?

The best features IBM Security QRadar offers include vulnerability management, a powerful integration, and being a stable product. The vulnerability management feature helps to build an asset library for our organization, and with integrations, we can integrate this vulnerability with other ticketing systems to discover new vulnerabilities and build a patch management for it.

IBM Security QRadar has positively impacted my organization by allowing me to get offenses and threats into our organization, helping me to discover the real threats attacking our organization. The real threats that IBM Security QRadar helps us with are provided as offenses, real offenses with real examples that allow us to discover new offenses and assist in closing these offenses.

What needs improvement?

IBM Security QRadar can be improved; perhaps IBM support needs improvement in fast response and also the team response.

For how long have I used the solution?

I have been using IBM Security QRadar for about nine years.

What do I think about the stability of the solution?

IBM Security QRadar is stable.

What do I think about the scalability of the solution?

IBM Security QRadar's scalability is great; you can deploy a new collector if your EPS increases.

How are customer service and support?

Customer support for IBM Security QRadar needs improvement.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

I have not used a different solution before IBM Security QRadar; this is my first use.

What was our ROI?

I have seen a return on investment; I can share that it includes time saved, money saved, and fewer employees needed.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing is great compared to the other vendor.

Which other solutions did I evaluate?

I did not evaluate other options before choosing IBM Security QRadar.

What other advice do I have?

IBM Security QRadar is stable and has great support.

I advise others looking into using IBM Security QRadar that it is really helpful for building a SOC and to get a deep dive into your real threats at the earliest time. I have given this product a review rating of 10.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Dec 8, 2025
Retail Banking and AML/KYC Manager at a financial services firm with 10,001+ employees
Real User
Top 5
Sep 16, 2024
Is easy to integrate and doesn't require maintenance
Pros and Cons
  • "Regarding the tool's ability to maintain high-security standards, I rate it ten out of ten."
  • "The solution does not support the integration of flat file databases."

What needs improvement?

One major drawback we are facing is in the area of IBM Security QRadar integration with flat file databases. IBM Security QRadar does not support flat file database integration. We are currently facing an issue with respect to the database, which you normally call a NoSQL database. There is no direct integration mechanism available with IBM Security QRadar. We have to approach IBM and generate a ticket so that they can develop a custom method for the integration. In database integration, we are facing issues with IBM Security QRadar.

The solution does not support the integration of flat file databases. Certain organizations have flat file databases. IBM does not support direct integration with some databases. We had to create a plug, and we requested IBM to develop a parser, but it is taking IBM a couple of months to develop it. I think a flat-file database should be supported directly instead of developing a parser plugin. There should be a more refined threat intelligence platform, and cross-integration should be possible with locally available threat intelligence platforms.

For how long have I used the solution?

I have been using IBM Security QRadar for three years. I use the solution's latest version.

What do I think about the stability of the solution?

Stability-wise, I rate the solution a seven out of ten.

What do I think about the scalability of the solution?

It is a scalable solution. With respect to threat intelligence platform integration with locally developed software solutions, IBM works on and provides certain sorts of APIs. The tool also leads to advancement in threat intelligence, which could be beneficial during product deployment.

My company has an unlimited number of user versions. Basically, it does not depend on the number of users. It basically works on events per second. We already acquired unlimited EPS on our IBM QRadar.

I rate the scalability an eight out of ten.

We have two teams using the tool. If you talk about engineering, we have five to ten people on the engineering side who look after the administration. There is also a twenty-four hours a day, seven days a week managed SOC service with twenty people in each shift. We follow the follow-the-sun principle, so you can say the managed SOC services run in three shifts.

Which solution did I use previously and why did I switch?

My company is only using IBM.

How was the initial setup?

We didn't face any difficulty in the deployment process. The strategy we follow in the deployment is a phased approach. Initially, we deployed the workspace, and then we moved to routers and hardware-related things. In phase two, we start integrating the tool with business applications.

The solution is deployed on an on-premises version.

The solution can be installed for the initial configuration and settings in around three to five hours. Asset onboarding varies. Assets like switches and data sources, where no approval is required, integrate very quickly. Other typical assets, like applications, require us to create certain views in order to fetch the logs. It all depends from application to application.

Three or four people are required to install the tool. Actually, we have a team and deployed the tool with five people. Two people did the installation, two people were supporting, and the required things or approvals were obtained. You can say it is normally a team of five engineers. They take part in maintenance, too. Actually, we divided it into two phases, deployment and implementation. One is a team of engineers who are involved with the deployment and installation. The other is the SOC team, which is responsible for monitoring logs on IBM Security QRadar.

What's my experience with pricing, setup cost, and licensing?

IBM solutions are always expensive, as it offers some industry-leading solutions, which is why we have implemented them. Now, locally developed and open-source solutions like Wazuh are available. Certain organizations are deploying the solutions. We receive no cost-benefit from IBM. It is an expensive solution, and we have to incur these costs.

The tool's price is high. Our company faces pricing-related challenges with locally available products and other offerings like Splunk and Wazuh. In addition, there is a need to pay the tool's standard licensing fee. We outsource our SOC operations, so such expenses are in addition to the deployment.

Which other solutions did I evaluate?

After going through the different reviews over the internet, we found out that IBM is a leader, and we also did a study of the various banks in Pakistan and internationally to find what products they use. After comparing these banks, international banks, and locally made products, we decided to go for IBM.

What other advice do I have?

IBM Security QRadar enhances threat detection and incident response in our specific industry. The threat intelligence is somewhat different in Pakistan. We also have to deploy other open-source solutions and integrate them with the new system. We have IBM X-Force, and the solution provides threat intelligence releases for global incidents. Basically, we have CTM360, which helps with the threat intelligence part. We are actually using both with the solution. I think IBM X-Force complements our challenges, but it is not up to the mark we require. We have to collaborate with different solutions as well with CTM360.

The tool's anomaly detection was useful with respect to application integration. We use a use case where we recently implemented the tool with respect to business applications where we define a rule set, and the system perfectly identifies and triggers an event against the rule set we define, so it is related to business applications. Our use cases are related to the event. An incident was caused a couple of days ago due to the Log4j vulnerability. For such vulnerabilities, the use case will also be helpful.

It is easy to integrate with different solutions or different databases like MySQL and Oracle. It has the edge over other solutions, like open-source solutions like Wazuh and Splunk, so IBM Security QRadar is very much refined with respect to these solutions.

Regarding the tool's ability to maintain high-security standards, I rate it ten out of ten.

So far, we haven't used any AI feature in the tool, or it may not be available in the version we use.

Overall, I recommend the tool to others. We are currently recommending it to peer banks and peer colleagues who need to make a decision to buy a product.

Maintenance is not required, but we regularly check the tool's health reports. If any event occurs monthly or quarterly, then we need to maintain it. Otherwise, no maintenance is required.

I rate the tool an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Maaz Khalid - PeerSpot reviewer
Manager SOC at a security firm with 201-500 employees
Real User
Top 5
Sep 25, 2024
Provides easy integration at low cost but lacks AI enhancement

What is our primary use case?

I have worked on several use cases, including creating custom ones. QRadar also provides built-in use cases.

How has it helped my organization?

Once integrated, you gain comprehensive visibility into all threats. The user behavior analytics module is particularly strong, and adding features allowing integration with third-party threat intelligence services enhances the analysts' ability to identify threats.

What is most valuable?

The best aspect of QRadar is its user-friendliness. Unlike other solutions requiring query language knowledge, QRadar is entirely GUI-based. This makes it easy to use and understand without learning any query languages.

What needs improvement?

People are increasingly moving towards big data tools, so QRadar needs to enhance its compatibility. For example, QRadar does not integrate with SAP HANA, widely used in large industries. Similarly, QRadar lacks support for integrating with Fortinet's firewall management services, resulting in limited visibility.

It is still in its early stages. AI analytics require further development because, in my experience, they often generate false positive alerts.

For how long have I used the solution?

I have been using IBM Security QRadar for seven years.

What do I think about the stability of the solution?

It is very much stable.

What do I think about the scalability of the solution?

On-premises deployments can be challenging to scale. In contrast, cloud solutions offer much greater scalability; you simply place an order for the required EPS, get approval, and then proceed. This process is more straightforward and faster than on-premises setups.

How was the initial setup?

The initial setup is user-friendly and straightforward, making deployment easy. However, compatibility issues with other security controls still need to be addressed. It provides a 35-day period for project enablement. This timeframe is too short and should be extended to 45 or 50 days.

When deploying QRadar on-premises, we assess the organization's size to determine the required number of UPS units, application servers, and other necessary hardware. Once these requirements are identified, we proceed with the deployment.

We face challenges in the deployment phase, especially when working with an MSSP license. The main issue is with QRadar's multi-tenancy, which often causes the system to crash. Their support services are not very helpful in addressing these problems.

We allocate two working days for the deployment of QRadar for our customers. Our team includes a senior engineer who communicates with the client and a junior engineer responsible for deploying and installing other services.

The deployment time can vary based on the size of the setup. Large deployments, such as those with 20,000 to 25,000 EPS for corporate clients, take longer due to the need for multiple hardware servers. In such cases, it can take several days. QRadar can be installed in about three to four hours for smaller setups.

What's my experience with pricing, setup cost, and licensing?

The price is lower than Splunk but remains high compared to other SIEMs like LogRhythm, Elastic, and RSA. For example, 1,000 EPS costs around $55,000. While it's somewhat more affordable than Splunk, it is still higher than LogRhythm, Elastic, and RSA.

What other advice do I have?

QRadar offers a clean solution with straightforward integration for various devices. Once you define your scope, you effectively gain visibility into it. When comparing QRadar to other SIEM solutions like GloD and Splunk, QRadar lags behind other modern advancements. While new SIEM solutions focus on data lakes and big data, QRadar continues to rely on traditional correlation modules.

QRadar should prioritize R&D and product improvement. Their support services have also declined and need attention.

In QRadar's user behavior analytics, we observed an alert triggered by an unusual login attempt from one of our administrators. While monitoring alerts during my shift, QRadar's anomaly-based detection identified a login attempt outside normal hours. The system detected this as a deviation from the established baseline since the administrator had never logged in at that time before. This triggered the alert, helping us identify the compromised account.

QRadar requires ongoing maintenance, and running it effectively often depends on support from engineers. Unlike big data tools, QRadar can struggle with integration and may require fine-tuning, restarts, or troubleshooting if issues arise. Since its merger with other companies, we've encountered many problems and have experienced delays in receiving timely technical support.

You don’t need to learn any additional tools to use the system. It allows you to create dashboards from a management perspective, and its user behavior analytics work very well, although the AI analytics module is still developing.

When handling compliance requests or forensic investigations, a SIEM solution like QRadar is essential. It helps pull up logs and identify what happened during incidents or breaches.

The time required for investigation depends entirely on the impact of the attack. Sometimes, only a single device or network is compromised, which may be resolved quickly. However, the investigation takes longer in cases where the scope is broader, involving multiple devices and networks. The timeframe is driven by the extent of the incident, not just by QRadar.

QRadar is a good product. In Pakistan, many financial sectors are starting to shift towards other solutions. South Asia, particularly Pakistan, has a growing trend towards Splunk. Similarly, there is a shift towards Splunk, LogRhythm, and RSA in the Gulf region.

Overall, I rate the solution a seven out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
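The off-hours login alert the reviewer above describes (a login at a time the administrator had never logged in before, flagged as a deviation from baseline) comes down to a per-user baseline of normal login hours. The following is an added example, not QRadar's own UBA logic or anything from the review: it builds that baseline from constructed login log lines and flags a login whose hour is outside every baselined hour (plus a small tolerance).

```python
"""Added example: per-user off-hours login detection over constructed log lines.
Not QRadar code; the log format and the sample events are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of historical login events used to learn the baseline.
BASELINE_LOGS = [
    "2024-09-02 08:55:10 user=admin1 result=success",
    "2024-09-02 09:10:42 user=admin1 result=success",
    "2024-09-03 08:47:03 user=admin1 result=success",
    "2024-09-03 17:30:11 user=admin1 result=success",
    "2024-09-04 09:02:58 user=admin1 result=success",
    "2024-09-05 08:59:30 user=admin1 result=success",
]


def parse_line(line):
    """Return (timestamp, user, result) from one constructed log line."""
    date, time, user_field, result_field = line.split()
    return (datetime.fromisoformat(f"{date} {time}"),
            user_field.split("=", 1)[1], result_field.split("=", 1)[1])


def build_baseline(lines, min_events=5):
    """Map each user to the set of hours-of-day in which they have logged in.
    Users with fewer than min_events successful logins get no baseline yet,
    so a sparse history does not produce noisy alerts."""
    hours = defaultdict(list)
    for line in lines:
        ts, user, result = parse_line(line)
        if result == "success":
            hours[user].append(ts.hour)
    return {u: set(h) for u, h in hours.items() if len(h) >= min_events}


def detect_off_hours(baseline, line, tolerance=1):
    """Return an alert dict when a successful login falls outside the user's
    baseline hours (allowing +/- tolerance hours, wrapping at midnight), else None."""
    ts, user, result = parse_line(line)
    if result != "success" or user not in baseline:
        return None  # failed logins and users without a baseline are not scored here
    for h in baseline[user]:
        diff = abs(h - ts.hour)
        if min(diff, 24 - diff) <= tolerance:
            return None  # close enough to a normal hour
    return {"user": user, "hour": ts.hour, "baseline_hours": sorted(baseline[user])}


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    print(detect_off_hours(base, "2024-09-06 03:12:44 user=admin1 result=success"))
```

Hour-of-day buckets are deliberately coarse; a real baseline would also weight by weekday, source address and recency so that a legitimate schedule change ages into the baseline instead of alerting forever.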
Buyer's Guide
Download our free IBM Security QRadar Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2026