We are a product-based organization. We use this solution for a shared SOC service and security audits and compliance.
Delivery Manager at a tech services company with 1,001-5,000 employees
Scalable and versatile with a lot of good features and good integration with AWS
Pros and Cons
- "There are a lot of features in QRadar. App Exchange is the most valuable feature. User behavior analytics (UBA) is also a very good feature. Watson is also there, but we are not currently using Watson. It is versatile and quite easy. It also has an all-in-one-box feature and good integration with AWS."
- "SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar. It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want."
What is our primary use case?
What is most valuable?
There are a lot of features in QRadar. App Exchange is the most valuable feature. User behavior analytics (UBA) is also a very good feature. Watson is also there, but we are not currently using Watson.
It is versatile and quite easy. It also has an all-in-one-box feature and good integration with AWS.
What needs improvement?
SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar.
It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want.
If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment.
What do I think about the stability of the solution?
It is stable. There have been no incidents where the SIEM completely stopped.
Buyer's Guide
IBM Security QRadar
May 2025

Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,604 professionals have used our research since 2012.
What do I think about the scalability of the solution?
I have expanded it. It is very good in terms of scalability. Because it is on the cloud, it can be scaled anytime. If I want to increase my CPU's RAM, I can do it. At any point in time, if I want to get additional licenses, I can just call support, and they will provide that.
I have around six customers who are using QRadar in a shared model. We do have plans to increase its usage. We are looking after different customers, and when they're ready, we can integrate it.
How are customer service and support?
They are good and responsive. However, because of COVID, of late everyone is working from home, and sometimes, their response has been a little bit slow for incidents. They did apologize for that.
How was the initial setup?
It is straightforward. AWS has a feature called Marketplace in its environment. When we click it, we can load it directly. It doesn't take more than two to three days to completely deploy the infrastructure.
What's my experience with pricing, setup cost, and licensing?
They can give us some scalability and flexibility on pricing. If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment and grow business in the market. If I start a license today and take around 10,000 EPS, and after a month, there is an increase in the number of clients on my platform, I can increase the number of licenses. I can add 5,000 EPS on a yearly basis.
Which other solutions did I evaluate?
We chose QRadar over McAfee ESM.
What other advice do I have?
It has good integration with AWS. AWS has come up with a Marketplace click-in option that provides direct integration between your AWS and data centers or cloud solutions through a small VPN. It allows you to bring up small environments with 5,000 EPS or 6,000 EPS or even 3,500 EPS or 2,500 EPS very quickly. It is very flexible and not at all tough for a startup engineer to click and bring solutions inside. It is quite easy.
I would rate IBM QRadar an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner

Cyber Security Analyst at Diyar United Company
A security solution to manage logs from multiple devices
Pros and Cons
- "It protects us from multiple authentication values, unauthorized access, and antivirus threats."
- "IBM Security QRadar lacks automated response. With this feature, there's no need to visit VirusTotal or other sites for IP reputation. There should be a small plug-in where users can click to retrieve details about the reputation and organization of public IP."
What is our primary use case?
We use IBM Security QRadar for storage. These tools are setting high tools on the usage of the logs from multiple devices. It manages millions of logs from multiple devices, such as firewalls, routers, switches, etc. The solution is stable and has better support than LogRhythm. It doesn't have multiple components or servers, troubleshooting, or remote servers. It is based on a CentOS platform, and implementation is difficult.
How has it helped my organization?
We make use of the tool to ensure company security. We have the firewall services and switches integrated. We use the solution for attack-related loss, firewall, and blacklist IP. There are multiple use cases, like internal firewalls, internal Windows servers, and Internet controllers. It protects us from multiple authentication values, unauthorized access, and antivirus threats. We don't open and see the console all the time, so we need automated alert access to all Windows. There's a malware incident and wireless incident. QRadar has antivirus which detects cache files, etc.
What is most valuable?
IBM Security QRadar is stable. The tool exhibits minimal vulnerabilities and does not encounter multiple issues. It is not easy to operate; it ensures minimal downtime. Its usability, synchronization with systems, user interface, and storage capabilities are crucial. Storage is essential for research and hunting, as it involves delving into logs. The response time of IBM QRadar is commendable, and even when processing large amounts of data, it maintains a consistently high level of performance. The tool utilises RAM efficiently.
What needs improvement?
IBM Security QRadar lacks automated response. With this feature, there's no need to visit VirusTotal or other sites for IP reputation. There should be a small plug-in where users can click to retrieve details about the reputation and organization of public IP.
For how long have I used the solution?
I have been using IBM Security QRadar for 4 years. We are using V7.5 of the solution.
What do I think about the stability of the solution?
The solution is stable. It's crucial for maintaining the company's security.
I rate its stability as nine out of ten.
What do I think about the scalability of the solution?
The solution’s scalability is excellent.
25 users are using this solution.
I rate the solution’s scalability a nine out of ten.
How are customer service and support?
IBM provides good support. We have paid licenses, which come with special performance enhancements.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
How was the initial setup?
The initial setup is straightforward and can be done within a day. It is based on Linux. If there is any issue, you need to bang your head to solve the issue.
IBM Security QRadar requires a specific server with a minimum of 128 GB RAM and can support up to 2,000 endpoints. The installation process involves obtaining the ISO and setting up the necessary configurations. Once installed, we must ensure the components are properly located and configured.
One person is required for maintenance and deployment each.
I rate the solution's setup as a seven out of ten.
Which other solutions did I evaluate?
We opted for IBM Security QRadar based on its market rating and recommendations from previous alumni who have experience with it at our company. QRadar is a software solution provided by IBM for security purposes.
What other advice do I have?
QRadar supports connectivity with 2,800 vendors, including Cisco and Fortinet FortiGate. These integrations encompass various platforms such as VMs, Linux distributions like Red Hat and CentOS, and Symantec and Microsoft Windows for CRM databases and other server functionalities. Cloud technologies such as Office 365 are also supported.
The tool is flexible and I recommend it.
Overall, I rate the solution a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Engineer at Glasshouse Systems
A highly stable and scalable solution that provides good technical support
Pros and Cons
- "The most valuable features of IBM Security QRadar are flexibility, IBM support, and scalability."
- "IBM Security QRadar’s GUI could be improved."
What is our primary use case?
I've got use cases where we monitor positive controls wherein something doesn't allow something to happen. It alarms when somebody changes the control.
What is most valuable?
The most valuable features of IBM Security QRadar are flexibility, IBM support, and scalability.
What needs improvement?
IBM Security QRadar’s GUI could be improved.
For how long have I used the solution?
I have been using IBM Security QRadar for 12 years.
What do I think about the stability of the solution?
I rate IBM Security QRadar ten out of ten for stability.
What do I think about the scalability of the solution?
Around five to ten users are using the solution in our organization.
I rate IBM Security QRadar ten out of ten for scalability.
How was the initial setup?
The solution's initial setup is pretty difficult. I rate IBM Security QRadar a four or five out of ten for the ease of its initial setup.
What about the implementation team?
Based on the size and the number of use cases, the solution's deployment can take three or four days to a few months.
What's my experience with pricing, setup cost, and licensing?
IBM Security QRadar is about 50% less expensive than Splunk. SIEM solutions charge by the amount of data, whether EPS or gigabytes. They directly incentivize you not to put things in it, which doesn't make sense since the goal is to put everything in it. They'd make it where you can't afford to do it.
On a scale from one to ten, where one is cheap and ten is expensive, I rate IBM Security QRadar's pricing a five out of ten.
What other advice do I have?
Overall, I rate IBM Security QRadar a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner/customer
Lead Technical Architect at Commercial Bank of Ethiopia
It lets you filter by the source and destination IPs to get detailed information
Pros and Cons
- "It also has a graph that shows the traffic history. I can see what happened yesterday or today. If there's an incident, I can check the traffic behavior on QRadar."
- "QRadar's performance has room for improvement because it cannot handle the volume. I need massive amounts of logs from various devices in our existing network architecture. IBM needs to improve QRadar's capacity to handle more logs."
What is our primary use case?
We use QRadar to collect logs and monitor user activity and traffic from one network to another. The SOC team is in a room watching the logs from the tool live most of the time.
QRadar monitors all internet activity and the output of every device configured to send a log. All traffic from various networking devices passes through the QRadar servers, and we can view it live.
We have two data centers, and QRadar is deployed in one. It comes with two physical appliances to allow failover capability. There's a management interface that binds them together, and we set up an interface for each device connected to the network that sends a log.
What is most valuable?
QRadar allows you to filter by the source and destination IPs and see detailed logs on that. For example, if a user is trying to access a server using a malicious port like 4.5.0, I can get valuable data and take action from other devices.
It also has a graph that shows the traffic history. I can see what happened yesterday or today. If there's an incident, I can check the traffic behavior on QRadar.
What needs improvement?
I would like to see QRadar add more integration and interoperability. For instance, we are not able to send logs from Windows servers. We can send logs to the QRadar server from network devices and other types of servers. However, we have more than a hundred Windows servers that still don't use QRadar.
For how long have I used the solution?
Our company has been using QRadar for the last five years. We implemented it in 2017.
What do I think about the stability of the solution?
QRadar's performance has room for improvement because it cannot handle the volume. I need massive amounts of logs from various devices in our existing network architecture. IBM needs to improve QRadar's capacity to handle more logs.
Usually, disk space is the issue. When it runs out of space, we need to stop logs from different network devices, especially the firewall, before it starts working.
What do I think about the scalability of the solution?
It's hard for me to estimate the number of QRadar users because all of our banking traffic and user activity will pass through QRadar. At the higher end, more than 25,000 active users might use QRadar.
How are customer service and support?
I was directly involved with the IBM support team during the implementation, and we received training for some time after. The service has been excellent and supportive.
When we needed to upgrade, our security team invited the IBM technician back, and it was very smooth. Now, they are planning to set up redundancy in our second data center. Generally speaking, the support is good, and they check in about once a month remotely. I am directly involved with them, but I hear positive feedback from the team.
What about the implementation team?
The initial setup was configured in Linux on the server. We had a technical guy from IBM who came from Kenya. We only prepared the environment, like setting up the rack, but an IBM technician took care of the implementation. We also rely on the vendor for support and activities that require professional expertise.
What was our ROI?
I rate QRadar eight out of 10 for return on investment. We get a lot of valuable data from QRadar.
What other advice do I have?
I rate QRadar eight out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Analyst at Localiza
Provides the visibility and analytics needed to detect and combat security risks
Pros and Cons
- "The rule engine is very easy to use — very flexible."
- "The user interface is a bit clunky, a bit hard to find what you need."
What is our primary use case?
We use this solution for deploying and integrating log sources and use cases.
We use it to generate offenses based on normal behavior and suspicious behavior from our security tools, firewalls, and other solutions.
We have applied a set of old and new rules to QRadar that aim to detect persistent abnormalities in our environments.
Within our organization, our security operations center and users from our local security team — roughly 10 to 12 users — use QRadar. We plan to expand to other areas of the company so that other people can use QRadar for different use cases. But right now only the security teams use it.
How has it helped my organization?
It's more of what it has provided for our company. We have much better visibility into our environment now. It has become much easier to create an alert for suspicious behavior, to operate on security incidents when they happen, and to drill down on specific events and figure out exactly which machines and users were involved.
What is most valuable?
I think the log search is pretty good. It's very easy to create complex searches and aggregate results and create graphics, etc.
The rule engine is very easy to use — very flexible. We can create rules based on whatever behavior we want. It's very easy to use compared to Splunk.
When we analyzed Splunk, that was the criteria that we looked at. Splunk was a lot more difficult to use and to create rules.
The standard rules they have are very comprehensive. There are many content packs in the apps that enrich those rules. We are still using the native rules from QRadar because there are many useful rules there. I think we're going to have a very good experience with them.
What needs improvement?
One thing one has to be aware of is that QRadar doesn't have a standard UI style, but older (clunkier) and newer (more modern and easy to use) screens. The QRadar UI involves a lot of clicks and pop-ups to get where you want, which is certainly not the best UX, but isn't totally a pain either. Although it's a bit difficult to navigate through screens at first, the UX is pretty good once you learn the "QRadar way", which takes a few weeks to master.
For how long have I used the solution?
I have been using this solution for the last three months.
What do I think about the stability of the solution?
We had some bugs and we had to handle them. They impacted our deployment timeline, but all of the bugs that we had were quickly solved by engineers from IBM. Currently, we are not fully satisfied with the stability, but the support from IBM is very good and they can solve our problems very, very quickly.
What do I think about the scalability of the solution?
There seems to be a cap-limit regarding scalability. IBM limits the amount of data you can send into the collectors, so scalability-wise, it's not that optimum because sometimes we have a resource or a machine that tends to think it gets more events per second than it actually gets. Because of how the solution is made, if we send a large number of events to these event collectors, then they will start dropping events because we can't queue them. That seems to be by design — we aren't entirely satisfied with that. In this way, IBM kind of forces their customers to buy a larger license.
How are customer service and technical support?
IBM's customer support is very good.
We don't have any comments about community support because we don't know any communities that we can use to look up information about QRadar; however, in general, we have used IBM's documentation extensively — I think it's very useful, it's very complete, but sometimes it's a bit outdated.
Which solution did I use previously and why did I switch?
We used to use ArcSight. I can't even begin to compare these two products because ArcSight was a solution managed entirely by our security operations center team. We didn't have full knowledge of what the solution was capable of. Now we're seeing a much larger universe with QRadar — I think it's a completely different thing. QRadar is much more capable than ArcSight.
How was the initial setup?
Deployment-wise it's pretty easy already; it took us one hour to get QRadar running, and then a couple of days later, we had full deployment. We then began onboarding log sources — the process of onboarding log sources has been almost painless for 90% of our log sources, which are from different vendors and different tools, and within a month we had about 70% of all of our relevant security logs in QRadar, generating many interesting offenses on a daily basis. So that has been very positive.
We had little interaction with QRadar during the process of onboarding log sources — most log sources were automatically discovered, and their events were mapped correctly and parsed to extract relevant fields. A few log sources required manual intervention or installation of content packs, and some of IBM's DSMs were a bit outdated, but these issues were rather quick to fix within QRadar itself.
What about the implementation team?
We used a partner company here called IT.eam, which helped us with the deployment. They are very capable and professional and it's been overall a great experience.
What's my experience with pricing, setup cost, and licensing?
It's very expensive but it fits our budget. Because it's very expensive, we had to come up with ways of filtering our logs before they get into QRadar because otherwise, we'd have to buy a much greater amount of events per second, and that would be very expensive.
Splunk is virtually the same price.
What other advice do I have?
I'd recommend QRadar for security teams that are more from the IT world and not so much from the development or data-science world. I think other tools, such as Splunk, are really great too, but QRadar is natively concerned with providing security rules and use cases. If you're looking for a reliable solution for security purposes only, QRadar is probably the way to go.
Overall, on a scale from one to ten, I would give this solution a rating of eight.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director of Incident Response at a retailer with 10,001+ employees
Robust and reliable but needs some fine-tuning
Pros and Cons
- "It'll get you from point A to B."
- "There should be more opportunity for community kind of distribution where, for example, if there was a zero-day threat targeting companies."
What is our primary use case?
The UBA component is something that is there. However, it's something that honestly hasn't been leveraged as much. It's probably not a UBA feature like the ones we’ve used in the past. In any case, the UBA feature is there. You can look at the users and look at any risky activity or use cases. I tend to look at it. However, it's not my main source in terms of leveraging it as a UBA.
What is most valuable?
I equate QRadar to a robust solution. You get all the live sources. If you have someone there fine-tuning the solution and creating rules for the team to ensure the fence is alert. It's a robust solution.
In the past, I've heard the term that it's like a Cadillac, a trusted Cadillac. It'll get you from point A to B. It does what integration is supposed to do.
What needs improvement?
It needs a little bit perhaps more fine-tuning on the SIM aspect of it. Out of the box, it's just not one of those things that I leverage as a single source of truth regarding the user behavior analytics aspect of it.
With QRadar, IBM has had ample time to innovate, make changes to the interface, and keep up with some of the competitors. Yet, IBM delays innovating QRadar, since, once people are tied into it, they stick to the SIM as that's what they're used to. Right now, you have many other players in the market, like Datadog, Sumo Logic, and Splunk. Splunk has a ton of connectors as well, which is making it more appealing for other people to look at other solutions, especially when they're trying to look at a cloud-native solution.
There should be more opportunity for community kind of distribution where, for example, if there was a zero-day threat targeting companies. I know that many other solutions now provide ease of use in terms of sharing rules and for identifying and tracking some of these zero-day vulnerabilities out there. QRadar needs to do the same.
For how long have I used the solution?
I’ve been using the solution for about four years or so.
What do I think about the stability of the solution?
The stability's great. The solution is robust. It's trusted. Depending on how you have it deployed, whether it's a standalone appliance or a high-availability pair so that you have redundancy, the solution is reliable.
What do I think about the scalability of the solution?
Anywhere from 25 to 50 users are using it. The primary users are security operations. However, then you do have some folks on the infrastructure side that also leverage QRadar. It wasn't always the case. That said, once we provided access to the infrastructure team, they enjoy using QRadar for looking at logs, and troubleshooting. That would involve the networking team and the server team. They also leverage it as well.
How are customer service and support?
Overall, the IBM team is responsive in regards to ticketing. Obviously, you have to create a ticket with IBM and they will get someone to get on a WebEx with you within a reasonable amount of time depending on the urgency.
They will help resolve issues and create cases. The support is there in terms of having any issues or QRadar is generating errors. Support will guide you and record the session and help remove any issues or obstacles that you have, so I definitely would rate them high on the support aspect of it.
How was the initial setup?
I didn't set it up. Probably part of the engineering team set it up.
What's my experience with pricing, setup cost, and licensing?
I do not know the exact cost. It's a bit tricky as some of it is tied into pre-contracts that we have. Some parts of the company do prepaid funds for certain solutions. It's different. It varies.
What other advice do I have?
While I use QRadar, I'm in a managerial role, so I'm not living in it every single day as my team members are.
Every situation is different. I know a lot of organizations or a lot of C-suite executives all go to the same kind of conferences each year. Then they all come back singing the same song: "We all have to go to the Cloud."
I’d rate the solution six out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Head of Cyber security analysis at DNV Poland Sp. z o.o.
It has good support and works with Linux platforms
Pros and Cons
- "It's hard for me to pinpoint any one feature that's most valuable because it is all about consuming logs and analyzing them. We started using QRadar UBA because we needed something that could analyze Linux authentication information. Other products take care of the Windows platform."
- "I don't give it a 10 because it is something we have to request. I would love it if UBA was included out of the box like Microsoft."
What is our primary use case?
We analyze all our authentication traffic in QRadar UBA using the solution's AI module to detect and understand uncommon authentication patterns. There is also the rule logic, but we don't use that much. Instead, we mostly rely on AI to do that. In that respect, I wouldn't say we are using the product to the fullest extent because we only have the AI and what the CM is providing. We have a suite of security products, and QRadar UBA is only one source of information that we rely on.
QRadar UBA collects information on 16,000 employees in the company, including when they log in and out or when they launch applications. We have a team of 10 security analysts who go into the solution to check the alarms. IBM has set the solution up so that we only need to react to the alarms. The UBA will flag it if someone does something weird, and our security team will investigate the anomaly to see if that was valid or malicious.
We are currently on QRoC — short for QRadar for Cloud — so it's the latest and greatest solution. It was originally on a private cloud, but we moved to the public cloud three years ago.
What is most valuable?
It's hard for me to pinpoint any one feature that's most valuable because it is all about consuming logs and analyzing them. We started using QRadar UBA because we needed something that could analyze Linux authentication information. Other products take care of the Windows platform.
What needs improvement?
Better algorithms or AI would always be appreciated, but this product does what it's supposed to do. And maybe there is something behind the scenes that could be improved, but I don't know.
UBA is a plugin for QRadar SIEM. If we're talking about the SIEM solution as a whole, there is a lot I can talk about, but there isn't much to say about UBA as a standalone. I'm not in a position to criticize or comment on the underlying code.
For how long have I used the solution?
I have been using QRadar UBA for six years.
What do I think about the scalability of the solution?
I haven't had any problems. We have never needed to add more memory or CPU.
How are customer service and support?
IBM technical support is excellent. 10 out of 10. IBM is highly professional when it comes to security support. IBM's support for other types of solutions isn't quite as good, but the security domain is a different world. I've worked with IBM in other areas, and it's different. Security support is on a tier by itself inside IBM.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We are also using a Microsoft solution called Azure Advanced Threat Protection. It provides similar UBA features but only for a Microsoft environment. Most UBA products do exactly the same thing. I haven't tried many other solutions besides QRadar, Microsoft, and Splunk.
Splunk is brilliant. It does the same thing, but it's slightly more expensive, so we selected IBM. Microsoft's solution is a little cheaper, but it lacks Linux support currently. There are minor differences, but we went with IBM in this case because it has the best support.
How was the initial setup?
IBM did the setup. I called them to ask for UBA, and it was available the next day. They handled all the deployment and maintenance.
What about the implementation team?
What was our ROI?
I have not calculated ROI for this product. QRadar UBA is a tiny part of the entire security portfolio. In the context of the SIEM as a whole, the cost is so low that it's hard to defend not doing it.
What's my experience with pricing, setup cost, and licensing?
I have no idea what QRadar UBA costs as a standalone solution because it is bundled with the QRoC security operation center and several other modules that we pay for in a big lump sum. However, I don't think that part is too expensive. It's a plugin to the QRadar SIEM that feeds off the same data. We have X-Force Threat Exchange, so IBM is operating the SIEM for us. I say to them, "I want UBA," and there it is.
What other advice do I have?
I rate QRadar UBA eight out of 10. It's a small product doing exactly what it's supposed to do as an integrated part of our SIEM. It looks good and works well. I don't give it a 10 because it is something we have to request. I would love it if UBA was included out of the box like Microsoft.
Regardless of which solution you use, I recommend user behavior analytics. It provides valuable information to the security team. It doesn't matter whether you use Splunk or Microsoft; you should use a UBA solution.
We will probably stick with QRadar for the foreseeable future. It depends on the developments in the SIEM market. We will probably continue with IBM because changing SIEM is not something you do lightly. As long as we keep the IBM SIEM, we will continue to use QRadar UBA.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Engineer at Insa
An IBM solution that automatically creates asset profiles by using passive flow data and vulnerability data to discover your network servers and hosts
Pros and Cons
- "I think QRadar is great overall. We’ve had a positive experience with it and recommend it for deployment. However, there are areas for improvement. The technical support is good, and the documentation is valuable, but it could be enhanced, especially regarding integration with other systems. In terms of support and updates, QRadar’s capabilities are crucial for maintaining high security standards. Network and software administrators can monitor all traffic effectively, which reassures clients and drives further adoption."
- "For future updates, I'd like to see more advanced threat intelligence features integrated with AI. This would help with analyzing traffic patterns and improving protection. QRadar currently doesn't integrate with AI for threat analysis. However, AI could enhance its capabilities by learning traffic patterns and automatically blocking or quarantining suspicious traffic. This would be especially useful when administrators are not actively monitoring. AI could help by analyzing incoming and outgoing traffic and adjusting policies accordingly."
What is our primary use case?
I’m working with the on-prem version of IBM Security QRadar. We initially deployed it with the help of IBM’s professional services for a client, but now we handle deployments ourselves. The process is quite straightforward for us because we gained knowledge from our first implementation and used the available documentation. Deployment takes a couple of hours the first time, including configuration and integration with third-party devices. I usually work with a colleague, so two people handle the deployment. Our environment is well-suited for this, and we’re using it on a virtual appliance. The experience has been smooth and efficient.
We are promoting QRadar to various financial institutions, including banks and microfinances, as a superior option compared to other vendors like Fortinet. While some institutions are using other solutions, we are encouraging them to switch to QRadar for better security.
How has it helped my organization?
We monitor tweets and other activities on the IBM Security QRadar portal. Once, we noticed unusual traffic patterns, like tweets triggering alerts, and we blocked that traffic. We also detected some security issues on the APM through the portal, which was a great experience. As for integration, we’ve successfully integrated QRadar with other security products like Cisco, Fortinet, and Check Point. Initially, we worked with IBM’s professional services to guide us through the integration process, and after that, we were able to follow their steps to integrate third-party devices ourselves.
QRadar has a significant impact on operational costs for clients. For example, we’re recommending QRadar to several banks due to its effectiveness in handling high traffic and preventing scams. The banks we’ve worked with are very satisfied and are encouraging others to deploy QRadar as well.
What is most valuable?
I think QRadar is great overall. We’ve had a positive experience with it and recommend it for deployment. However, there are areas for improvement. The technical support is good, and the documentation is valuable, but it could be enhanced, especially regarding integration with other systems.
In terms of support and updates, QRadar’s capabilities are crucial for maintaining high security standards. Network and software administrators can monitor all traffic effectively, which reassures clients and drives further adoption.
What needs improvement?
For future updates, I'd like to see more advanced threat intelligence features integrated with AI. This would help with analyzing traffic patterns and improving protection. QRadar currently doesn't integrate with AI for threat analysis. However, AI could enhance its capabilities by learning traffic patterns and automatically blocking or quarantining suspicious traffic. This would be especially useful when administrators are not actively monitoring. AI could help by analyzing incoming and outgoing traffic and adjusting policies accordingly.
For how long have I used the solution?
I have been using IBM Security QRadar for the last year.
What's my experience with pricing, setup cost, and licensing?
As for licensing costs, I haven't seen the exact figures, but it is considered somewhat costly. On a scale from one to ten, where one is very expensive and ten is very cheap, I would rate it a six; it’s costly but worth the money.
What other advice do I have?
Overall, I would rate IBM QRadar as a ten.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Last updated: Sep 30, 2024