IBM Security QRadar Reviews

Currently, we are using only Amazon Web Services for monitoring. We have CloudTrail, GuardDuty, Avast, and some Kubernetes security we have installed on Amazon AWS. By getting these logs, we have created the uses for these components.

I have used IBM QRadar User Behavior Analytics in a Cloud Pak on Amazon, and there it runs on top of it and is easy to assess. Additionally, I have installed processes and characters.

The most useful feature of IBM QRadar User Behavior Analytics is the User Behavior Analytics aspect. For example, whoever logs into the Amazon AWS to the interface, if someone is logging in for the first time that the administrator has created, or someone is logging in, we receive an email notification saying that they have logged in, we need to check. Based on that, we will start checking to see if the visit was a valid one or a malicious one. Even if we only have a few users, such as 25 to 30 Amazon AWS records.

Whenever we are upgrading or installing any type of patch, at that time we have some delays. 

 Sometimes by mistake, AWS has migrated some other accounts to my enrollment. At that time, we receive a notification special for that. We have created one rule and a case. We receive a notification and we are informed that the Amazon AWS team, sent an email apologizing for this happening. They have confirmed that going forward we will not receive this type of account modification issue. They have sent an email to us. 

If you are searching for three to four months back it takes and there is a time delay. If I compare it to Splunk, it is a little bit delayed. It is because Splunk is using Elasticsearch, while IBM QRadar User Behavior Analytics uses a normal one. For example, if Splunk takes two minutes, it will take IBM QRadar User Behavior Analytics approximately three minutes.

I have been using IBM QRadar User Behavior Analytics for approximately seven years.

I have used many other solutions previously, such as Splunk and McAfee SIEM tool.

The initial setup of IBM QRadar User Behavior Analytics is straightforward. We only have to activate a few aspects. We directly installed our process characters, and an all-in-one setup with it to do the installation. The deployment took use 30 to 40 minutes. However, if you want to add components it will take more time.

We have seen a good return on investment with IBM QRadar User Behavior Analytics.

We pay approximately $40,000 to use the solution annually. This solution is a lot less expensive than Splunk.

I rate IBM QRadar User Behavior Analytics an eight out of ten.

We use QRadar to collect logs and monitor user activity and traffic from one network to another. The SOC team is in a room watching the logs from the tool live most of the time. 

QRadar monitors all internet activity and the output of every device configured to send a log. All traffic from various networking devices passes through the QRadar servers, and we can view it live.

We have two data centers, and QRadar is deployed in one. It comes with two physical appliances to allow failover capability. There's a management interface that binds them together, and we set up an interface for each device connected to the network that sends a log.  

QRadar allows you to filter by the source and destination IPs and see detailed logs on that. For example, if a user is trying to access a server using a malicious port like 4.5.0, I can get valuable data and take action from other devices. 

It also has a graph that shows the traffic history. I can see what happened yesterday or today. If there's an incident, I can check the traffic behavior on QRadar.

I would like to see QRadar add more integration and interoperability. For instance, we are not able to send logs from Windows servers. We can send logs to the QRadar server from network devices and other types of servers. However, we have more than a hundred Windows servers that still don't use QRadar. 

Our company has been using QRadar for the last five years. We implemented it in 2017.

QRadar's performance has room for improvement because it cannot handle the volume. I need massive amounts of logs from various devices in our existing network architecture. IBM needs to improve QRadar's capacity to handle more logs. 

Usually, disk space is the issue. When it runs out of space, we need to stop logs from different network devices, especially the firewall, before it starts working. 

It's hard for me to estimate the number of QRadar users because all of our banking traffic and user activity will pass through QRadar. At the higher end, more than 25,000 active users might use QRadar.

I was directly involved with the IBM support team during the implementation, and we received training for some time after. The service has been excellent and supportive. 

When we needed to upgrade, our security team invited the IBM technician back, and it was very smooth. Now, they are planning to set up redundancy in our second data center. Generally speaking, the support is good, and they check in about once a month remotely. I am directly involved with them, but I hear positive feedback from the team. 

The initial setup was configured in Linux on the server. We had a technical guy from IBM who came from Kenya. We only prepared the environment, like setting up the rack, but an IBM technician took care of the implementation. We also rely on the vendor for support and activities that require professional expertise.

I rate QRadar eight out of 10 for return on investment. We get a lot of valuable data from QRadar.

I rate QRadar eight out of 10. 

We are using mixed solutions. We are currently working with IBM solutions and Azure system services. We are using two SIEM solutions: Azure Sentinel and QRadar. Azure Sentinel is covering our cloud-based solutions, and QRadar is covering our on-premise solutions.

QRadar has a lot of connectors out of the box. It has a lot of predefined and pre-deployed connectors that you can use. 

It has a lot of good correlation rules. From a customer's point of view, it is one of the best solutions because you don't need to create correlation rules from scratch. You just review them and customize them as you want. 

It supports using SQL queries. Sentinel uses KQL, but you need to learn it from scratch.

It doesn't have a SOAR system by default. You need to purchase it additionally, which is the main problem with QRadar. 

Its reporting can be improved.

I have been using this solution for approximately three years.

It is stable.

It is scalable. It works for small, medium, and large enterprises. You can have a huge SOC, and you can implement it in a big company. 

Our company has more than 5,000 assets, and we are covering them all with the QRadar system.

We are using Azure Sentinel for our cloud-based solutions. The best functionality that you can get from Azure Sentinel is the SOAR capability. So, you can estimate any type of activity, such as when an alert was triggered or an incident was found.

Azure Sentinel doesn't have many connectors for third-party SIEM solutions. Many customers are struggling with the integration of Azure Sentinel with their on-premise SIEM.

If we start to collect all logs from our on-premise SIEM solutions, Azure Sentinel will cost much more than QRadar. If we calculate its cost over the next five or ten years, it will cost more than QRadar.

You have a one-time payment, and you also can purchase it for one year as a subscription. We have it on-premise, and we have a permanent license for it. We have to pay for the support on a yearly basis.

If you compare its cost with Sentinel for one year, QRadar would seem more expensive, but if you compare its cost over five or ten years, Azure Sentinel will be more expensive than QRadar.

I would recommend purchasing a cloud-based license subscription because it doesn't have any limits on the license. You can easily install it in a cloud environment. This cloud pack can be integrated with different types of SIEM solutions. So, you can use one management console to query all of the SIEM systems that you are managing. It is like having one window to manage your SOC. For example, a SOC can operate, manage, or provide services for different types of companies, and all these companies can have different types of SIEM solutions. With the cloud subscription of QRadar, you can cover all companies, which is good in my opinion.

I would recommend both QRadar and Azure Sentinel. It depends on the use case of a customer and the environment that they are using.

I would rate QRadar a seven out of ten. 

My use case for IBM QRadar User Behavior Analytics is to consolidate all the logs and events from a different tool so that I can see the alerts from that other tool on the dashboard.

My company connects the Windows event logs to the Xfinity router deployed on the main server, but I have to make some configurations to detect activities.

My team is working on reinforcing IBM QRadar User Behavior Analytics features since the solution has not been used for a while because there's a new generation of engineers in my company. My team has to reconfigure almost every screen, including IBM QRadar User Behavior Analytics.

What's most valuable in IBM QRadar User Behavior Analytics is its higher availability than other tools. It consolidates all alerts and detections from the other tools, but my team has to check each tool. As my company lacks the manpower to do that, my team has to do monitoring while working on making each function clear.

As a product, IBM QRadar User Behavior Analytics does everything mentioned on the datasheet for my company's version. Still, compatibility is a problem because my company needs to use an updated version of the tool. That version doesn't integrate with many new-generation tools, so this is an area for improvement.

You can scale IBM QRadar User Behavior Analytics, but it has room for improvement.

I've been using IBM QRadar User Behavior Analytics for years.

IBM QRadar User Behavior Analytics has been stable, and my team has made no significant changes since 2015. The team is working on utilizing it most efficiently.

The scalability of IBM QRadar User Behavior Analytics is a six out of ten.

My company doesn't get support from IBM because it's on a perpetual usage type of contract. My team can configure IBM QRadar User Behavior Analytics but cannot contact IBM for help.

When I used to get technical support for IBM QRadar User Behavior Analytics, I'd say it was a seven out of ten.

The version of IBM QRadar User Behavior Analytics, which my company uses, is a little outdated from 2013. That version doesn't have the log collection feature.

My rating for the version of IBM QRadar User Behavior Analytics I'm using is a seven overall.

The most valuable features currently are the security behaviors and pdf files.

I would like to see more integration in place after the security lock.

I have been using IBM QRadar User Behavior Analytics for a couple of years now.

The product is very stable.

The initial setup was straightforward and took three to four months to deploy.

We used a vendor team to assist us in the process of deployment.

I would rate IBM QRadar User Behavior Analytics an eight out of ten.

Our primary use case for the solution is providing visibility for what occurs in our security system and IT assets. So all our event logs and information from a setting and criticality level go there. Additionally, there's AI used to trigger alerts when things are going bad, and then we can action them.

We find predictive analysis capabilities valuable.

The solution should include remote action capabilities.

We have been using the solution for approximately three years.

The solution is stable.

The solution is scalable. Over 1,000 people in our organization use the solution.

The initial setup is moderate, and it is neither easy nor difficult. However, it took approximately one week to complete the implementation.

We implemented it through a vendor team.

We chose this solution because it was provided to us through software as a service.

I rate the solution an eight out of ten. The solution is good but can be improved with enhanced remote control ability. I recommend the solution to new users considering it.

We use the blocking mode and spam mode for the IPS - XGS 5000 series and use of QRadar as a SIEM Solution for logging and monitoring network security, security analysis, and monitoring for network-related attacks. 

The playbook is defined with identified use cases. IPS acted as an inline to the firewall. It helped to track and sniff the packet and match the details. It helped to reduce the insider and outsider attacks. The traffic is analyzed and helped users to know the patters and access level in the network and resource being used.

It helped our organization to identify and prevent security attacks.

We need to come with new releases and understand what will happen and how the customer will be able to manage and update the system what are ways in which user behavior and access to various resources in the network could be tracked and alerted in more robust manner. 

There needs to be proper patch management which is done in a controlled environment with a proper newsletter update. The new releases from the company in terms of product and services needs to be updated to product managers in organization.

The monitoring and dashboards are great. 

The user behavior analysis could be better. The playbook guide which specifies the rules for security use cases needs to be provided to support in case the organization needs help. The security playbook needs more help when it comes to QRadar. The QRadar implementation guide, especially in cluster environment, is complicated to deploy in an enterprise level. The support of SIEM of QRadar is complicated and when we encounter implementation issues it needs quick response. The skilled resources are really important for support.

I have deployed the solution for 230 sites across globe using for past seven years.

Our primary use case is logging for any anomalous traffic in terms of access times and deviations when users are in different groups within the AD. When a user deviates from their functionality, it's flagged in the UBA and for VPN traffic. I also use it for geolocation functionality. We are partners of IBM and I'm a system engineer. 

The timeline and the machine learning features are great at quickly flagging users who have either left the organization or have dormant accounts. The way that the app has transformed over time is quite phenomenal. One of the major improvements is its capacity for creating machine models. It comes with 16 default machine learning models, where it tracks user activity and changes in profiles and authentications. There are various default machine learning models and I'm able to model those to parameters that suit my needs. It's great that I'm able to implement an unlimited number of use cases on the UBA, putting in as many different kinds of logic as I want. It's a big advantage. 

I'd like to see improved support from the vendor. In addition there are things that are not documented on the IBM site. If you'd like to do something at a high level, the information is not available in the documentation and you have to find it elsewhere. 

I've been using this solution for five years. 

The solution has never crashed or failed, it's stable. 

We haven't tested scalability and currently have around 100 users. I'm responsible for maintenance.

The customer support is helpful but that's more about it being a good solution. 

The initial setup is straightforward, it's just a download and it installs. It's a matter of configuring a few parameters in terms of tweaking the thresholds that you want the app to fire in on. Installing takes a few seconds, but in terms of letting it land so that you can tweak it and tune the various metrics, takes about a week. 

This is a free solution which is one of the main reasons we chose it. It's just a matter of getting a license for the curator as a platform.

I recommend this solution and rate it seven out of 10.