IBM Security QRadar Reviews

I use IBM Security QRadar in my company for authentication of users and to block the access of a user to the internet. In my company, we have only used the basic version of the solution, and currently, we don't have a license for the product since we didn't renew it. The basic version of the solution fits my company's basic requirements.

IBM Security QRadar is not hard to implement and administrate. To serve new use cases or do the tuning and allow correlation rules, you may need training since it is necessary to know the solution. With IBM solutions, you need training to know how to use the different features of the solution. IBM needs to provide training to its users to teach them how to use the case manager and how to tune rules.

I have been using IBM Security QRadar since 2020, so I have experience with it for three years. I am a customer of IBM.

It is a scalable solution.

With IBM Security QRadar, my company faced issues with the support we received for the product. Basically, my company faced problems due to the delays or mistakes made by IBM's support team.

I rate the technical support a six out of ten.

Neutral

The solution is deployed on an on-premises model.

For the product's implementation, my company took two months. To implement all log sources, my company took somewhere between three to five months.

IBM Security QRadar is a very expensive tool.

In the future, my company would want the cloud version of the solution and not its on-prem version.

I rate the overall tool a seven out of ten.

My use case for IBM QRadar User Behavior Analytics is to consolidate all the logs and events from a different tool so that I can see the alerts from that other tool on the dashboard.

My company connects the Windows event logs to the Xfinity router deployed on the main server, but I have to make some configurations to detect activities.

My team is working on reinforcing IBM QRadar User Behavior Analytics features since the solution has not been used for a while because there's a new generation of engineers in my company. My team has to reconfigure almost every screen, including IBM QRadar User Behavior Analytics.

What's most valuable in IBM QRadar User Behavior Analytics is its higher availability than other tools. It consolidates all alerts and detections from the other tools, but my team has to check each tool. As my company lacks the manpower to do that, my team has to do monitoring while working on making each function clear.

As a product, IBM QRadar User Behavior Analytics does everything mentioned on the datasheet for my company's version. Still, compatibility is a problem because my company needs to use an updated version of the tool. That version doesn't integrate with many new-generation tools, so this is an area for improvement.

You can scale IBM QRadar User Behavior Analytics, but it has room for improvement.

I've been using IBM QRadar User Behavior Analytics for years.

IBM QRadar User Behavior Analytics has been stable, and my team has made no significant changes since 2015. The team is working on utilizing it most efficiently.

The scalability of IBM QRadar User Behavior Analytics is a six out of ten.

My company doesn't get support from IBM because it's on a perpetual usage type of contract. My team can configure IBM QRadar User Behavior Analytics but cannot contact IBM for help.

When I used to get technical support for IBM QRadar User Behavior Analytics, I'd say it was a seven out of ten.

The version of IBM QRadar User Behavior Analytics, which my company uses, is a little outdated from 2013. That version doesn't have the log collection feature.

My rating for the version of IBM QRadar User Behavior Analytics I'm using is a seven overall.

Our primary use case is in the banking industry in two banks here in Egypt. We generally are monitoring the user behavior of the employees, For example, working after working hours, and signing into the machines after working hours.

The most valuable feature is the machine learning module.

I would like to see the interface improved along with the tuning and any adjustments when it comes to maintenance. It is not straightforward. I would also like to see some artificial intelligence and alternative solutions.

I have been using IBM QRadar User Behavior Analytics for almost five years now.

I would give stability an eight on a scale of one to ten.

The scalability is not a problem and we have above three thousand in our organization.

The initial setup is extremely easy and straightforward.

The deployment took around two to three days and we did it ourselves in-house. We simply downloaded the application and went from there following the deployment process.

We are seeing a return on investment when it comes to profiling the employees.

The pricing is higher but cheaper than others and there are no additional costs.

We looked at ArcSight but the cost is more expensive than IBM. ArcSight did have the artificial intelligence model.

I would recommend tuning it to the maximum before going live. I would rate IBM QRadar User Behavior Analytics a seven on a scale of one to ten.

The primary use case of this solution is to help customize the workflows and dashboards for our clients in a secure manner.

The solution has helped improve our organization by providing the comfort and visibility that we are, meeting compliance, and doing our due diligence in analyzing events from multiple sources and correlating threat activity. 

The most valuable features are the AI assistant, which is good at detecting known types of behavior. The solution can analyze different logged events, and network activity and create a correlation. The solution is easy to customize and tune compared to other products.

The solution can be improved by lowering the cost and bettering their technical support.

I have been using the solution for three and a half years.

The stability of this solution is rock solid, a ten out of ten.

The solution appears to be scalable. I have used the solution in organizations with users ranging from 2000 to 10,000.

The technical support eventually gets the job done.

Positive

Depending on what the client is looking for I have used and recommended ArcSight, Splunk, and Cisco.

The initial setup is in-between straightforward and complex. Any SIEM solution is complex, but compared to other products, it is the middle of the road. It's not as difficult or cumbersome, especially when you compare it to ArcSight being the most difficult where you require a whole team of people to really derive any value.

Most of our clients have seen a return on investment because compared to other solutions it does not require a busload of people to operate it and it is reasonably priced.

The solution is costly and the price differs depending on the vendor you use.

I give the solution an eight out of ten.

The solution is fairly easy to maintain and the learning curve is reasonable compared to other products to customize the workflow dashboards and get meaningful insight as far as what is happening within our organization. The solution is also fairly straightforward to integrate with different data log sources.

The solution requires three to five people to maintain including one analyst, an engineer, and an architect.

I suggest before using the solution you know what your process is, know what your logging sources are, and plan well because It's really a leadership challenge. The solution is better deployed than other models.

Our company includes 20 senior engineers and analysts who use the solution to detect viruses on Windows servers and critical assets.

We also track user activity such as connections during travel. 

We have many use cases and playbooks in our portfolio. 

Our company uses the solution as our main CM to detect malicious activity. There are many campaigns targeting Europe and other countries so it is important that we remain vigilant about suspicious activity inside our organization. 

The solution uses rules to identify suspicious activity that needs to be investigated. We conduct advanced forensic investigations based on the solution's output, including collecting logs from devices and correlating them for processing by a security analyst. 

Blocks of predefined conditions can be used to configure detection rules without having to write complicated script. 

Real-time detection is quite efficient and valuable. Other products such as Splunk focus only on running searches to detect a particular behavior.

The Vulnerability Manager module is useful and quite efficient. 

The dashboard and reports are not user-friendly or efficient so are of little help with threat hunting activity. We deal with large data sets so need to have great visibility for detection of malicious activity and indicators for cybersecurity. 

For example, the dashboards for Power BI and Splunk are very efficient and it is easy to observe suspicious activity. 

I have been using the solution for five years.

The solution is stable and easy to use if deployed well.

On occasion, you might get an error when running advanced analytics but reboots are not needed. 

The solution is scalable and it is easy to add appliances or expand your license. 

Engineers used technical support regularly between 2016 and 2019 and found them to be very helpful and responsive. If a situation was urgent, technical support intervened immediately. 

I rate technical support an eight out of ten. 

Positive

I used the solution, switched to Splunk, then switched back to the solution. 

The ease of setup is based on the complexity of your environment and network architecture.

The initial setup is not complicated and should go smoothly if you set all predefined requirements prior to installing the solution.  

It took us two weeks to prepare all requirements and a few hours to deploy which included installing all resources. 

Documentation for the installation process is pretty straightforward. 

An in-house team that handles integrations was responsible for implementing the solution. Myself and other cybersecurity analysts participated with the team.

A team of three engineers handle ongoing maintenance for our large environment. 

The solution has a licensing model that is based on events per second so it scales to need and budget. 

At the time of deployment, we were premium partners with IBM so received advantageous pricing. 

The on-premises solution and its license are not impacted by the number of users so it is easy to add staff. 

In my experience, Splunk is efficient because it is customizable. You can create scripts to detect multiple behaviors based on scheduled jobs. 

I rate the solution a seven out of ten because it is difficult to write script for advanced detection cases and the dashboard is insufficient. 

We use the blocking mode and spam mode for the IPS - XGS 5000 series and use of QRadar as a SIEM Solution for logging and monitoring network security, security analysis, and monitoring for network-related attacks. 

The playbook is defined with identified use cases. IPS acted as an inline to the firewall. It helped to track and sniff the packet and match the details. It helped to reduce the insider and outsider attacks. The traffic is analyzed and helped users to know the patters and access level in the network and resource being used.

It helped our organization to identify and prevent security attacks.

We need to come with new releases and understand what will happen and how the customer will be able to manage and update the system what are ways in which user behavior and access to various resources in the network could be tracked and alerted in more robust manner. 

There needs to be proper patch management which is done in a controlled environment with a proper newsletter update. The new releases from the company in terms of product and services needs to be updated to product managers in organization.

The monitoring and dashboards are great. 

The user behavior analysis could be better. The playbook guide which specifies the rules for security use cases needs to be provided to support in case the organization needs help. The security playbook needs more help when it comes to QRadar. The QRadar implementation guide, especially in cluster environment, is complicated to deploy in an enterprise level. The support of SIEM of QRadar is complicated and when we encounter implementation issues it needs quick response. The skilled resources are really important for support.

I have deployed the solution for 230 sites across globe using for past seven years.

There is a Pulse dashboard that they have. From a reporting perspective, we'll be creating dashboards based on the pulse functionalities. 

There are other third-party plugins that we can use as well. We can initiate in the QRadar platform, however, Pulse is one of the most user-friendly options. 

Along with that, there are out the box rules and out the box dashboards that we have available to us. Mostly what we are concentrating on is creating the rules and fine-tuning the rules to align properly with the customer infrastructure depending upon the customer's requirements. Pulse, UEBA, and NBAD are the features that are the best. They are the most useful from a SOC manager perspective.

The AQL queries could be better. With the queries, there's an option for you to create dashboards based on the queries that they have. The documentation that is available for AQL queries is not well received. They could maybe look at how Microsoft is leveraging AQLs from a Sentinel perspective and create more documentation and training materials and make those more available to the general public.

They have to facilitate more learning opportunities. Microsoft has something called Playground where you have some sample logs and where you can learn how to work on all this stuff, however, there is nothing like that for IBM. They really could make it more generalized and accessible to the general analyst population.

Technical support should be improved.

In terms of QRadar, I've used it for close to two years. I worked for a customer that is a managed security service provider. What we do is we will provide SOC as a service and QRadar. IBM is one of the partners that we have. Depending upon the customer considerations and customer preferences, we will either engage QRadar or Sentinel according to the customer preferences. Splunk and LogRhythm we also use on an as-needed basis. 

What they have claimed is 99.5% uptime. However, I'm not very sure whether there's an implementation problem or not. Sometimes the system gets hung and then we have to restart everything from the scratch. You have got these multi printing options, though not functionally. Sometimes it gets some jitters there. Sometimes there are cases where we are finding it very difficult to get into the system as there can be three or four people logging into the same platform at the same time and sometimes the reduces the speed a lot.

From an architect implementation perspective, the role that I have played is very limited. I'm not very sure about scaling. I'm not in a position to comment on that part. That said, once everything is implemented, I've noted that it's not as scalable as Sentinel or Splunk on the cloud, for sure. That is the same for LogRhythm and QRadar. Obviously, cloud-hosted applications will be more scalable and more resilient.

Technical support is something that has always been an issue for us. We have to raise a ticket and the products team will be available, however, depending upon the criticality, sometimes the support is not very easily accessible on weekends and on Friday evenings.

I've also worked with Sentinel, Splunk, QRadar, and LogRhythm. 

Compared to Sentinel, the initial setup is a bit complex. Depending upon whether you're going ahead with the cloud version or on-prem version, there is human involvement, however, normally everything is done by the platform engineer. I don't have to get my head into that part. Once everything is up and running, that is when we have to start working from our side. I'm sure it is more complex than a plug-and-play Sentinel, where connectors are easily available and just have to click, click and get things done.

The administration and maintenance would be two or three people depending upon the availability. I'm not very sure about troubleshooting. I'm coming at the solution from a user perspective. I'm more concerned with the rule fine-tuning and rule-building part. That kind of troubleshooting will be done with the platform team, which specializes in that. 

Licensing is mostly dependent on the EPS, events per second. Depending upon the number of products that are integrated with the platform, we have to come to an optimal EPS value. I'm not very sure about the financials, however, the licensing cost cannot be as much as that for Sentinel, which is not very low. For customers who need medium EPS values, we advise QRadar.

The basic out the box cost covers, the EPS value that you have specified, and then some archiving maybe. It should include at least six months of archiving and other functionalities. Most of the customers will go for the standard package and we don't have to go for extra archival or enhanced DPS. 10% to 15% of DPS can always be increased. It will not completely shut down the system, however, it'll start sending us notifications that the DPS is getting increased and then we can go for a higher licensing.

The version we use depends on when the customer is onboarded. Whenever recent onboarding takes place, we use the most up-to-date versions. However, there are customers that we have been facilitating for the past two or two and a half years and they might be using the previous versions. There are proper version upgrades that happen on a quarterly basis. 

I'd rate the solution seven out of ten.

Currently, we are using only Amazon Web Services for monitoring. We have CloudTrail, GuardDuty, Avast, and some Kubernetes security we have installed on Amazon AWS. By getting these logs, we have created the uses for these components.

I have used IBM QRadar User Behavior Analytics in a Cloud Pak on Amazon, and there it runs on top of it and is easy to assess. Additionally, I have installed processes and characters.

The most useful feature of IBM QRadar User Behavior Analytics is the User Behavior Analytics aspect. For example, whoever logs into the Amazon AWS to the interface, if someone is logging in for the first time that the administrator has created, or someone is logging in, we receive an email notification saying that they have logged in, we need to check. Based on that, we will start checking to see if the visit was a valid one or a malicious one. Even if we only have a few users, such as 25 to 30 Amazon AWS records.

Whenever we are upgrading or installing any type of patch, at that time we have some delays. 

 Sometimes by mistake, AWS has migrated some other accounts to my enrollment. At that time, we receive a notification special for that. We have created one rule and a case. We receive a notification and we are informed that the Amazon AWS team, sent an email apologizing for this happening. They have confirmed that going forward we will not receive this type of account modification issue. They have sent an email to us. 

If you are searching for three to four months back it takes and there is a time delay. If I compare it to Splunk, it is a little bit delayed. It is because Splunk is using Elasticsearch, while IBM QRadar User Behavior Analytics uses a normal one. For example, if Splunk takes two minutes, it will take IBM QRadar User Behavior Analytics approximately three minutes.

I have been using IBM QRadar User Behavior Analytics for approximately seven years.

I have used many other solutions previously, such as Splunk and McAfee SIEM tool.

The initial setup of IBM QRadar User Behavior Analytics is straightforward. We only have to activate a few aspects. We directly installed our process characters, and an all-in-one setup with it to do the installation. The deployment took use 30 to 40 minutes. However, if you want to add components it will take more time.

We have seen a good return on investment with IBM QRadar User Behavior Analytics.

We pay approximately $40,000 to use the solution annually. This solution is a lot less expensive than Splunk.

I rate IBM QRadar User Behavior Analytics an eight out of ten.