IBM Security QRadar Reviews

There is a Pulse dashboard that they have. From a reporting perspective, we'll be creating dashboards based on the pulse functionalities. 

There are other third-party plugins that we can use as well. We can initiate in the QRadar platform, however, Pulse is one of the most user-friendly options. 

Along with that, there are out the box rules and out the box dashboards that we have available to us. Mostly what we are concentrating on is creating the rules and fine-tuning the rules to align properly with the customer infrastructure depending upon the customer's requirements. Pulse, UEBA, and NBAD are the features that are the best. They are the most useful from a SOC manager perspective.

The AQL queries could be better. With the queries, there's an option for you to create dashboards based on the queries that they have. The documentation that is available for AQL queries is not well received. They could maybe look at how Microsoft is leveraging AQLs from a Sentinel perspective and create more documentation and training materials and make those more available to the general public.

They have to facilitate more learning opportunities. Microsoft has something called Playground where you have some sample logs and where you can learn how to work on all this stuff, however, there is nothing like that for IBM. They really could make it more generalized and accessible to the general analyst population.

Technical support should be improved.

In terms of QRadar, I've used it for close to two years. I worked for a customer that is a managed security service provider. What we do is we will provide SOC as a service and QRadar. IBM is one of the partners that we have. Depending upon the customer considerations and customer preferences, we will either engage QRadar or Sentinel according to the customer preferences. Splunk and LogRhythm we also use on an as-needed basis. 

What they have claimed is 99.5% uptime. However, I'm not very sure whether there's an implementation problem or not. Sometimes the system gets hung and then we have to restart everything from the scratch. You have got these multi printing options, though not functionally. Sometimes it gets some jitters there. Sometimes there are cases where we are finding it very difficult to get into the system as there can be three or four people logging into the same platform at the same time and sometimes the reduces the speed a lot.

From an architect implementation perspective, the role that I have played is very limited. I'm not very sure about scaling. I'm not in a position to comment on that part. That said, once everything is implemented, I've noted that it's not as scalable as Sentinel or Splunk on the cloud, for sure. That is the same for LogRhythm and QRadar. Obviously, cloud-hosted applications will be more scalable and more resilient.

Technical support is something that has always been an issue for us. We have to raise a ticket and the products team will be available, however, depending upon the criticality, sometimes the support is not very easily accessible on weekends and on Friday evenings.

I've also worked with Sentinel, Splunk, QRadar, and LogRhythm. 

Compared to Sentinel, the initial setup is a bit complex. Depending upon whether you're going ahead with the cloud version or on-prem version, there is human involvement, however, normally everything is done by the platform engineer. I don't have to get my head into that part. Once everything is up and running, that is when we have to start working from our side. I'm sure it is more complex than a plug-and-play Sentinel, where connectors are easily available and just have to click, click and get things done.

The administration and maintenance would be two or three people depending upon the availability. I'm not very sure about troubleshooting. I'm coming at the solution from a user perspective. I'm more concerned with the rule fine-tuning and rule-building part. That kind of troubleshooting will be done with the platform team, which specializes in that. 

Licensing is mostly dependent on the EPS, events per second. Depending upon the number of products that are integrated with the platform, we have to come to an optimal EPS value. I'm not very sure about the financials, however, the licensing cost cannot be as much as that for Sentinel, which is not very low. For customers who need medium EPS values, we advise QRadar.

The basic out the box cost covers, the EPS value that you have specified, and then some archiving maybe. It should include at least six months of archiving and other functionalities. Most of the customers will go for the standard package and we don't have to go for extra archival or enhanced DPS. 10% to 15% of DPS can always be increased. It will not completely shut down the system, however, it'll start sending us notifications that the DPS is getting increased and then we can go for a higher licensing.

The version we use depends on when the customer is onboarded. Whenever recent onboarding takes place, we use the most up-to-date versions. However, there are customers that we have been facilitating for the past two or two and a half years and they might be using the previous versions. There are proper version upgrades that happen on a quarterly basis. 

I'd rate the solution seven out of ten.

I'm an administrator. I have been leading the security operation center for the past four years. I have more than 12 members or SOC analysts for our 24/7 operations. I have been pitching the solutions to multiple customers, and I have also designed, implemented, and administered customer projects and completed them at the specified timeline.

We have many use cases. The most common use cases are related to insights into any threats from the inside and outside. I have also configured X-Force with QRadar, and we are getting all the feeds showing malware-based IPs, etc. I also have designed some anomaly-based rules in case anyone has logged in from outside Pakistan. Most of the rules are custom-based.

The QNI feature is the one I am very interested in, and I have also been interested in Watson. From the log analysis and the security perspective, we are able to dive deep into any of the logs and anomalies.

It is user-friendly, and it is easy to develop. If you know the architecture, what to develop, and how to get the output for your results, you can easily work with it.

I have also been working with other SIEM solutions, and I have observed that they have extensive Linux-based and Unix-based integrations. They have been able to support some of the Linux-based agents, which is useful to investigate and process the information on the Linux and Unix side.

It could have pre-defined automation and integration of all those device parameters that analysts have to share manually.

It is stable.

I would rate them a 3.5 out of 5.

It is not very difficult. I have done more than 10 deployments, and I have integrated and developed custom applications. I have also developed a Python-based script to support me with the things that IBM cannot support. I am using that script from the health check perspective. It gives me a high-level and low-level overview of QRadar with respect to the rules that have been triggered and the notifications that have been generated and how to tune them.

I would rate it an eight out of 10.

When it sends the log source, QRadar generates a lot of noise and false positives. LogRhythm logs when the alarm rules are disabled, so it doesn't generate any noise when sending the log source. I think LogRhythm's one, this one too. QRadar, we have to cure it all the time. It's only this advantage with QRadar.

I would also like to see more integration with other vendors. IBM doesn't integrate well with products from China, like Huawei. Many Middle Eastern customers are switching to Huawei from American vendors like Cisco because of the price. In most RFPs, Huawei wins because it costs less. 

IBM needs to integrate better with Huawei. I opened one case with IBM, and they told me to submit a request for enhancement so they could write the correct DSMs to integrate with Huawei. We were very disappointed. Customers who want to implement QRadar or LogRhythm need to consider all the other components. The environment needs to be homogenous to avoid problems due to a lack of integration.

My old company used QRadar, so I still use it sometimes when I consult for them. They get stuck on a few things. I also worked on vulnerability discovery. Right now, my current customers are migrating from QRadar to LogRhythm.

QRadar is built around Red Hat Linux, which is highly robust.

IBM's support for QRadar could be improved. Sometimes it takes them two days to reply to a low-priority case. However, it tasks them about 1.5 hours to respond to a more serious case. Sometimes our customer service will think it's a priority one case, so he asks me to open it as priority one, then IBM reduces it to two or three. 

We don't have any security appliances from Huawei, but they have the best technical support. We have engineers everywhere with CRM, and they call you after the problem is resolved. IBM closes the case, and that's it. It's a very restricted environment. 

QRadar is reasonable compared to LogRhythm.

I rate IBM QRadar nine out of 10. If you're going to use QRadar, you have to be familiar with it and know all the components. IBM offers free appliances, like data nodes, that offload many processes from the collectors and the processors. 

Every engineer must understand the overall portfolio to add some value to the solutions. If a solution isn't integrated with other solutions, they are only collectors. You need to tune the rules and be up to date with the Mitre Att&ck framework all the time.

QRadar is our SIEM solution. Our use cases include authentication between logins, database security, monitoring, and user behavior analytics.

QRadar is helping us to identify ongoing, day-to-day threats. We use it to analyze the risk in our environment, including user behaviors. We can easily monitor many things using this tool.

All of the features offered by this product are useful for analysis. Essentially, everything that it offers is critical and we use it.

Several things need to be improved.

We have been struggling with the QRadar support team for quite a long time. There are things that they can reproduce in their lab environment and can fix, yet we struggled with them trying to get this done. These issues included things like custom logs. There are many things that they need to improve upon.

This product should support multiple log sources.

They need to improve their threat intelligence feed and they need to improve their user behavior analytics modules.

The risk manager module needs to be improved.

It's not a very user-friendly interface.

I have been working with IBM QRadar for seven years.

IBM QRadar is quite stable.

We have approximately 50 users and we keep expanding its usage. It is growing on the infrastructure level, as well as the EPS level.

Three or four administrators are all that is required for the maintenance.

I recommend this product for large enterprises.

We have had a lot of trouble with technical support. As of late, they take too long to respond to our issues. For 99% of our issues, they take too long to respond. It's not instant.

I do not have any experience with other SIEM solutions. QRadar is the first one for me.

The initial setup is complex because it is not managed properly.

Our implementation strategy is based on it being a distributed environment.

We completed the implementation and deployment ourselves.

We did not evaluate other options prior to selecting QRadar.

This is a good product for large enterprises. Smaller companies should implement an open-source solution but for a large enterprise, QRadar is a good product.

I would rate this solution a seven out of ten.

We are a product-based organization. We use this solution for a shared SOC service and security audits and compliance.

There are a lot of features in QRadar. App Exchange is the most valuable feature. User behavior analytics (UBA) is also a very good feature. Watson is also there, but we are not currently using Watson.

It is versatile and quite easy. It also has an all-in-one-box feature and good integration with AWS. 

SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar.

It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want. 

If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment.

It is stable. There are no incidents when SIEM completely stopped. 

I have expanded it. It is very good in terms of scalability. Because it is on the cloud, it can be scaled anytime. If I want to increase my CPU's RAM, I can do it. At any point in time, if I want to get additional licenses, I can just call support, and they will provide that.

I have around six customers who are using QRadar in a shared model. We do have plans to increase its usage. We are looking after different customers, and when they're ready, we can integrate it.

They are good and responsive. However, because of COVID, of late everyone is working from home, and sometimes, their response has been a little bit slow for incidents. They did apologize for that.

It is straightforward. AWS has a feature called Marketplace in its environment. When we click it, we can load it directly. It doesn't take more than two to three days to completely deploy the infrastructure. 

They can give us some scalability and flexibility on pricing. If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment and grow business in the market. If I start a license today and take around 10,000 EPS, and after a month, there is an increase in the number of clients on my platform, I can increase the number of licenses. I can add 5,000 EPS on a yearly basis.

We chose QRadar over McAfee ESM.

It has good integration with AWS. AWS has come up with a Marketplace click-in option that provides direct integration between your AWS and data centers or cloud solutions through a small VPN. It allows you to bring up small environments with 5,000 EPS or 6,000 EPS or even 3,500 EPS or 2,500 EPS very quickly. It is very flexible and not at all tough for a startup engineer to click and bring solutions inside. It is quite easy.

I would rate IBM QRadar an eight out of ten.

I am a system integrator. We have installed it on-premises, on the cloud, in distributed environments, and all other environments for our clients.

We have worked with other solutions, such as LogRhythm and Splunk. Compared to others, IBM QRadar has the best price-performance ratio so that you are able to reserve minimum costs. It starts settling in fast and gets the first results very quickly. It is also very scalable.

There are a lot of things they are working on and a lot of technologies that are not yet there. They should probably work out a better reserve with their ecosystem of business partners and create wider and more in-depth qualities, third-party tools, and add-ons. These things really give immediate business value. For instance, there are many limitations in using SAP, EBS, or Micro-Dynamics. A lot of things that are happening in those platforms could also be monitored and allowed from the cybersecurity risks perspective. IBM might be leaving this gap or empty space for business partners. Some larger organizations might already be doing this.

It would be very nice if IBM can make some artificial intelligence part free of charge for all current QRadar users. This would be a big advantage as compared to other competitors.

There are companies that are going in different directions. Of course, you can't do everything inside QRadar. In general, it might be very good for all players to provide more use cases, especially regarding data protection and leakage prevention. There are some who are already doing some kind of file integrity or gathering some more information from all possible technologies for building anything related to the user and data analysis, content analysis, and management regarding the data protection.

I have been using this solution since 2011.

If the engineers are missing some technical knowledge from IBM documentation, then it might get interesting, but you can always rollback. Usually, when you are implementing innovations, as a system integrator, you usually do less on the test environment, and then you check if this works. If bigger organizations and customers want to do it by themselves, they should really stick to this approach and use a lot of material, community pages, and channels.

There is absolutely no problem with scalability. It works very fine, especially when you are running just clients. It doesn't matter how many variants you have all across the culture. You can practically have different continents. It doesn't matter how many collectors are running. You can easily distribute the current license to multiple users, and all the collectors can upload it without any restrictions.

We have worked with other solutions. Splunk is a long-term trap because it is very expensive, and it gets more and more expensive. It has different times, and it is integrated with different products. When you combine that together with licensing, it obviously fails. You are paying a lot more than QRadar.

LogRhythm has some problems with stability. We were the first partner to do some integrations with LogRhythm, but we had some problems. ArcSight was smaller at the time but not anymore. It is now a competitor. Fortinet is very good for those who are already using some software products from them.

It usually happens within two or three hours, but it also depends on the preparation. If good homework is done, then the initial setup is totally flawless. It is ready very soon. We then try it and wait for maybe a couple of days more. After that, we start fine-tuning, and then we do advanced installations.

For us, such projects usually don't start without any experience with technology and the concepts. When you are buying it, you need to know all the information systems, create a list of tasks and priorities, and understand the use case better. 

A lot of such innovations or implementations initially can be done by one person, two persons, or maybe a team of five dedicated administrators who later on will be using this technology or solution. You need to understand that there are different roles of people who are working with cybersecurity and threat management, such as an analyst, a simple technical maintenance performer, an administrator, a user behavior analyst, etc.

It is not something like a next-generation firewall, next-generation intrusion prevention, or the most complex tool that you have got, which you can install and configure and then see if it runs smoothly. It is a completely different story in QRadar or any similar technology. These solutions or technologies have to be managed continuously. 

The biggest mistake that innovations people usually make is that they don't plan the total cost of the technology tools for a period of five years, especially because they don't know what kind of new threats are coming out. Despite that, IBM is very early in doing some kind of new content packs and including data enforcement, etc. When new threats are coming in, you effectively need to adjust. The more complex use cases you have, the more complex the responses will be. You might have different systems or you might be working in different time zones.

When buying, people think that 70% to 80% percent of the initial purchase is the total they are going to spend within next year at this time, and then every next year, they will spend like 20% or 25% on the technical support, maintenance, development of the system, etc. When you are talking about a huge, complex, and central cybersecurity threat management system, it is more likely that you are implementing a document management system and some complex CIP systems, etc. The cost of the license and the cost of the hardware initially can make up around 20%, 30%, or less percent of the total budget that is needed for quality management of such solutions for a longer period of time. 

Some people think that if they buy this for 100,000 pounds or euros, the next year, they can buy just annual subscriptions for 25,000 or 20,000. You may have some internal costs for the license, etc. If you are buying for, let's say, 100,000, you might have to make your budget for 200,000 more, because it needs to have certain people who are doing everything with the solution. You need to train them and send them to the IBM international technology academies and events such as Visor to know about its management and maintenance. You probably also need to do some certification, so you need to go for a course for implementation. A lot of internal work should be done to adjust the solution with other departments, and those other departments usually don't like such central, overseeing, and controlled solution. They, later on, learn that they can get a lot of different, useful reports out of it without doing additional work. 

I would rate IBM QRadar an eight out of ten. Every technology has some weaknesses and strengths. It has a lot of points to improve, but based on everything that we have seen in the market and from other customers, this is, so far, at least in Europe, the best solution.

We use this solution for deploying and integrating log sources and use cases.

We use it to generate offensives based on normal behavior and suspicious behavior from our security tools, firewalls, and other solutions.

We have applied a set of old and new rules to QRAdar that aim to detect persistent abnormalities in our environments.

Within our organization, our security operations center and users from our local security team — roughly 10 to 12 users — use QRadar. We plan to expand to other areas of the company so that other people can use QRadar for different use cases. But right now only the security teams use it.

It's more of what it has provided for our company. We have much better visibility into our environment now. It has become much easier to create an alert for suspicious behavior, to operate on security incidents when they happen, and to drill down on specific events and figure out exactly which machines and users were involved.

I think the log search is pretty good. It's very easy to create complex searches and aggregate results and create graphics, etc. 

The rule engine is very easy to use — very flexible. We can create rules based on whatever behavior we want. It's very easy to use compared to Splunk. 

When we analyzed Splunk, that was the criteria that we looked at. Splunk was a lot more difficult to use and to create rules.

The standard rules they have are very comprehensive. There are many content packs in the apps that enrich those rules. We are still using the native rules from QRadar because there are many useful rules there. I think we're going to have a very good experience with them.

One thing one has to be aware is that qRadar doesn't have a standard UI style, but older (clunkier) and newer (more modern and easy to use) screens. The QRadar UI involves a lot of clicks and pop-ups to get where you want, which is certainly not the best UX, but isn't totally a pain also. Although it's a bit difficult to navigate through screens at first, the UX is pretty good once you learn the "qRadar way", which takes about a few weeks to master.

I have been using this solution for the last three months.

We had some bugs and we had to handle them. They impacted our deployment timeline, but all of the bugs that we had were quickly solved by engineers from IBM. Currently, we are not fully satisfied with the stability, but the support from IBM is very good and they can solve our problems very, very quickly.

There seems to be a cap-limit regarding scalability. IBM limits the amount of data you can send into the collectors so scalability-wise, it's not that optimum because sometimes we have a resource or a machine that tends to think it gets more events per second than it actually gets. Because of how the solution is made, If we send a large number of events to these event collectors, then they will start dropping events because we can't queue them. That seems to be by design — we aren't entirely satisfied with that. In this way, IBM kind of forces their customers to buy a larger license.

IBM's customer support is very good. 

We don't have any comments about community support because we don't know any communities that we can use to look up information about QRadar; however, in general, we have used IBM's documentation extensively — I think it's very useful, it's very complete, but sometimes it's a bit outdated. 

We used to use ArcSight. I can't even begin to compare these two products because ArcSight was a solution managed entirely by our security operations center team. We didn't have full knowledge of what the solution was capable of. Now we're seeing a much larger universe with QRadar — I think it's a completely different thing. QRadar is much more capable than ArcSight.

Deployment-wise it's pretty easy already; it took us one hour to get QRadar running, and then a couple of days later, we had full deployment. We then began onboarding log sources — the process of onboarding log sources has been almost painless for 90% of our log sources, which are from different vendors and different tools, and within a month we had about 70% of all of our relevant security logs in qRadar, generating many interesting offenses on a daily basis. So that has been very positive.

We had little interaction with qRadar during the process of onboarding log sources — most log sources were automatically discovered, their events were mapped correctly and parsed to extract relevant fields. A few log sources required manual intervention or installation of content packs, and some of IBM's DSMs were a bit outdated, but these issues were rather quick to fix within qRadar itself.

We used a partner company here called IT.eam, which helped us with the deployment. They are very capable and professional and it's been overall a great experience.

It's very expensive but it fits our budget. Because it's very expensive, we had to come up with ways of filtering our logs before they get into QRadar because otherwise, we'd have to buy a much greater amount of events per second, and that would be very expensive.

Splunk is virtually the same price.

I'd recommend QRadar for security teams that are more from the IT world and not so much from the development or data-science world. I think other tools, such as Splunk, are really great too, but QRadar is natively concerned with providing security rules and use cases. If you're looking for a reliable solution for security purposes only, QRadar is probably the way to go.

Overall, on a scale from one to ten, I would give this solution a rating of eight.

The tool helps with infrastructure, application, and network monitoring. 

There are areas in IBM Security QRadar that could benefit from improvement. Its ability to customize knowledge for specific purposes could be enhanced. Also, it lacks clarity in presenting details. It is also difficult to see the reports. 

I have been using the product for a year. 

The tool's technical support is good. 

Neutral

Implementing IBM Security QRadar is not overly complex. 

The product is expensive. We have purchased the perpetual license, but we pay for the support. 

I rate the tool a seven out of ten. It is a tough product.