IBM Security QRadar Reviews

We primarily use QRadar for monitoring and preparing use cases. 

This solution is deployed on-prem. 

The most important and valuable feature of QRadar is how useful it is for preparing use cases. It's also easy to use. 

The GUI of QRadar should be improved. 

I have been using IBM QRadar for one year. 

QRadar is stable. 

This solution is scalable. 

I have contacted IBM's technical support—it was great. They are very knowledgeable. 

QRadar is very easy to install, and I can do it myself. The time period will depend on the organization itself, since it depends on the environment and the number of servers and endpoints. 

I implemented this solution myself. 

I pay for licensing yearly. 

I also evaluated a lot of SIEM solutions, but I like LogRhythm and QRadar. 

I rate QRadar an eight out of ten. I would recommend QRadar, as well as LogRhythm, to others considering implementation. 

We have a lot of use cases with IBM QRadar, but our primary use is for monitoring traffic and detecting tricks.

In terms of how IBM QRadar has improved our company, on peak days it helps us monitor and generate statistics that help to illustrate what is going on in the company. For example, SMB detects ransomware and invalid log-on. If a user is located in the United States, or we expect a login in Russia, or Ukraine, or Kenya, it is very important for us because we can detect what application they are using there, or if a hacker is trying to log in by mobile or another device.

I have found its network traffic log, network bit log, and QBI most valuable.

We have a lot of domain controllers in QRadar tracking all the security. It is also useful for identity management.

In terms of where it could be improved, this includes its forensics, incident response, and security operation center features. Additionally, some also struggle with the rules. We need more features in order to create rules to detect or to meet some requirements for other areas, such as catching the event from other authentication tools, like in Okta, for example.

In some cases, I have issues because some tools are not integrated in QRadar, such as other tools similar to DLP (Data Loss Prevention). We need to create all the integrations manually because they are not integrated in QRadar. We have a problem, for example, because they have Symantec DLP integrated in QRadar, however, it is not working because it's not detected automatically. It is not converting all the columns, but we do have the option to create manually. This is not difficult because it's very clear in the procedures.

I have been using IBM QRadar for seven years.

QRadar's stability is great because it is always live and is always catching and monitoring all the information that we need. When we need information, it is here in QRadar. 

In terms of maintenance of QRadar, my internet is secured by IBM.

For me, the scalability is good.

At the moment, we have no more than 15 people working on QRadar. This includes analysts, forensics, internet response, and active directory.

Tech support is good. Additionally, I can find all the information at IBM.

In some cases, the system or the hardware do not meet the requirements to install one flow collector. Or the menu is not displayed. The menu has 10 options. If the CPU and memory are not enough, the menu shows only five or six options. But this information is not mentioned in the installation process. But it is not complex because the installation is very clear as long as we are meeting all the requirements for the CPU, memory, or the space.

The solution takes maybe four months because we have a lot of integrations.

I would absolutely recommend QRadar because it has a lot of options to improve or detect some information.

On a scale of one to ten, I would give QRadar a 10.

We are a telecom company, and we use it for IT systems, for telecom systems and on various different levels of applications. We use it for web servers, routers, firewalls, and other security components. Our SIEM solution serves technical and non technical business units including customer care, engineering, revenue assurance, and anti fraud. 

Instant continuous monitoring so that we can take action immediately and be proactive as much as possible with handling hacking and attacking attempts. Also, It has improved comprehensive visibility for what is going on in the perimeters, and on the inside, as well. We also use it for testing our controls if it is performing well or not. We can say that the visibility, monitoring, testing and reliability of our controls is all assisted by this solution. The most important benefit we get is from the SIEM solution.

The most valuable features are the diversity of logs type that enable us to monitors what is going on from different perspectives and reduces the likelihood that we will miss important attempts. There are different events and flows, and there is diversity from getting the information from different sources. We can also see that there are no false positives. It is well-tuned and the rules are covering everything that we need.

There are some weaknesses with the QRadar Risk Manager. It has some weaknesses because of the connectivity with other vendors. It is limited. There are some vendors that you cannot connect QRadar Risk Manager with, so we you cannot get the maximum benefit of the product.

It is very stable. We have not faced interruptions in the past four and a half years.

It's great! This is one of the major features of the solution.

Technical support is good, but not great. 

It was straightforward, but we had to do some customization. 

When choosing a vendor, we always consider:

• Scalability
• Diversity of Connecting Systems
• Storage

We considered another solution from HP and ArcSight.

QRadar improved risk assessment and vulnerability, plus it has reduced some staff. It has also improved the training abilities of the people who use it, e.g., IR teams. It is the core of our entire SOX. Therefore, we use it for everything through training all the way up through management. 

Due to the skills shortage, we are able to use it from the standpoint of bringing in a lower level employee or a person who may not have security knowledge. We can put them in front of the product and they will still have the information that they need and have them at a level where they can run the system. Also, products, like Watson, make it work better.

The overall workload automation should be built into it. Part of the efficiency side of it is the ability to take the information as it comes in and assign it into a group. Now, the team leader no longer needs to assign it manually. He manages the workflow as it comes in directly to the individuals. Then, the individuals respond on it. As it closes, it goes back to the workflow, recording the amount of time it took for them to close it. It should show: 

• How long did it take to get assigned?
• How long did it take for the person to open it?

Then, you can show that a person may have issues opening network problems.

We have not suffered a network breach.

The solution has improved the efficiency of our security team.

We are at 115,000 events per second.

We run 65 servers with just two people: an engineering person and me.

We have 65 servers globally, and I just got my own.

The technical support is poor. Mostly because when I open a PMR for IBM, I am stuck with Level 1 staff. As an engineer, nothing that I am bringing them does not require Level 2 or Level 3 support. Most of the stuff that I open ends up code changes or bug fixes.

Our company is far more mature than most. Our issue is that the support is slow.

It was a whole different product when we installed it.

The most important criteria when selecting a vendor: stability. The security space is tough. Unlike a lot of other spaces, IBM will not be bought anytime soon as a 100 year-old company.

As a PS consultant on projects where the customer is transitioning from a competitor's SIEM to QRadar, they are very pleased when they see the number of quality offenses being caught soon after implementation and integration of log sources just from the out-of-the box rules enabled by default.

As a Professional Services consultant, I have heard many reports of how QRadar SIEM has quickly identified offenses which the users were unaware of previously. In addition to giving CISO’s gained visibility and increasing security posture, QRadar adheres to an organization's regulatory compliance across a number of  industries (i.e. Healthcare, Financial, Retail, Energy and Government)

• Correlation Rule Engine, built-in use cases: QRadar has the highest number of built-in use cases among any SIEM on the market. There are many built-in rules that are enabled by default and easily tunable to meet the specific needs of each organization. The correlation engine automates what is a manual process for many SIEM platforms.
• Network-Based Anomaly Detection (NBAD): Using NetFlow, JFlow, SFlow, or QFlow (all 7 layers), offenses are detected as a response when a rule is triggered.
• QRadar Vulnerability Management: Built-in vulnerability scanner or leverage for other supported scanners to either schedule a scan and/or import the results from a scan. Importing the results enriches the assets profile database to quickly identify assets that have known vulnerabilities.
• X-Force Threat Intelligence: Threat intelligence IP reputation feed which leverages a series of international data centers to collect tens of thousands of malware samples, to analyze web pages and URLs, and to run analysis to categorize potentially malicious IP addresses and URLs.
• App Exchange: Many vendors have written apps to enhance QRadar. The apps are free and enhance your SIEM experience by adding rules and custom event properties. In some cases a new tab. You will need to have purchased the third party solution. For example, if you have Palo Alto or Blue Coat, there's a free app for better integration.

Some UI enhancements would be nice, such as exporting custom event properties and the ability to export rules.

We did not encounter any issues with stability.

We did not encounter any issues with scalability.

The technical support is very good.

We had limited experience with RSA enVision, LogRhythm, and HPE ArcSight. QRadar is much easier and takes less time to implement and maintain.

The initial setup was straightforward.

Go through a vulnerability assessment review for price breaks. A virtualized solution will also cut down on cost.

We did not evaluate any other options.

Every SIEM tool has a certain degree of complexity, especially where use cases and rules are concerned. I advise using Professional Services so your SIEM is configured by trained professionals.

Our clients who are implementing or trying to implement a Security Operations Center use the IBM QRadar SIEM solution. This solution helps automate incident processing and provides visibility into the incident management process.

The playbook engine is flexible and allows for the graphical visualization of processes, enabling the implementation of dynamic playbooks for incident response or testing.

The integration of our customer's infrastructure with other security management systems, such as Active Directory, firewalls, and vulnerability management systems, is effective.

The solution is difficult to understand in the beginning and has complex management configurations that can be improved.

The stability has room for improvement.

The cost has room for improvement.

I have been using the solution for two years.

I give the stability a seven out of ten. There is sometimes unexpected behavior within the logic of the playbook engine and features.

I give the scalability an eight out of ten.

We have had issues that were not resolved by technical support.

Neutral

For the most part, the initial setup is straightforward and I give it a seven out of ten. The initial deployment and configuration require one month, followed by an additional 11 months of implementing various use cases and processes that need to be automated.

I give the price of the solution a four out of ten. The solution comes with a high price tag, while some of the competitors provide identical functionality in their offerings at no extra cost.

I give the solution a seven out of ten.

We have around 20 users.

The solution is of good quality and can be implemented successfully. However, in order to fully utilize its benefits, one must possess expertise in Python programming.

We are mainly using predefined rules on IBM QRadar User Behavior Analytics

When we started using IBM QRadar User Behavior Analytics's add-on or extension, we received more than 17 new use cases. Our organization has benefited from using IBM QRadar User Behavior Analytics.

IBM QRadar User Behavior Analytics's most important feature is its ease of use. 

IBM QRadar User Behavior Analytics could improve machine learning use cases because they are limited and most of the use cases are rule-based. They should develop more use cases, such as in Securonix or Exabeam because they will detect a threat. Using machine learning is mainly on the correlation rules, but if you think about Exabeam or Securonix, they detect using machine learning or machine learning-based algorithms.

Using the interface of IBM QRadar User Behavior Analytics is the same for years, they should redesign the interface to make it more modern. Some historical queries take a long time, they should improve or change their database. There are some missing operators on the correlation side. For example, some before operated.

I have been using IBM QRadar User Behavior Analytics for approximately three years.

IBM QRadar User Behavior Analytics is stable most of the time. However, it works on the client-side which requires a lot of system resources, such as RAM. In some cases, if the work is high, the stability deteriorates, but mainly it is stable.

The scalability of IBM QRadar User Behavior Analytics is good. 

We have two people using this solution. We do not have plans to increase usage.

We use a consultancy company for support and are not directly connected to IBM support.

The deployment of IBM QRadar User Behavior Analytics is very easy when compared to other machine learning solutions. The full deployment took approximately three weeks with less than 5,000 EPAs.

We used a consultant that help us deploy and do maintenance for IBM QRadar User Behavior Analytics.

I rate the return on investment of IBM QRadar User Behavior Analytics a four out of five.

IBM QRadar User Behavior Analytics is an application framework and you can install many applications without any additional costs.

I rate the price of IBM QRadar User Behavior Analytics a four out of five.

IBM QRadar User Behavior Analytics is a good solution. If there is a big enough budget they might be able to afford the solution since it is expensive. If the conditions are okay, then they should select the solution.

I rate IBM QRadar User Behavior Analytics a six out of ten.

We use the solution for network behavior and log analytics. We wish to procure one for behavior analytics.

I am not certain which version we are using. 

There is a need for a behavior analytics solution in the environment. We use the solution to highlight unusual traffic for a single particular link or even single particular user traffic. 

The solution will not provide alerts in the event of any particular traffic. It will only alert in the case of a security threat. 

I am looking for a solution to replace IBM QRadar. We use it for incident reporting, but I need one for behavior analytics. I need one which will send alerts in the event of any behavior. 

The solution is fine for analyzing logs. We already have basic modules. We require more modules for getting so that we may obtain further details. We essentially use IBM QRadar for analyzing particular logs. 

There are no additional features which should be added or upgraded in the next release. 

The solution is reliable. 

The scalability is fine. 

Technical support is okay. We have had no issues with them. 

The license is not subscription-based. We have been doing the same deployment for more than ten years. 

The pricing is alright. 

Our environment is binding. We have only monitoring and data central traffic.

I would recommend the solution to others. It is fine for analyzing logs.