We have a lot of use cases with IBM QRadar, but our primary use is for monitoring traffic and detecting tricks.
IT Security Analyst at a manufacturing company with 10,001+ employees
Helps us monitor and generate statistics that help to illustrate what is going on in the company
Pros and Cons
- "I have found its network traffic log, network bit log, and QBI most valuable."
- "We need more features in order to create rules to detect or to meet some requirements for other areas, for example, catching the event from other authentication tools."
What is our primary use case?
How has it helped my organization?
In terms of how IBM QRadar has improved our company, on peak days it helps us monitor and generate statistics that help to illustrate what is going on in the company. For example, SMB detects ransomware and invalid log-on. If a user is located in the United States, or we expect a login in Russia, or Ukraine, or Kenya, it is very important for us because we can detect what application they are using there, or if a hacker is trying to log in by mobile or another device.
What is most valuable?
I have found its network traffic log, network bit log, and QBI most valuable.
We have a lot of domain controllers in QRadar tracking all the security. It is also useful for identity management.
What needs improvement?
In terms of where it could be improved, this includes its forensics, incident response, and security operation center features. Additionally, some also struggle with the rules. We need more features in order to create rules to detect or to meet some requirements for other areas, such as catching the event from other authentication tools, like in Okta, for example.
In some cases, I have issues because some tools are not integrated in QRadar, such as other tools similar to DLP (Data Loss Prevention). We need to create all the integrations manually because they are not integrated in QRadar. We have a problem, for example, because they have Symantec DLP integrated in QRadar, however, it is not working because it's not detected automatically. It is not converting all the columns, but we do have the option to create manually. This is not difficult because it's very clear in the procedures.
Buyer's Guide
IBM Security QRadar
December 2025
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: December 2025.
879,259 professionals have used our research since 2012.
For how long have I used the solution?
I have been using IBM QRadar for seven years.
What do I think about the stability of the solution?
QRadar's stability is great because it is always live and is always catching and monitoring all the information that we need. When we need information, it is here in QRadar.
In terms of maintenance of QRadar, my internet is secured by IBM.
What do I think about the scalability of the solution?
For me, the scalability is good.
At the moment, we have no more than 15 people working on QRadar. This includes analysts, forensics, internet response, and active directory.
How are customer service and support?
Tech support is good. Additionally, I can find all the information at IBM.
How was the initial setup?
In some cases, the system or the hardware do not meet the requirements to install one flow collector. Or the menu is not displayed. The menu has 10 options. If the CPU and memory are not enough, the menu shows only five or six options. But this information is not mentioned in the installation process. But it is not complex because the installation is very clear as long as we are meeting all the requirements for the CPU, memory, or the space.
The solution takes maybe four months because we have a lot of integrations.
What other advice do I have?
I would absolutely recommend QRadar because it has a lot of options to improve or detect some information.
On a scale of one to ten, I would give QRadar a 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Manager Information Security at a tech services company with 10,001+ employees
A user-friendly, stable, and solid product with internal AI and good scalability
Pros and Cons
- "It is a pretty solid product for the type that it is representing. It is a CM solution as compared to Splunk or ArcSight from HP. It is also user friendly. It comes with some internal AI as well, in which it automatically maps multiple lots from unrelated devices and makes a smart decision to link them back and create an offense based on that. It is a smart tool."
- "A lot of information that we receive for the devices is IP-based, but it would help if we could have a default dashboard in which we can add more details about the assets for which we are receiving the information. For example, if it is a Windows or Linux device, we only get the IP for that particular device. We don't really get the name and other details of that particular device. For that, you have to drill down into your own asset management system. It would be good to have a place where we can probably add this information so that we don't have to look into other tools."
What is our primary use case?
We are using it from the compliance perspective. We need this solution to comply with HIPAA and PCI because our clients require HIPAA and PCI DSS compliance. We also use it for log management, primarily security logs, and to some extent, for operational activities, even though this tool is actually not meant for operational tasks. We do keep track of errors in our appliances like hardware, storage, and network switches through QRadar.
The main or core solution is on-premises. There is an extended arm, which is in the cloud as well for cloud integration.
How has it helped my organization?
Security incident and event management are actually the core functionalities of this solution. We receive security logs on this product and based on the received logs, we can create offense tickets that are forwarded to Netcool, which is another solution that we have. I don't have experience with that, but our integration is there so that any offense or security event is forwarded to Netcool, and a ticket is automatically generated in ServiceNow for that offense. This level of automation that we have for security-related events is done through this solution. There's no manual work involved, which obviously takes away a lot of load from the individuals who are managing the security side of it.
What is most valuable?
It is a pretty solid product for the type that it is representing, i.e. SIEM. It can do automatic correlation based on the traffic that you are receiving to some extent. It has a plethora of options available for third-party application integration. For example, Cisco Firepower and Palo Alto dashboards for Cisco and Palo Alto firewalls, respectively. Integration with cloud-based log sources is also supported via parsers that support API Connect. This is helpful when pulling in logs from AWS, Azure, GCP or other cloud-based solutions like Carbon Black, Imperva, etc.
What needs improvement?
A lot of information that we receive for the devices is IP-based, but it would help if we could have a default dashboard in which we can add more details about the assets for which we are receiving the information. For example, if it is a Windows or Linux device, we only get the IP for that particular device. We don't really get the name and other details of that particular device. For that, you have to drill down into your own asset management system. It would be good to have a place where we can probably add this information so that we don't have to look into other tools.
For how long have I used the solution?
I have been using this solution for about six months.
What do I think about the stability of the solution?
It is very stable. As long as you have the proper connectivity availability, it is pretty stable.
What do I think about the scalability of the solution?
Our deployment covers North America, South America and part of Europe. The product is easy to deploy and scale. Almost everyone in our organization is using this solution because most of our projects rely on this. Because of the compliance requirement, most of our projects have to be integrated with QRadar. Each business unit or each program that we have in another environment has independent access to the solutions. They might not be the end users, of course, but at least every admin team of every program unit has access to this tool so that they can see what's happening in their environment.
It also supports multi-tenancy. So, if you have multiple clients or multiple tenants in your environment, you can create logical containers for them. From a logical point of view, you can create separate disconnected containers for each client so that they can only see their data.
How are customer service and technical support?
Their technical support is quite good. I would rate them a nine out of ten.
Which solution did I use previously and why did I switch?
Yes, we switched over from NNT to QRadar. This product is more detailed. Expensive but definitely more detailed! :)
How was the initial setup?
It was pretty straightforward. These are hardware appliances. So, you need to rack and stack them. If the rack space, cabling, and other things are already done, which would typically be the responsibility of a data center team, it essentially takes three to five days. But this is only the core deployment. The fine tuning on top of it would take extra time based on the environment and how complex it is.
What about the implementation team?
It was implemented by a team that included me. We have an external team for its maintenance.
What's my experience with pricing, setup cost, and licensing?
The IBM QRadar licensing for the core Events (EPS) and Flows (FPS) is per-second based. The licensing is perpetual and surely expensive, but the output of the product makes it worth your money.
What other advice do I have?
I would absolutely recommend this solution. I am pretty okay with it, and I don't have any issues with it. It has some competitors like Splunk and LogRhythm. Symantec has its own SIEM solution. ArcSight, LogRhythm, and Splunk are in the first quadrant for the Gartner research. They are leaders in their products, and they know what they're doing. It also comes down to what your company is into, how does it fit into a particular environment, and how compatible it is with a particular environment. I could have gone on the Splunk path and probably said the same thing for it as well.
I would rate IBM QRadar a nine out of ten. It is a pretty solid product.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Specialist at a comms service provider with 501-1,000 employees
Not user friendly, doesn't integrate well, and has terrible technical support
Pros and Cons
- "The solution can scale."
- "The solution is clunky."
What is our primary use case?
We use the solution for a variety of tasks. We use it, for example, for authentication, network-related authentication, user-related tasks, and Windows UNIX servers. It's a lot. There's a ton of use cases. I really can't sync right now about every single use case, however, the main things are authentication and network-related systems and all flavors of UNIX Windows.
How has it helped my organization?
It helped our organization in the sense that having it was better than nothing. However, I did not enjoy the product overall and I advised we switch to something else.
What is most valuable?
The user behavior analytics as part of our deployment was okay, even though it was clunky.
The solution can scale.
What needs improvement?
I really didn't like QRadar to be honest. I inherited it. I was part of the reason that we moved over to LogRhythm. The solution just isn't user friendly.
The solution is clunky.
The interface could be much better.
The integration capabilities within the product are not that great.
For how long have I used the solution?
I've been using the solution for about two years at this point. My team has been using it for two to three years, so we have a total of about five years of experience in all.
What do I think about the stability of the solution?
I wouldn't describe the solution as stable.
It was really buggy. Like other app integrations, it wasn't straightforward. It was pretty clunky. We tried to integrate Qualys with it and it wasn't effective. To integrate anything took quite a bit of time and energy. It wasn't easy. When it did, it didn't work properly. It wasn't really pulling in the data correctly.
What do I think about the scalability of the solution?
Scalability was hard as it was on-prem. We needed to add more modules, and had to add more of the servers to stack it. It wasn't that simple a task at all. I wouldn't say that it scales well, although technically, you can scale it.
When we were using the solution, we had ten to 15 users on it. They were anyone from Information Security Engineers to regular IT admins.
How are customer service and technical support?
Technical support was awful. We often didn't even have any assistance available to us. On a scale from one to ten, I'd rate them at a three. We were very unsatisfied with the level of support we received. They just simply weren't helpful when it came down to it.
Which solution did I use previously and why did I switch?
The organization didn't previously use a different solution before choosing QRadar.
We actually switched to LogRhythm as I didn't like how the solution was working for the organization.
How was the initial setup?
I didn't handle the initial setup. It was handled before I arrived at the organization.
What other advice do I have?
I'm not sure of which version of the solution we're using.
I wouldn't recommend the solution. I'd probably tell others to shy away and look at other products like possibly Splunk, however, it's a pricey option. LogRhythm is pretty good. We're having some issues with it. That said, for the most part, it's okay.
Exabeam also seems like it might be a good option. I haven't worked with it personally, however, I've had some experience with a POC.
Overall, I would rate the solution at a three out of ten. We didn't have a good experience with it. If it offered, for example, easier behavior analytics, easier integrations, better interface, supported model integration, and a good user interface to perform analysis I might rate it higher. Basically, it just needs to be much more user-friendly.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Analyst at a retailer with 10,001+ employees
Provides the visibility and analytics needed to detect and combat security risks
Pros and Cons
- "The rule engine is very easy to use — very flexible."
- "The user interface is a bit clunky, a bit hard to find what you need."
What is our primary use case?
We use this solution for deploying and integrating log sources and use cases.
We use it to generate offenses based on normal behavior and suspicious behavior from our security tools, firewalls, and other solutions.
We have applied a set of old and new rules to QRadar that aim to detect persistent abnormalities in our environments.
Within our organization, our security operations center and users from our local security team — roughly 10 to 12 users — use QRadar. We plan to expand to other areas of the company so that other people can use QRadar for different use cases. But right now only the security teams use it.
How has it helped my organization?
It's more of what it has provided for our company. We have much better visibility into our environment now. It has become much easier to create an alert for suspicious behavior, to operate on security incidents when they happen, and to drill down on specific events and figure out exactly which machines and users were involved.
What is most valuable?
I think the log search is pretty good. It's very easy to create complex searches and aggregate results and create graphics, etc.
The rule engine is very easy to use — very flexible. We can create rules based on whatever behavior we want. It's very easy to use compared to Splunk.
When we analyzed Splunk, that was the criteria that we looked at. Splunk was a lot more difficult to use and to create rules.
The standard rules they have are very comprehensive. There are many content packs in the apps that enrich those rules. We are still using the native rules from QRadar because there are many useful rules there. I think we're going to have a very good experience with them.
What needs improvement?
One thing one has to be aware of is that QRadar doesn't have a standard UI style, but older (clunkier) and newer (more modern and easy to use) screens. The QRadar UI involves a lot of clicks and pop-ups to get where you want, which is certainly not the best UX, but isn't totally a pain either. Although it's a bit difficult to navigate through screens at first, the UX is pretty good once you learn the "QRadar way", which takes about a few weeks to master.
For how long have I used the solution?
I have been using this solution for the last three months.
What do I think about the stability of the solution?
We had some bugs and we had to handle them. They impacted our deployment timeline, but all of the bugs that we had were quickly solved by engineers from IBM. Currently, we are not fully satisfied with the stability, but the support from IBM is very good and they can solve our problems very, very quickly.
What do I think about the scalability of the solution?
There seems to be a cap-limit regarding scalability. IBM limits the amount of data you can send into the collectors so scalability-wise, it's not that optimum because sometimes we have a resource or a machine that tends to think it gets more events per second than it actually gets. Because of how the solution is made, if we send a large number of events to these event collectors, then they will start dropping events because we can't queue them. That seems to be by design — we aren't entirely satisfied with that. In this way, IBM kind of forces their customers to buy a larger license.
How are customer service and technical support?
IBM's customer support is very good.
We don't have any comments about community support because we don't know any communities that we can use to look up information about QRadar; however, in general, we have used IBM's documentation extensively — I think it's very useful, it's very complete, but sometimes it's a bit outdated.
Which solution did I use previously and why did I switch?
We used to use ArcSight. I can't even begin to compare these two products because ArcSight was a solution managed entirely by our security operations center team. We didn't have full knowledge of what the solution was capable of. Now we're seeing a much larger universe with QRadar — I think it's a completely different thing. QRadar is much more capable than ArcSight.
How was the initial setup?
Deployment-wise it's pretty easy already; it took us one hour to get QRadar running, and then a couple of days later, we had full deployment. We then began onboarding log sources — the process of onboarding log sources has been almost painless for 90% of our log sources, which are from different vendors and different tools, and within a month we had about 70% of all of our relevant security logs in QRadar, generating many interesting offenses on a daily basis. So that has been very positive.
We had little interaction with QRadar during the process of onboarding log sources — most log sources were automatically discovered, their events were mapped correctly and parsed to extract relevant fields. A few log sources required manual intervention or installation of content packs, and some of IBM's DSMs were a bit outdated, but these issues were rather quick to fix within QRadar itself.
What about the implementation team?
We used a partner company here called IT.eam, which helped us with the deployment. They are very capable and professional and it's been overall a great experience.
What's my experience with pricing, setup cost, and licensing?
It's very expensive but it fits our budget. Because it's very expensive, we had to come up with ways of filtering our logs before they get into QRadar because otherwise, we'd have to buy a much greater amount of events per second, and that would be very expensive.
Splunk is virtually the same price.
What other advice do I have?
I'd recommend QRadar for security teams that are more from the IT world and not so much from the development or data-science world. I think other tools, such as Splunk, are really great too, but QRadar is natively concerned with providing security rules and use cases. If you're looking for a reliable solution for security purposes only, QRadar is probably the way to go.
Overall, on a scale from one to ten, I would give this solution a rating of eight.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Specialist at a tech services company with 201-500 employees
Easy to deploy, and scalable, but the stability has room for improvement
Pros and Cons
- "The playbook engine is flexible and allows for the graphical visualization of processes, enabling the implementation of dynamic playbooks for incident response or testing."
- "The solution is difficult to understand in the beginning and has complex management configurations that can be improved."
What is our primary use case?
Our clients who are implementing or trying to implement a Security Operations Center use the IBM QRadar SIEM solution. This solution helps automate incident processing and provides visibility into the incident management process.
What is most valuable?
The playbook engine is flexible and allows for the graphical visualization of processes, enabling the implementation of dynamic playbooks for incident response or testing.
The integration of our customer's infrastructure with other security management systems, such as Active Directory, firewalls, and vulnerability management systems, is effective.
What needs improvement?
The solution is difficult to understand in the beginning and has complex management configurations that can be improved.
The stability has room for improvement.
The cost has room for improvement.
For how long have I used the solution?
I have been using the solution for two years.
What do I think about the stability of the solution?
I give the stability a seven out of ten. There is sometimes unexpected behavior within the logic of the playbook engine and features.
What do I think about the scalability of the solution?
I give the scalability an eight out of ten.
How are customer service and support?
We have had issues that were not resolved by technical support.
How would you rate customer service and support?
Neutral
How was the initial setup?
For the most part, the initial setup is straightforward and I give it a seven out of ten. The initial deployment and configuration require one month, followed by an additional 11 months of implementing various use cases and processes that need to be automated.
What's my experience with pricing, setup cost, and licensing?
I give the price of the solution a four out of ten. The solution comes with a high price tag, while some of the competitors provide identical functionality in their offerings at no extra cost.
What other advice do I have?
I give the solution a seven out of ten.
We have around 20 users.
The solution is of good quality and can be implemented successfully. However, in order to fully utilize its benefits, one must possess expertise in Python programming.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer.
Cyber Security Consultant at a tech services company with 51-200 employees
Reliable with good technical support but needs better visualization
Pros and Cons
- "The product can scale."
- "The product can be a bit complex."
What is our primary use case?
We are implementors and implement this solution for our clients, who use it for analytics.
What is most valuable?
It offers good machine learning. The analysis is very helpful.
The user activity is effectively flagged. It can pinpoint strange activity.
It is stable and reliable.
The product can scale.
Technical support is good.
What needs improvement?
The product can be a bit complex. A lot of things, like visualization, could be better. It would help the customer gain a better understanding.
For how long have I used the solution?
I've used the solution for five to six years. I've used it for a while now at this point.
What do I think about the stability of the solution?
It is stable and reliable. There are no bugs or glitches. It doesn't crash or freeze. I'd rate the stability eight out of ten.
What do I think about the scalability of the solution?
The solution is scalable. It can handle thousands of users or maybe even more. I'd rate the scalability nine out of ten.
We mostly deal with small or medium enterprises.
How are customer service and support?
Most of the time, technical support is helpful. I am satisfied with the level of service we receive.
How would you rate customer service and support?
Positive
How was the initial setup?
It is easy to implement. I'd rate the ease of implementation seven out of ten.
The deployment only takes no more than a few hours. There are configurations and fine-tuning that have to happen after that, and everything could take about a week.
What about the implementation team?
As implementors, we can implement the solution for our clients.
What's my experience with pricing, setup cost, and licensing?
The pricing is reasonable. It's not expensive compared to other solutions. If you get the console and other licenses, you can easily use it with other QRadar solutions.
What other advice do I have?
New clients should know that it does give good analytics and it will help them save time.
I'd rate the solution seven out of ten. It's a good product.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Implementer
Vice President - Technology & Managed Security Services at a computer software company with 1,001-5,000 employees
A simple and stable solution but the dashboards are old
Pros and Cons
- "The simplicity of the solution is the best feature."
- "The dashboards are all legacy and old."
What is most valuable?
The simplicity of the solution is the best feature.
What needs improvement?
The dashboards are all legacy and old. Their cloud support and the content available for cloud and containers are also minimal.
For how long have I used the solution?
We have been using this solution since 2019.
What do I think about the stability of the solution?
I rate the stability a nine out of ten.
What do I think about the scalability of the solution?
I rate the scalability an eight out of ten, and we have about 35 people using it.
How are customer service and support?
I rate the technical support a five out of ten. They need to improve their availability. They have global support, which means we need to wait longer for a response.
How would you rate customer service and support?
Neutral
How was the initial setup?
I rate the initial setup a seven out of ten, and it is deployed on-premises. The deployment took about four to six weeks, and we did it in-house.
What was our ROI?
We have seen an ROI.
What's my experience with pricing, setup cost, and licensing?
I rate the price a six out of ten, with ten being affordable and one being expensive. They recently changed their licensing model, and it's more complex.
What other advice do I have?
I rate this solution a six out of ten. Regarding advice, using this solution purely depends on the use case. If it meets your use case, then IBM QRadar is good, but other solutions like Securonix are much better.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Cyber Security Student at a tech services company with 201-500 employees
Scalable, easy to use, and has a visualization feature that shows spikes in the system
Pros and Cons
- "The best feature of IBM QRadar is visualization which shows you when there's a spike in the system, and this makes you realize that there's something wrong with the log."
- "IBM QRadar has outdated technology, and this is its area for improvement. When you try to implement an analytic expression, it's not updated. The solution doesn't support newer technologies, and it doesn't update regularly. For example, around the world, others implement new technologies, while IBM updates later than others."
What is our primary use case?
We are using IBM QRadar for log reviews, particularly logs that come and go from the IPS, firewall, etc.
We have different dashboards for different technologies such as our firewall, IPS, and domains for our main website, so we use IBM QRadar to observe the logs from our website, and we try to make internal and external connections for better domain security.
What is most valuable?
The best feature of IBM QRadar is visualization which shows you when there's a spike in the system, and this makes you realize that there's something wrong with the log.
What needs improvement?
IBM QRadar has outdated technology, and this is its area for improvement. When you try to implement an analytic expression, it's not updated. The solution doesn't support newer technologies, and it doesn't update regularly. For example, around the world, others implement new technologies, while IBM updates later than others.
There isn't any additional feature I'd like added to IBM QRadar at this point because it's sufficient for visualizing the logs.
For how long have I used the solution?
I've been with the company for one and a half months, and I've been using IBM QRadar almost daily, but the solution was deployed five or six months ago.
What do I think about the stability of the solution?
IBM QRadar is a stable solution.
What do I think about the scalability of the solution?
IBM QRadar is a scalable solution. My company currently has seven to eight different accounts on IBM QRadar, so it's a scalable technology. It has no problems with scalability.
How are customer service and support?
I didn't have any problems with IBM QRadar, so I never contacted the technical support team.
Which solution did I use previously and why did I switch?
I'm assuming that the main reason my company chose IBM QRadar is that IBM is one of the biggest tech companies in the world, so IBM products would be more secure and more reliable than other solutions.
How was the initial setup?
As I didn't set up or deploy IBM QRadar, I have no information on whether it was easy or complex to set up.
What's my experience with pricing, setup cost, and licensing?
I have no information about the licensing costs of IBM QRadar, and whether or not it requires a license.
What other advice do I have?
I'm an intern at one of the biggest telecommunication companies, and my company uses IBM QRadar.
My advice if you want to use IBM QRadar is that you should use it because it's very scalable and it's easy to use. The solution also has many dashboards, and you don't have to write any code or write different scripts to get the information you need. You can do it from the UI of IBM QRadar. The only room for improvement in the solution is that it doesn't support newer technologies, and it's late when it comes to updates.
I'm rating IBM QRadar nine out of ten because my experience with it has been excellent. The only downside to it is that IBM is late with adding new features or supporting new technologies compared to its competitors.
My company is an IBM QRadar customer.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.