Application Security Architect at Bank Al Habib Limited
Stable and reliable but needs better integration with extensions
Pros and Cons
- "I really like the feature we have with the logs, that if there are any credit card numbers being used, like PII, you can just use regex and you can mask it. This is a really good feature in QRadar."
- "There should be an extension where we can get the reports. This could be an extension to the dashboard with Guardium or another product with limited technology, for example IPS. Now, we only have IBM. Basically, it needs more and more integration models."
What is our primary use case?
Our primary use case with IBM QRadar User Behavior Analytics is seeing if there are log-ins from the same IDs but from different locations; this is one use case. Another is if MAC addresses keep changing. Lastly, if the risk level is high, like with different IPs. These are the three use cases we have.
What is most valuable?
I really like the feature we have with the logs, that if there are any credit card numbers being used, like PII, you can just use regex and you can mask it. This is a really good feature in QRadar.
What needs improvement?
In terms of what could be improved, it would be easier if you didn't have to long escape for a bar sync. If you have to, the logs are not automatically barred, so you have to guide the whole atmosphere.
Additionally, there should be integration with IBM Guardium.
Lastly, there should be an extension where we can get the reports. This could be an extension to the dashboard with Guardium or another product with limited technology, for example IPS. Now, we only have IBM. Basically, it needs more and more integration models.
For how long have I used the solution?
I have been using IBM QRadar User Behavior Analytics for a month or two.
Buyer's Guide
IBM Security QRadar
December 2024
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
What do I think about the stability of the solution?
In terms of stability, in my current company, QRadar is working fine. But in my previous organization that was using QRadar, we experienced some QRadar failures. There were two or three times the data was wiped out instead of transferring to EGA and we had to restart QRadar from scratch and all the data was lost. It happened a lot. Maybe it was due to lack of management since it was a new company.
How are customer service and support?
We do have experience with support. We get support from the IBM people in Karachi, Pakistan.
They're good.
How was the initial setup?
The initial setup was really easy, it was really straightforward. I got it done in one day.
What other advice do I have?
What advice would I give? I want the certification to be very honest. I typically like the hands-on with QRadar, they're quite different.
On a scale of one to ten, I would rate IBM QRadar User Behavior Analytics a seven.
I have used other solutions, like LogRhythm, for a few use cases like ransomware detection, etc., and there were fewer false positives there. With the ransomware especially, it was very thin there. We actually have very few use cases and there were lots of false positives with QRadar. If I compare the AI function and the algorithms, I think it needs some improvement.
It is a complex product compared to LogRhythm.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
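A small Python illustration of the two mechanisms this reviewer describes: masking card numbers in log text with a regular expression before the events are stored, and flagging the same user ID logging in from different locations within a short window. This is an added example, not QRadar's own rule language or code; the log format, field names, IP addresses and events are constructed, and the Luhn check is an extra step to avoid masking ordinary 16-digit reference numbers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one event per line, timestamp then key=value pairs.
SAMPLE_LOG = [
    "2024-12-02T08:00:00Z user=alice src=203.0.113.10 geo=PK result=success msg=login",
    "2024-12-02T08:20:00Z user=alice src=198.51.100.7 geo=DE result=success msg=login",
    "2024-12-02T09:05:00Z user=bob src=203.0.113.22 geo=PK result=success msg=payment card=4111-1111-1111-1111",
    "2024-12-02T09:06:00Z user=bob src=203.0.113.22 geo=PK result=success msg=refund order=1234567890123456",
    "2024-12-02T12:00:00Z user=carol src=192.0.2.5 geo=PK result=success msg=login",
    "2024-12-02T20:00:00Z user=carol src=192.0.2.9 geo=US result=success msg=login",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def luhn_ok(digits):
    """Luhn checksum; true for a well-formed card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(text):
    """Replace every Luhn-valid card number in the text, keeping only the last four digits."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # probably an order or reference number: leave it readable
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


def parse_event(line):
    """Parse one log line into a dict; 'ts' becomes a datetime, other fields stay strings."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = dict(KV_RE.findall(m.group("rest")))
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev


def multi_location_logins(events, window=timedelta(hours=1)):
    """Return {user: sorted geos} for users with successful logins from 2+ geos inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("result") == "success" and e.get("msg") == "login" and "geo" in e:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # later events are even further away in time
                if b["geo"] != a["geo"]:
                    flagged.setdefault(user, set()).update({a["geo"], b["geo"]})
    return {u: sorted(g) for u, g in flagged.items()}


def process(lines, window=timedelta(hours=1)):
    """Mask PANs first, then parse and run the same-user-different-location rule."""
    masked = [mask_pan(line) for line in lines]
    events = [e for e in (parse_event(line) for line in masked) if e]
    return masked, multi_location_logins(events, window)


if __name__ == "__main__":
    masked_lines, hits = process(SAMPLE_LOG)
    print("\n".join(masked_lines))
    print("multi-location logins:", hits)
```

Only alice is flagged: her two logins are 20 minutes apart from different countries, while carol's are eight hours apart and fall outside the one-hour window.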
Lead Security Infrastructure Engineer at a financial services firm with 5,001-10,000 employees
Single pane of glass for analysts and SIEM administrators
Pros and Cons
- "It is incredibly easy to deploy. All the appliances are flexible in the roles that they serve and are all managed in the same way."
- "Needs better visualization options beyond the time series charts and a few other options that they have."
How has it helped my organization?
It has provided support for several log sources, which has historically been problematic/unsupported by competitors. It is easy to make changes on the fly to default parsers to customize fields/mappings to our use cases.
What is most valuable?
- Ease of use
- Time to value in implementation
- Single pane of glass for analysts and SIEM administrators
What needs improvement?
- User/identity modeling needs improvement. However, it seems that they are already focusing on that.
- Needs better visualization options beyond the time series charts and a few other options that they have.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
We have definitely not encountered any issues with stability.
What do I think about the scalability of the solution?
We have definitely not encountered any issues with scalability.
How are customer service and technical support?
Better than average versus their competitors.
Which solution did I use previously and why did I switch?
We previously used McAfee and ArcSight. We made the switch to IBM QRadar for scalability, ease of administration and use.
How was the initial setup?
It is incredibly easy to deploy. All the appliances are flexible in the roles that they serve and are all managed in the same way. Adding log sources is very straightforward, along with device updates, etc., which are all centrally managed.
What's my experience with pricing, setup cost, and licensing?
Pricing and licensing are competitive. Their new licensing options allow logs to bypass the correlation engine for a flat rate, which is also appealing for log data that is compliance-driven for a small amount of money.
Which other solutions did I evaluate?
We evaluated ArcSight, LogRhythm, Splunk, etc.
What other advice do I have?
Understand how your analysts need to use SIEM to execute use cases. This platform can collect and normalize data better than just about anything (if you want it to), but it will not be useful if it is not presented in a useful way.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Vulnerability Manager at a tech services company with 51-200 employees
The threat protection network is the most valuable feature
Pros and Cons
- "The threat protection network is the most valuable feature, because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why."
- "I would like to see a more user-friendly product."
How has it helped my organization?
Normally, an offense comes in, and an offense is something negative: it triggers when certain events don't comply with the rules. To put it plainly, it is something that will have impacted your environment very negatively. Once it comes through, you can then see from the QRadar log sources who or what triggered the offense.
For example, if an IP is browsing somewhere where it shouldn't be browsing, let's say that one of your log sources reported it back to QRadar. You can see the IP that browsed certain websites where it shouldn't be browsing. When you right-click and go to the threat protection network, that will normally show you who is browsing, where that IP is coming from, what type of website it is browsing, and if it is good or bad. If it's bad, it will give you recommendations on how to resolve the issue.
What is most valuable?
The threat protection network is the most valuable feature, because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why.
What needs improvement?
I would like to see a more user-friendly product. I would like them to make it more user-friendly. At this stage, you need to use a lot of regular expressions to do your searches.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
In the first year I used it, there were a few stability problems. In the previous three years, there haven’t been any major stability issues.
What do I think about the scalability of the solution?
I've seen no scalability issues in any of the environments where I am working at the moment. I've seen how it handles a lot of load. I'm talking about a 5,000-user environment. It can handle a lot of logs and events coming through simultaneously.
If you spec it properly, with the proper hardware requirements, then it doesn’t crash. I've seen how people give it way less specs than it should have, then it does crash. But that was the fault on the users’ side, and not the fault of the product.
How are customer service and technical support?
I would give technical support a rating of an eight out of 10. When they help you with a call for a problem with the product, which I've had twice, the next day, they roll out an update worldwide for all their products to be patched on that problem.
They lose too much time, in my opinion. Normally, you struggle a bit to get a hold of them and get to the correct person to assist you. Even though this isn't a very big delay, it usually takes about an hour. However, in my company, an hour can make a very big difference in my life. For example, it will take me about an hour to an hour and a half to get support from them. I'm a person who loves to get it done now. So if you don't mind waiting about an hour, then it can be very good support. When you log a call with IBM, it takes them about an hour to start working on the problem.
How was the initial setup?
The setup was very straightforward. It's basically "next, next, type in machine details and next", then you are finished.
What's my experience with pricing, setup cost, and licensing?
IBM's QRadar is not for small companies. Unfortunately, it would be 'overkill', to put it plainly. The pricing would be too much.
Which other solutions did I evaluate?
I wasn't completely part of the whole process when they chose a product. I know they evaluated AlienVault, which unfortunately I do not have any experience with, nor was I part of the whole process. I'm not able to provide pointers as to why the company chose IBM QRadar. I believe it's because we are a partner with them.
What other advice do I have?
Just spec it correctly and it will do its job for you. It has an active community. IBM patches the product regularly when problems are picked up. I haven’t heard about a lot of problems from other people using the product.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a Partner.
Security Consultant at Dimension Data
The most valuable features are the implementations, the plug-ins, and the UBA.
Pros and Cons
- "The most valuable features are all the implementations, the plug-ins, and the User Behavior Analytics (UBA)."
- "Maybe there should be more custom rules in the exchange. Basically, we are using a lot of threat rules, so maybe they'll develop something like that."
How has it helped my organization?
Maybe the best way it helped our organization is that QRadar is well prepared for PoCs. When you are doing PoCs, you just install the solution and you can show it to the customer.
It has great benefits because we don't spend a lot of time to set it up. There are a lot of features that are there out-of-the-box. It's great to do a PoC with customers and to reduce the money spent on the implementations.
What is most valuable?
The most valuable features are all the implementations, the plug-ins, and the User Behavior Analytics (UBA). All that stuff is really cool.
We are using the solution a lot on the customer side. We like the strength of the platform, basically. I know there is no other product like QRadar.
What needs improvement?
We thought about what was missing and it was the analysis of the user behavior. However, with the User Behavior Analytics (UBA), it's much less complicated.
I recently attended a conference presentation on machine learning, and it is a great plug-in to UBA. It will help us a lot because a lot of customers want to analyze their user behavior patterns.
Maybe there should be more custom rules in the exchange. Basically, we are using a lot of threat rules, so maybe they'll develop something like that. It will be better.
I would like to see improvement in the technical support. Sometimes, when we do patching or something like that, it creates some problems. Maybe they could test the patches and the OEM product better.
What do I think about the stability of the solution?
The stability is not bad. We had some problems with patching, but there are problems with all software.
We had the problem when we patched from Version 7.2 to Version 7.2.8. There were some problems with the authentication tokens. It didn’t go so well, but we solved it with the help of technical support and it was very quick. I think that's cool.
Sometimes, we have a problem with support. We are also using QVM (IBM Security QRadar Vulnerability Manager) and I think it is a little bit buggy for now. We have a lot of problems with it. It should be better.
What do I think about the scalability of the solution?
In terms of scalability, there is no doubt about it: It is perfect.
How are customer service and technical support?
The quality of technical support depends on the agent. Sometimes, it's hard to get the person who you need. Sometimes, it's better to create a ticket when the USA is working because I think they can help you better.
Which solution did I use previously and why did I switch?
We had McAfee, but we are ending our use of it. There are only some small implementations that are running with it. We are no longer developing with it. I think in the future, we will switch to QRadar. This is because we don't want to have two separate platforms.
RSA enVision was being used with one of our banking customers. However, we transferred to QRadar last year.
How was the initial setup?
We implemented the solution from scratch with our customers. We have a lot of implementations that they can check.
The setup was very complex. We have integration with a customer service desk and a lot of customization. It's the best thing that we can create our own app and adapt it to QRadar.
We attended the IBM master class to help us with an SDK to develop our own apps. Some of our customers are banks and they have a lot of things to do. Sometimes the features they need are not in QRadar, so we have to customize the solution a little bit for them.
Which other solutions did I evaluate?
We have a security department in the Czech Republic. We are basically only implementing IBM security products.
What other advice do I have?
Definitely try it. Do a PoC with a customer. You can get the value for the customer quickly. It's great.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director SOC at a tech services company with 51-200 employees
Integration with other platforms and the ease of rule making are valuable features.
What is most valuable?
These features make it easy to operate the application:
- Integration with multiple platforms
- Ease of rule making
- Manufacturer support (IBM)
How has it helped my organization?
We use QRadar for application security, generating customized rules of correlation according to the operation of our business. It extends the security of our most critical assets.
What needs improvement?
From my point of view, they should improve the backup procedures. QRadar does not allow sending backups by FTP or SFTP, limiting the tool. I had to make a script but it is a manual process. It would be great to have it automated.
For how long have I used the solution?
I have used it for approximately five years.
What do I think about the stability of the solution?
We did have stability issues. Some errors were generated when applying updates.
What do I think about the scalability of the solution?
We have not needed to scale the solution.
How are customer service and technical support?
It has taken a long time for support to respond to our request regarding AIX.
Which solution did I use previously and why did I switch?
We didn’t have a previous solution. We have always used QRadar.
How was the initial setup?
The initial configuration is simple; the maturation of the application is complex. Not because of the application of QRadar, but because they include many factors, such as the identification of critical assets and how we can secure them, with the application.
What's my experience with pricing, setup cost, and licensing?
QRadar is a very expensive application but it is a good product. My advice is to validate with other correlator solutions and validate which product is right for the organization.
Which other solutions did I evaluate?
We did evaluate other similar products that are good, such as McAfee ESM and HPE ArcSight.
What other advice do I have?
First, identify the most critical assets to be included in SIEM and then the most critical events of my organization. With that, you avoid bringing unnecessary events into SIEM.
It's a very good and versatile correlator.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a partner.
System Engineer at Trans Business Machines Ltd
Incredible capacity for creating machine models; falls short on documentation
Pros and Cons
- "The timeline and machine learning features are great."
- "The solution lacks vendor support."
What is our primary use case?
Our primary use case is logging for any anomalous traffic in terms of access times and deviations when users are in different groups within the AD. When a user deviates from their functionality, it's flagged in the UBA and for VPN traffic. I also use it for geolocation functionality. We are partners of IBM and I'm a system engineer.
What is most valuable?
The timeline and the machine learning features are great at quickly flagging users who have either left the organization or have dormant accounts. The way that the app has transformed over time is quite phenomenal. One of the major improvements is its capacity for creating machine models. It comes with 16 default machine learning models, where it tracks user activity and changes in profiles and authentications. There are various default machine learning models and I'm able to model those to parameters that suit my needs. It's great that I'm able to implement an unlimited number of use cases on the UBA, putting in as many different kinds of logic as I want. It's a big advantage.
What needs improvement?
I'd like to see improved support from the vendor. In addition there are things that are not documented on the IBM site. If you'd like to do something at a high level, the information is not available in the documentation and you have to find it elsewhere.
For how long have I used the solution?
I've been using this solution for five years.
What do I think about the stability of the solution?
The solution has never crashed or failed, it's stable.
What do I think about the scalability of the solution?
We haven't tested scalability and currently have around 100 users. I'm responsible for maintenance.
How are customer service and support?
The customer support is helpful but that's more about it being a good solution.
How was the initial setup?
The initial setup is straightforward, it's just a download and it installs. It's a matter of configuring a few parameters in terms of tweaking the thresholds that you want the app to fire in on. Installing takes a few seconds, but in terms of letting it land so that you can tweak it and tune the various metrics, takes about a week.
What's my experience with pricing, setup cost, and licensing?
This is a free solution, which is one of the main reasons we chose it. It's just a matter of getting a license for QRadar as a platform.
What other advice do I have?
I recommend this solution and rate it seven out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Technical Presales at a tech services company with 1,001-5,000 employees
Scalable with excellent security analytics
Pros and Cons
- "This solution has excellent security analytics."
- "I think that the search speed of this solution could be improved."
What is our primary use case?
I am an integrator of this solution, my customers use this as a SIEM solution for log management.
What is most valuable?
This solution has excellent security analytics.
What needs improvement?
I think that the search speed of this solution could be improved.
What do I think about the scalability of the solution?
This is a scalable solution, we have customers who have scaled.
How was the initial setup?
The initial setup is very easy and takes just one day.
What other advice do I have?
I would recommend this solution to everyone considering using it.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cybersecurity Business Development Manager at a comms service provider with 10,001+ employees
Helpful customer support, overall good functionality, and reliable
Pros and Cons
- "Overall a great solution."
- "There needs to be better integration with other applications."
What is our primary use case?
I am currently working in the Brazilian operation of my company. I have a project in the airline industry in Brazil. This project improves the correlation of logs. There is another company I ticket to improve the solution, they have chosen to correlate the logs. We have SOC, Security Operation Center in Brazil, with 53 employees. We developed all these solutions in Brazil and it is in operation in 34 countries.
What is most valuable?
Overall a great solution.
What needs improvement?
There needs to be better integration with other applications.
What do I think about the scalability of the solution?
We have approximately 40 users using the solution.
How are customer service and technical support?
The technical support is good.
How was the initial setup?
The installation is complex.
What about the implementation team?
We do the deployment for the solution.
What other advice do I have?
I rate IBM QRadar a ten out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.