IBM Security QRadar Reviews

We are partners with IBM. We do simulations for our clients. Then we resolve the issue that they're facing using IBM QRadar.

We have integrated IBM QRadar with our firewall and some services that we use. When the logs are about to get full of SQL, IBM QRadar makes a notification. The admin knows that they're about to get full so he just goes and clears them out. That is when we usually use IBM QRadar. On our firewall, when the issue notifications are generated, we don't usually open the firewall but QRadar alerts us about what went down in our environment.

The most valuable feature of IBM QRadar is its slow control and even activation. I also like the post notifications on the screen.

The quoting and the dashboard session could be improved. It should be more user-friendly.

Otherwise, the overall functionality of IBM QRadar is superb. A better GUI and reporting both would be good additions to the product.

IBM QRadar is very stable. It doesn't have many errors.

IBM QRadar is easy to scale. We can integrate other devices if we want to. We could go to distributed architecture instead, but we like this product. It doesn't affect the environment. In our office, we have around 40 - 50 users, but our clients have more users on their networks. 

Our organization has staff in the software department that manages IBM QRadar for us. The security division just manages the login. Overall, only two to three staff are required for the management of IBM QRadar. They are more than enough to control the situation because most of it is easy. We definitely have plans to increase our current usage of the solution in the future.

Technical support from IBM is not that good here in this region. It's quite helpful to have local support. They don't have much expertise in this product. 

We usually have to go to IBM to resolve the issues if we have them because the overall product is a bit complex. There are not many local resources here in this region with expertise in IBM QRadar.

The initial setup is straightforward. It's very easy. I think anyone can install it within minutes. The deployment of IBM QRadar takes around 20 to 25 minutes if you have a good hard drive.

We deployed IBM QRadar ourselves. We have technicians. We bill the client and do the installation on our own, along with other IBM products

We do licensing on a yearly basis. It's for deployment. If the client wants more services, we support the license. There are no other costs for the product.

When I joined the company we were already partners with IBM. I didn't have much experience with other products.

I would recommend IBM QRadar because of the security features and the organization. I can recommend the security. Security is nowadays an essential part of IBM QRadar. 

IBM QRadar is probably the best possible solution in the market. I would rate it an eight out of 10.

The features make my work easier.

The most valuable feature is the DSM Editor. The custom parsing tool is very nice, outstanding. I have used McAfee's SIEM and LogRhythm as well, but because of this feature of QRadar, I don't think their solutions are good.

Customizing it is very easy and it has a user-friendly interface. 

The product is good, but one feature they should have is an Elasticsearch. Currently, in QRadar, there are no Elasticsearch criteria. Elasticsearch is a very fast search engine. IBM should consider it as part of QRadar. Currently, QRadar has a very slow search. If I search previous months' data it stops.

The scalability is good. I'm quite satisfied with it.

Technical support is the area IBM should work on. Support is not that responsive. If I open a support ticket, it takes three to four days for them to respond. They take that much time.

I have used different solutions in the organization, but the main reason for switching is the customization. QRadar very much supports customization. Another reason is that, in the market, we can easily get QRadar resources, like an analyst or engineer, as compared to other products. This is a reason that organizations move towards QRadar.

The initial setup was very straightforward. I didn't have to do anything once I installed it and configured it. It was very simple. Other solutions I have worked on, such as McAfee and LogRhythm, are a bit complex. This one is very easy to install and configure.

The deployment takes one to two months, max. The implementation strategy is totally dependent on the number of EPS, the requirements, and the types of log sources. We collect this information and then create our strategy.

I have been an engineer in many firms. I have deployed it by myself. One expert can deploy it. If there are 100,000 EPS you'll need more resources. If you have 5,000 to 10,000 EPS, one person can do it.

IBM has subscriptions plans that run for one year.

Overall, it's much better than other products.

In terms of increasing its usage, I have suggested to my organization that it tell customers to use it, its capacity and capabilities, with other tools like Watson.

Our primary use case of this solution is for our customer's operations. 

The ability to add extensions is the most valuable feature. For example, extensions that provide valuable test ports.

I don't think this is the best solution on the market because it takes much longer than ArcSight, for example, which provides more flexibility and capability to create much more complex use cases. Other tools provide more valuable things that you can do for the active channel. 

I would like for them to develop out of the box content that doesn't require too much customization. Most of the out of the box we get from it requires too much customization. I would also like to see dynamic filters and better cross-integration between functions.  

We've only been using it for eight months so we haven't scaled much during this time but it seems to be very scalable. We use it a minimum of eight hours a day.

We used ArcSight.

We did the integration ourselves. It was straightforward. 

It is cheaper than ArcSight. 

I would rate this solution a six out of ten. 

• User-friendly
• Easy to deploy
• Easy to create use cases
• Easy to review an offense
• Its correlation engine is one of the best

I usually work on the deployment and fine-tuning of this product. However, I have some operational experience as well. For instance, you can simply audit all the IT equipment in your environment, such as the firewall, the IPS, and the Active Directory (AD) server.

It should have built-in blocking capability.

I have used this solution for four years.

On a scale of 100, it is 95% stable.

I did experience some scalability issues in one organization.

The technical support is excellent.

We were not using any other solution previously. This was my first solution. I am still working on it. I also have experience with McAfee Nitro and LogRhythm.

The setup was straightforward.

The pricing will definitely vary according to your EPS, but it is worth spending money on this product.

We looked at other solutions, such as McAfee Nitro and LogRhythm.

Work on sizing as much as you can so you can avoid any issues after deployment. You should also fulfill hardware requirements for this product. Otherwise, you will not get its full functionality.

Our primary use case is for monitoring global infrastructure.

The feature that I have found most valuable is how it monitors the real network. That is its leading security feature.

In terms of what could be improved, I'd say do nothing, in its current state it does quite okay for now.

The biggest problem was built on top of the QRadar in the executive operations center network. The integration was not using the network security specialist properly, and all the incidents were inferior with QRadar. Its compatibility is not really good

I have been using IBM QRadar for more than five years.

I'm using the latest version of QRadar.

The stability is very good. Its operation is very good.

We have less than five people using it.

For us, as a small security company, it is covering our needs and our growth.

Customer support is good. When an incident gets raised there is a 10 day response.

The initial setup was complex.

We use the vendor for everything. That is the style of the corporation. For these jobs the responsibility and knowledge is on the vendor's side.

Implementation is over time and the maintenance price for QRadar is competitive.

On a scale of one to ten, I would give IBM QRadar a seven.

Overall, I would of course recommend this product to others because of all its functionalities.

We use IBM QRadar to monitor security logs across the network.

One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like ForeScout, Carbon Black, and the rest. Additionally, the ability of the agents to filter using XPath query to filter out the specific events you want to pick from, especially Windows log sources, is also very useful. That goes a long way in managing the EPS of the solution.

There are two ways you can pull logs: one way is where you can receive logs or send logs using the agents and previous transformation and the other way is where QRadar logs onto the servers using the admin account and then pulls the logs itself. The functionality that I would love to see with that remote pulling is to have the ability to also select what logs its pulling because when you use MSRPC now to receive loads from your log surface, it basically pulls all the events from that server. So even the noisy events that would overshoot your EPS, would also be pulled. So for particularly active or high servers that generate a whole lot of security events, let's say like your SFTP server that has a lot of devices on your network connecting to it, if you try to pull the logs remotely it would overshoot your EPS really quickly.

So if they could improve the functionality of the remote pull to also be able to select the logs that it is pulling from the log sources, that would be very, very effective. The reason for the pull is because the agents are not tamper-proof and any administrator can help shut down the service and uninstall the application and a whole lot of other things. Basically, your listening agent is at the mercy of the administrators, and for a security device or security software, that is a big vulnerability, because anybody can then go into the server, stop the agent, and then run any command or make any change they want to do, which would make your monitoring null and void. It would be good if the agent itself could be tamper-proof. And back to the first point, the reason why I prefer the remote pull is if there's no agent on the server and it's the console logging onto the server, your monitoring is much more secure. Regardless of what changes are being made on the server or what's going on the server, if the server is shut down and then a newer version is brought up with the same hostname and IP address, you would not need to go back in and re-install the agent. The console would just automatically connect back to that server once the IP address and the host are back up.

Additionally, I would like the rule creation interface to be much more user-friendly in the next release.

I have been using IBM QRadar every day for the last 12 months.

In terms of stability, it is very stable. In the almost two years in the environment, there has been only one issue. It was a disc failure and that was replaced within a week by the OEM.

Scalability might be an issue, but maybe it's because in our environment we do not use the application host. Since we use on-premise appliances we did notice that performance degraded a little when we added some plugins. So the recommendation was that we should have a separate application server that would host the application and then interface with the plugins and interface with the management console. But we do not have that within our environment so I can't speak to whether that would improve performance.

IBM tech support has been responsive.

I believe the initial setup was straightforward but I was not here for the setup, although I did not get any complaints.

The license is a yearly one.

I would recommend IBM QRadar. The user interface is really great and it simplifies the task of monitoring your environment.

On a scale of one to ten, I would give IBM QRadar an eight.

I use it to analyze incidents. 

I like the API and it's easy to use. 

They should provide more manual examples online so that I can learn it myself. The dashboard also needs improvement. 

We require eight staff members for the maintenance. 

It's too expensive. 

I would rate it an eight out of ten. 

I use QRadar for cybersecurity defense, operation, and to improve performances.

I like that it's easy to use and the performance is good.

It would be better if it were more stable and more secure. The price for maintenance could be better. It's too high. In the next release, I think they should focus on the price and the operation.

I have been using IBM QRadar for four years.

IBM QRadar is a stable solution, but it could be more stable.

IBM QRadar is a scalable solution. We have about 100 users at the moment.

I remember that I opened ten or 20 cases to receive support from IBM over three years.

The initial setup and deployment are very easy. I think it took us about a month to implement this solution. We have a team of two, one manager and one technical, to deploy, manage, and maintain this solution.

We installed this solution with the help of a consultant.

The price could be better. I bought a subscription for three years. 

On a scale from one to ten, I would give IBM QRadar a seven.