We are partners with IBM. We do simulations for our clients. Then we resolve the issue that they're facing using IBM QRadar.
Works at a tech services company with 11-50 employees
Alerts us about events in our network environment and has superb functionality
Pros and Cons
- "IBM QRadar is easy to scale, it doesn't affect the environment. In our office, we have around 40 - 50 users, but our clients have more users on their networks. Our organization has staff in the software department that manages IBM QRadar for us."
- "The quoting and the dashboard session could be improved. It should be more user-friendly."
What is our primary use case?
How has it helped my organization?
We have integrated IBM QRadar with our firewall and some services that we use. When the logs are about to get full of SQL, IBM QRadar makes a notification. The admin knows that they're about to get full so he just goes and clears them out. That is when we usually use IBM QRadar. On our firewall, when the issue notifications are generated, we don't usually open the firewall but QRadar alerts us about what went down in our environment.
What is most valuable?
The most valuable feature of IBM QRadar is its slow control and even activation. I also like the post notifications on the screen.
What needs improvement?
The quoting and the dashboard session could be improved. It should be more user-friendly.
Otherwise, the overall functionality of IBM QRadar is superb. A better GUI and reporting both would be good additions to the product.
Buyer's Guide
IBM Security QRadar
December 2024
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
IBM QRadar is very stable. It doesn't have many errors.
What do I think about the scalability of the solution?
IBM QRadar is easy to scale. We can integrate other devices if we want to. We could go to distributed architecture instead, but we like this product. It doesn't affect the environment. In our office, we have around 40 - 50 users, but our clients have more users on their networks.
Our organization has staff in the software department that manages IBM QRadar for us. The security division just manages the login. Overall, only two to three staff are required for the management of IBM QRadar. They are more than enough to control the situation because most of it is easy. We definitely have plans to increase our current usage of the solution in the future.
How are customer service and support?
Technical support from IBM is not that good here in this region. It's quite helpful to have local support. They don't have much expertise in this product.
We usually have to go to IBM to resolve the issues if we have them because the overall product is a bit complex. There are not many local resources here in this region with expertise in IBM QRadar.
How was the initial setup?
The initial setup is straightforward. It's very easy. I think anyone can install it within minutes. The deployment of IBM QRadar takes around 20 to 25 minutes if you have a good hard drive.
What about the implementation team?
We deployed IBM QRadar ourselves. We have technicians. We bill the client and do the installation on our own, along with other IBM products.
What's my experience with pricing, setup cost, and licensing?
We do licensing on a yearly basis. It's for deployment. If the client wants more services, we support the license. There are no other costs for the product.
Which other solutions did I evaluate?
When I joined the company we were already partners with IBM. I didn't have much experience with other products.
What other advice do I have?
I would recommend IBM QRadar because of the security features and the organization. I can recommend the security. Security is nowadays an essential part of IBM QRadar.
IBM QRadar is probably the best possible solution in the market. I would rate it an eight out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Engineer at dig8labs
Custom parsing tool makes customization easy, and UI is friendly
Pros and Cons
- "The most valuable feature is the DSM Editor. The custom parsing tool is very nice, outstanding."
- "The product is good, but one feature they should have is an Elasticsearch. Currently, in QRadar, there are no Elasticsearch criteria."
How has it helped my organization?
The features make my work easier.
What is most valuable?
The most valuable feature is the DSM Editor. The custom parsing tool is very nice, outstanding. I have used McAfee's SIEM and LogRhythm as well, but because of this feature of QRadar, I don't think their solutions are good.
Customizing it is very easy and it has a user-friendly interface.
What needs improvement?
The product is good, but one feature they should have is an Elasticsearch. Currently, in QRadar, there are no Elasticsearch criteria. Elasticsearch is a very fast search engine. IBM should consider it as part of QRadar. Currently, QRadar has a very slow search. If I search previous months' data it stops.
For how long have I used the solution?
More than five years.
What do I think about the scalability of the solution?
The scalability is good. I'm quite satisfied with it.
How are customer service and technical support?
Technical support is the area IBM should work on. Support is not that responsive. If I open a support ticket, it takes three to four days for them to respond. They take that much time.
Which solution did I use previously and why did I switch?
I have used different solutions in the organization, but the main reason for switching is the customization. QRadar very much supports customization. Another reason is that, in the market, we can easily get QRadar resources, like an analyst or engineer, as compared to other products. This is a reason that organizations move towards QRadar.
How was the initial setup?
The initial setup was very straightforward. I didn't have to do anything once I installed it and configured it. It was very simple. Other solutions I have worked on, such as McAfee and LogRhythm, are a bit complex. This one is very easy to install and configure.
The deployment takes one to two months, max. The implementation strategy is totally dependent on the number of EPS, the requirements, and the types of log sources. We collect this information and then create our strategy.
I have been an engineer in many firms. I have deployed it by myself. One expert can deploy it. If there are 100,000 EPS you'll need more resources. If you have 5,000 to 10,000 EPS, one person can do it.
What's my experience with pricing, setup cost, and licensing?
IBM has subscription plans that run for one year.
What other advice do I have?
Overall, it's much better than other products.
In terms of increasing its usage, I have suggested to my organization that it tell customers to use it, its capacity and capabilities, with other tools like Watson.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Cyber Security Team Leader at a tech services company with 501-1,000 employees
Enables us to add extensions that provide valuable test ports but is not the best solution on the market
Pros and Cons
- "The ability to add extensions is the most valuable feature. For example, extensions that provide valuable test ports."
- "Their technical support is not good. We opened a lot of cases and from my experience, they are not complicated issues but it takes forever to get an answer."
What is our primary use case?
Our primary use case of this solution is for our customer's operations.
What is most valuable?
The ability to add extensions is the most valuable feature. For example, extensions that provide valuable test ports.
What needs improvement?
I don't think this is the best solution on the market because it takes much longer than ArcSight, for example, which provides more flexibility and capability to create much more complex use cases. Other tools provide more valuable things that you can do for the active channel.
I would like for them to develop out of the box content that doesn't require too much customization. Most of the out of the box we get from it requires too much customization. I would also like to see dynamic filters and better cross-integration between functions.
For how long have I used the solution?
Less than one year.
What do I think about the scalability of the solution?
We've only been using it for eight months so we haven't scaled much during this time but it seems to be very scalable. We use it a minimum of eight hours a day.
Which solution did I use previously and why did I switch?
We used ArcSight.
What about the implementation team?
We did the integration ourselves. It was straightforward.
What's my experience with pricing, setup cost, and licensing?
It is cheaper than ArcSight.
What other advice do I have?
I would rate this solution a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Security Engineer at a tech services company with 11-50 employees
We use it to create use cases and review offenses. One of the valuable features is its correlation engine.
What is most valuable?
- User-friendly
- Easy to deploy
- Easy to create use cases
- Easy to review an offense
- Its correlation engine is one of the best
How has it helped my organization?
I usually work on the deployment and fine-tuning of this product. However, I have some operational experience as well. For instance, you can simply audit all the IT equipment in your environment, such as the firewall, the IPS, and the Active Directory (AD) server.
What needs improvement?
It should have built-in blocking capability.
For how long have I used the solution?
I have used this solution for four years.
What do I think about the stability of the solution?
On a scale of 100, it is 95% stable.
What do I think about the scalability of the solution?
I did experience some scalability issues in one organization.
How are customer service and technical support?
The technical support is excellent.
Which solution did I use previously and why did I switch?
We were not using any other solution previously. This was my first solution. I am still working on it. I also have experience with McAfee Nitro and LogRhythm.
How was the initial setup?
The setup was straightforward.
What's my experience with pricing, setup cost, and licensing?
The pricing will definitely vary according to your EPS, but it is worth spending money on this product.
Which other solutions did I evaluate?
We looked at other solutions, such as McAfee Nitro and LogRhythm.
What other advice do I have?
Work on sizing as much as you can so you can avoid any issues after deployment. You should also fulfill hardware requirements for this product. Otherwise, you will not get its full functionality.
Disclosure: My company has a business relationship with this vendor other than being a customer: I am a vendor.
IT Security Manager at a tech services company with 201-500 employees
Excellent network monitoring but needs better compatibility
Pros and Cons
- "The feature that I have found most valuable is how it monitors the real network. That is its leading security feature."
- "The biggest problem was built on top of the QRadar in the executive operations center network. The integration was not using the network security specialist properly, and all the incidents were inferior with QRadar. Its compatibility is not really good."
What is our primary use case?
Our primary use case is for monitoring global infrastructure.
What is most valuable?
The feature that I have found most valuable is how it monitors the real network. That is its leading security feature.
What needs improvement?
In terms of what could be improved, I'd say do nothing, in its current state it does quite okay for now.
The biggest problem was built on top of the QRadar in the executive operations center network. The integration was not using the network security specialist properly, and all the incidents were inferior with QRadar. Its compatibility is not really good.
For how long have I used the solution?
I have been using IBM QRadar for more than five years.
I'm using the latest version of QRadar.
What do I think about the stability of the solution?
The stability is very good. Its operation is very good.
What do I think about the scalability of the solution?
We have less than five people using it.
For us, as a small security company, it is covering our needs and our growth.
How are customer service and technical support?
Customer support is good. When an incident gets raised there is a 10 day response.
How was the initial setup?
The initial setup was complex.
What about the implementation team?
We use the vendor for everything. That is the style of the corporation. For these jobs the responsibility and knowledge is on the vendor's side.
What's my experience with pricing, setup cost, and licensing?
Implementation is over time and the maintenance price for QRadar is competitive.
What other advice do I have?
On a scale of one to ten, I would give IBM QRadar a seven.
Overall, I would of course recommend this product to others because of all its functionalities.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Analyst at a tech services company with 501-1,000 employees
Easily monitors your environment with good user interface and plug-in integrations
Pros and Cons
- "One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like Scout, Carbon Black, and the rest."
- "I would like the rule creation interface to be much more user-friendly in the next release."
What is our primary use case?
We use IBM QRadar to monitor security logs across the network.
What is most valuable?
One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like ForeScout, Carbon Black, and the rest. Additionally, the ability of the agents to filter using XPath query to filter out the specific events you want to pick from, especially Windows log sources, is also very useful. That goes a long way in managing the EPS of the solution.
What needs improvement?
There are two ways you can pull logs: one way is where you can receive logs or send logs using the agents and previous transformation, and the other way is where QRadar logs onto the servers using the admin account and then pulls the logs itself. The functionality that I would love to see with that remote pulling is to have the ability to also select what logs it's pulling, because when you use MSRPC now to receive logs from your log source, it basically pulls all the events from that server. So even the noisy events that would overshoot your EPS would also be pulled. So for particularly active or high servers that generate a whole lot of security events, let's say like your SFTP server that has a lot of devices on your network connecting to it, if you try to pull the logs remotely it would overshoot your EPS really quickly.
So if they could improve the functionality of the remote pull to also be able to select the logs that it is pulling from the log sources, that would be very, very effective. The reason for the pull is because the agents are not tamper-proof and any administrator can help shut down the service and uninstall the application and a whole lot of other things. Basically, your listening agent is at the mercy of the administrators, and for a security device or security software, that is a big vulnerability, because anybody can then go into the server, stop the agent, and then run any command or make any change they want to do, which would make your monitoring null and void. It would be good if the agent itself could be tamper-proof. And back to the first point, the reason why I prefer the remote pull is if there's no agent on the server and it's the console logging onto the server, your monitoring is much more secure. Regardless of what changes are being made on the server or what's going on the server, if the server is shut down and then a newer version is brought up with the same hostname and IP address, you would not need to go back in and re-install the agent. The console would just automatically connect back to that server once the IP address and the host are back up.
Additionally, I would like the rule creation interface to be much more user-friendly in the next release.
For how long have I used the solution?
I have been using IBM QRadar every day for the last 12 months.
What do I think about the stability of the solution?
In terms of stability, it is very stable. In the almost two years in the environment, there has been only one issue. It was a disc failure and that was replaced within a week by the OEM.
What do I think about the scalability of the solution?
Scalability might be an issue, but maybe it's because in our environment we do not use the application host. Since we use on-premise appliances we did notice that performance degraded a little when we added some plugins. So the recommendation was that we should have a separate application server that would host the application and then interface with the plugins and interface with the management console. But we do not have that within our environment so I can't speak to whether that would improve performance.
How are customer service and technical support?
IBM tech support has been responsive.
How was the initial setup?
I believe the initial setup was straightforward but I was not here for the setup, although I did not get any complaints.
What's my experience with pricing, setup cost, and licensing?
The license is a yearly one.
What other advice do I have?
I would recommend IBM QRadar. The user interface is really great and it simplifies the task of monitoring your environment.
On a scale of one to ten, I would give IBM QRadar an eight.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
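The XPath filtering the reviewer above relies on to keep Windows log sources within the EPS budget can be checked on the source host before the query is pushed to a collection agent. This is an added example, not the reviewer's or IBM's code; it assumes the agent accepts the same QueryList XML that Event Viewer custom views use, and the event IDs and LogonType value are standard Windows Security log values.

```powershell
# Added example: validate a Windows Event Log XPath filter locally and
# estimate the EPS a filtered Security log source would send to the SIEM.
# Assumption: the collection agent accepts Event Viewer QueryList XML.
# 4624 = logon, 4625 = failed logon, 4688 = process creation (standard IDs).
# Reading the Security log requires an elevated PowerShell session.
$FilterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <!-- keep only the events the detection use cases need, last hour -->
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4688)
        and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
    </Select>
    <!-- drop service logons (LogonType 5), usually the noisiest 4624s -->
    <Suppress Path="Security">
      *[System[EventID=4624] and EventData[Data[@Name='LogonType']='5']]
    </Suppress>
  </Query>
</QueryList>
"@

# Same one-hour window with no event selection, for a before/after comparison
$UnfilteredXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
    </Select>
  </Query>
</QueryList>
"@

function Get-FilteredEps {
    param([string]$Xml, [int]$WindowSeconds = 3600)
    # Get-WinEvent raises a non-terminating error when nothing matches;
    # SilentlyContinue turns that into an empty result instead of noise.
    $events = @(Get-WinEvent -FilterXml $Xml -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Events        = $events.Count
        WindowSeconds = $WindowSeconds
        Eps           = [math]::Round($events.Count / $WindowSeconds, 3)
        # per-event-ID breakdown shows which IDs still dominate after filtering
        ByEventId     = $events | Group-Object Id | Sort-Object Count -Descending |
                        Select-Object Name, Count
    }
}

$before = Get-FilteredEps -Xml $UnfilteredXml
$after  = Get-FilteredEps -Xml $FilterXml
"Unfiltered: {0} events, {1} EPS" -f $before.Events, $before.Eps
"Filtered:   {0} events, {1} EPS" -f $after.Events,  $after.Eps
$after.ByEventId | Format-Table -AutoSize
```

Run it on a representative server during a busy hour; the unfiltered figure is what an MSRPC remote pull of the whole log would contribute, the filtered one is what the agent query would send.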
Easy to use and helps me analyze incidents that occur
Pros and Cons
- "They should provide more manual examples online so that I can learn it myself."
What is our primary use case?
I use it to analyze incidents.
What is most valuable?
I like the API and it's easy to use.
What needs improvement?
They should provide more manual examples online so that I can learn it myself. The dashboard also needs improvement.
For how long have I used the solution?
More than five years.
How was the initial setup?
We require eight staff members for the maintenance.
What's my experience with pricing, setup cost, and licensing?
It's too expensive.
What other advice do I have?
I would rate it an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Assistant IT Manager at an insurance company with 1,001-5,000 employees
A SIEM solution that's easy to use, but the price could be better
Pros and Cons
- "I like that it's easy to use and the performance is good."
- "It would be better if it were more stable and more secure. The price for maintenance could be better. It's too high. In the next release, I think they should focus on the price and the operation."
What is our primary use case?
I use QRadar for cybersecurity defense, operation, and to improve performance.
What is most valuable?
I like that it's easy to use and the performance is good.
What needs improvement?
It would be better if it were more stable and more secure. The price for maintenance could be better. It's too high. In the next release, I think they should focus on the price and the operation.
For how long have I used the solution?
I have been using IBM QRadar for four years.
What do I think about the stability of the solution?
IBM QRadar is a stable solution, but it could be more stable.
What do I think about the scalability of the solution?
IBM QRadar is a scalable solution. We have about 100 users at the moment.
How are customer service and technical support?
I remember that I opened ten or 20 cases to receive support from IBM over three years.
How was the initial setup?
The initial setup and deployment are very easy. I think it took us about a month to implement this solution. We have a team of two, one manager and one technical, to deploy, manage, and maintain this solution.
What about the implementation team?
We installed this solution with the help of a consultant.
What's my experience with pricing, setup cost, and licensing?
The price could be better. I bought a subscription for three years.
What other advice do I have?
On a scale from one to ten, I would give IBM QRadar a seven.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.