Network & Cyber Security Engineer at a manufacturing company with 1,001-5,000 employees
Real User
A stable solution that comes with many search options
Pros and Cons
  • "It provides many options for searching. I can see devices from different vendors, like Cisco, in one interface, which is good for me."
  • "We sometimes get an error about the hard drive. Approximately once in two months, we can't find the logs, and they go missing, which is a terrible issue. We are getting support for this issue from our support company."

What is most valuable?

It provides many options for searching. I can see devices from different vendors, like Cisco, in one interface, which is good for me.

What needs improvement?

We sometimes get an error about the hard drive. Approximately once in two months, we can't find the logs, and they go missing, which is a terrible issue. We are getting support for this issue from our support company.

For how long have I used the solution?

I have been using this solution for one and a half years. We have been using this solution in our company for about four years. We have around 800 to 900 users.

What do I think about the stability of the solution?

It is very stable, but the hard drive sometimes does not have logs.

Buyer's Guide
IBM Security QRadar
January 2025
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,265 professionals have used our research since 2012.

How are customer service and support?

IBM is always there to support us. We have no trouble with them.

We have agreements with different companies for support. They are good. For some issues, they take more time, like a day or two days. 

What about the implementation team?

We have almost ten engineers for IT sites.

What other advice do I have?

I would rate IBM QRadar User Behavior Analytics an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1342335 - PeerSpot reviewer
Principal Security Architect at a computer software company with 10,001+ employees
Real User
They have to build more quantitative monitoring, profiling, and make it more predictive
Pros and Cons
  • "In terms of the most valuable features, the log collections and log processing mechanisms are good. They have good dashboards."
  • "They have to build more quantitative monitoring, profiling, and make it more predictive."

What is our primary use case?

Some of these products can be used in any vertical like healthcare, manufacturing, and vehicle. You can use these products in all types of verticals. But I found that there is a limitation in central verticals. These products do not do well in central verticals.

What is most valuable?

In terms of the most valuable features, the log collections and log processing mechanisms are good. They have good dashboards. They probably have the best cloud management log processing. They are going to announce user intended behavior and management features. Compliance monitoring is okay. All these things become a commodity.

What needs improvement?

They have to build more quantitative monitoring, profiling, and make it more predictive.

For how long have I used the solution?

I have been working with IBM QRadar for the last seven to eight years. 

What do I think about the stability of the solution?

QRadar is quite stable, but I am not sure about the volume. There is no clear volume. If I were to cross to an enterprise and the stability is not available then it would be a problem.

What do I think about the scalability of the solution?

Augmented solutions are very tough to scale because you already fulfilled how well you fulfill the software and then you will have to limit the scalability. That is a problem.

Our clients are small, medium, and enterprise size. 

How are customer service and technical support?

Technical support is not that strong from IBM. It definitely does not compare to any standard support organization. It's not that great.

How was the initial setup?

The setup is comparatively easy, it's not that tough. But if you look at the current situation with COVID-19, people or organizations are not looking at how easy the cost of the innovation is. People want a plug and play option. 

It's like if you go to the market, you buy a car, you get the key, you just sit in the car and drive it out. With traditional companies like IBM, you have to use all the hardware, you have to use all the software, and the setup can take one month, two months, or three months, depending on the scope. Nowadays consumers are looking for a souped-up car. They expect the tool to be operational within a maximum of a week or 15 days. That is what is missing in QRadar.

The time it takes to deploy depends on the project scope. The order of planning can take a month to three months.

You will need three people to set it up. It can get quite expensive in retrospect. I prefer to have a plug and play service.

What's my experience with pricing, setup cost, and licensing?

There are more costs in addition to standard licensing: support and building.

What other advice do I have?

If you are only looking at IBM, make sure to evaluate the product thoroughly. Make sure to see the complete list they offer, like more of the competitive features. Explore the options available on the market.

It doesn't really integrate well with other products. 

I would rate it a three out of ten. It is missing key features. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user632760 - PeerSpot reviewer
Lead Developer
Real User
Based on the analysis, we can easily identify from where the threat is originating.

What is most valuable?

The most valuable features of this solution are analyzing who is saying what and in case of a threat, we can easily identify from where the threat is originating, based on the analysis.

How has it helped my organization?

We have implemented this QRadar solution to identify the data, whether it is being used at various parties including our trading partners, i.e., both the internal as well as external partners. Thus, by using this product, we can also come to the conclusion as to how the data is being applied best and we can decide what to link, i.e., if we need any infrastructure improvements and so on.

What do I think about the stability of the solution?

I am not currently responsible for this product. However, I did not hear any complaints from the other people in terms of its stability.

What do I think about the scalability of the solution?

We are not directly managing this product. I am from the integration team and the QRadar solution is mostly used by our information security.

Which solution did I use previously and why did I switch?

Initially, we were using another IBM product. With QRadar, we are getting better outputs such as the reports and other outputs.

The reason why we chose IBM is because we are using so many products from IBM today.

In general, the most important criteria that we look for while selecting a vendor are that there should be other proven solutions offered by the vendor and they need to be a type of investigator since we belong to a specific healthcare industry. So, we are very careful when we are choosing a vendor.

How was the initial setup?

We were involved in the setup in terms of sending the information back and forth to QRadar. Other than that, I did not take part in the installation.

What other advice do I have?

Definitely invest in the QRadar solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Founder at a university with 11-50 employees
Real User
A stable, scalable, and easy-to-use solution that lets you view users' activities
Pros and Cons
  • "The UBA feature is the most valuable because you can see everything about users' activities."
  • "The threat intelligence functionality can be better. In addition, it can have more monitoring capabilities."

What is most valuable?

The UBA feature is the most valuable because you can see everything about users' activities. 

What needs improvement?

The threat intelligence functionality can be better. In addition, it can have more monitoring capabilities.

For how long have I used the solution?

I started to use it two to three years ago.

What do I think about the stability of the solution?

Its stability is very good. I don't have any problem with it.

What do I think about the scalability of the solution?

It has good scalability. It is easy to scale, but it is a little bit expensive to scale because you have to pay a lot for everything.

How are customer service and technical support?

Their technical support is good.

Which solution did I use previously and why did I switch?

I have also used Kibana. It is a good tool. The biggest difference between Kibana and QRadar is that Kibana is an open-source SIEM integration solution. So, you need more professionals, and you have to do everything by yourself, whereas in the case of QRadar, you get everything. You are paying not only for QRadar but also for other things like support and integration. In an open-source SIEM integration solution like Kibana, you don't get these things.

How was the initial setup?

It is an easy tool for me, so the initial setup was easy for me, but it might not be easy for everyone. If you compare it with Kibana, QRadar is easier to implement.

The implementation strategy was to follow the users, collect the logs, and then implement QRadar.

What about the implementation team?

We implemented it ourselves.

What's my experience with pricing, setup cost, and licensing?

Its price is good in terms of efficiency and the number of people required for implementing various things. You might pay more in terms of money, but you might save on the number of people. For example, if you are using Kibana, you have to pay more for people or experts, which is not the case with IBM QRadar.

What other advice do I have?

When you go for this solution, you are paying not only for the product but also for integration, good staff to help you, scalability, and many other things. There are many things that you can use in QRadar. It is easy to use.

I would rate IBM QRadar a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer841053 - PeerSpot reviewer
Cyber Security Team Leader at a tech services company with 501-1,000 employees
Real User
Enables us to add extensions that provide valuable test ports but is not the best solution on the market
Pros and Cons
  • "The ability to add extensions is the most valuable feature. For example, extensions that provide valuable test ports."
  • "Their technical support is not good. We opened a lot of cases and from my experience, they are not complicated issues but it takes forever to get an answer."

What is our primary use case?

Our primary use case of this solution is for our customer's operations. 

What is most valuable?

The ability to add extensions is the most valuable feature. For example, extensions that provide valuable test ports.

What needs improvement?

I don't think this is the best solution on the market because it takes much longer than ArcSight, for example, which provides more flexibility and capability to create much more complex use cases. Other tools provide more valuable things that you can do for the active channel. 

I would like for them to develop out-of-the-box content that doesn't require too much customization. Most of the out-of-the-box content we get from it requires too much customization. I would also like to see dynamic filters and better cross-integration between functions.

For how long have I used the solution?

Less than one year.

What do I think about the scalability of the solution?

We've only been using it for eight months so we haven't scaled much during this time but it seems to be very scalable. We use it a minimum of eight hours a day.

Which solution did I use previously and why did I switch?

We used ArcSight.

What about the implementation team?

We did the integration ourselves. It was straightforward. 

What's my experience with pricing, setup cost, and licensing?

It is cheaper than ArcSight. 

What other advice do I have?

I would rate this solution a six out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Operations Analyst at a logistics company with 51-200 employees
Real User
Helps a company when investigating a case and with preventive actions
Pros and Cons
  • "An engineer can live-monitor all the flow happening in real-time. This would help us a lot while investigating a case, and it would even help us with preventive actions."
  • "QRadar needs to be improved on the storage side, particularly when the disk exceeds the maximum threshold."

What is our primary use case?

I used the IBM QRadar product from 2015 until 2017.

How has it helped my organization?

When the WannaCry attack happened, QRadar helped the company a lot with the investigation of the firewall, antivirus, and other appliances.

What is most valuable?

The "Network Activity" feature was really good. An engineer can live monitor all the flow happening in real-time. This would help us a lot while investigating a case, and it would even help us with preventive actions.

What needs improvement?

QRadar needs to be improved on the storage side, particularly when the disk exceeds the maximum threshold.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1388217 - PeerSpot reviewer
Analyst at a tech services company with 501-1,000 employees
Real User
Easily monitors your environment with good user interface and plug-in integrations
Pros and Cons
  • "One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like ForeScout, Carbon Black, and the rest."
  • "I would like the rule creation interface to be much more user-friendly in the next release."

What is our primary use case?

We use IBM QRadar to monitor security logs across the network.

What is most valuable?

One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like ForeScout, Carbon Black, and the rest. Additionally, the ability of the agents to filter using XPath query to filter out the specific events you want to pick from, especially Windows log sources, is also very useful. That goes a long way in managing the EPS of the solution.

What needs improvement?

There are two ways you can pull logs: one way is where you can receive logs or send logs using the agents and previous transformation, and the other way is where QRadar logs onto the servers using the admin account and then pulls the logs itself. The functionality that I would love to see with that remote pulling is to have the ability to also select what logs it's pulling, because when you use MSRPC now to receive logs from your log source, it basically pulls all the events from that server. So even the noisy events that would overshoot your EPS would also be pulled. So for particularly active or high-volume servers that generate a whole lot of security events, let's say your SFTP server that has a lot of devices on your network connecting to it, if you try to pull the logs remotely it would overshoot your EPS really quickly.

So if they could improve the functionality of the remote pull to also be able to select the logs that it is pulling from the log sources, that would be very, very effective. The reason for the pull is that the agents are not tamper-proof, and any administrator can shut down the service, uninstall the application, and do a whole lot of other things. Basically, your listening agent is at the mercy of the administrators, and for a security device or security software, that is a big vulnerability, because anybody can then go into the server, stop the agent, and then run any command or make any change they want to, which would make your monitoring null and void. It would be good if the agent itself could be tamper-proof. And back to the first point, the reason why I prefer the remote pull is that if there's no agent on the server and it's the console logging onto the server, your monitoring is much more secure. Regardless of what changes are being made on the server or what's going on on the server, if the server is shut down and then a newer version is brought up with the same hostname and IP address, you would not need to go back in and reinstall the agent. The console would just automatically connect back to that server once the IP address and the host are back up.

Additionally, I would like the rule creation interface to be much more user-friendly in the next release.

For how long have I used the solution?

I have been using IBM QRadar every day for the last 12 months.

What do I think about the stability of the solution?

In terms of stability, it is very stable. In the almost two years in the environment, there has been only one issue. It was a disc failure and that was replaced within a week by the OEM.

What do I think about the scalability of the solution?

Scalability might be an issue, but maybe it's because in our environment we do not use the application host. Since we use on-premise appliances we did notice that performance degraded a little when we added some plugins. So the recommendation was that we should have a separate application server that would host the application and then interface with the plugins and interface with the management console. But we do not have that within our environment so I can't speak to whether that would improve performance.

How are customer service and technical support?

IBM tech support has been responsive.

How was the initial setup?

I believe the initial setup was straightforward but I was not here for the setup, although I did not get any complaints.

What's my experience with pricing, setup cost, and licensing?

The license is a yearly one.

What other advice do I have?

I would recommend IBM QRadar. The user interface is really great and it simplifies the task of monitoring your environment.

On a scale of one to ten, I would give IBM QRadar an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
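The XPath filtering this reviewer relies on for Windows log sources can be made concrete with an added example that is not from the reviewer or from IBM: a Windows Event Log query in the standard QueryList syntax that keeps the Security events an analyst acts on, suppresses the high-volume events that drive up EPS on busy hosts, and also forwards Service Control Manager state changes so that a collector service being stopped leaves a record. It assumes the agent-side filter accepts this standard Windows query syntax; the event IDs are standard Windows Security and System log IDs.

```xml
<!-- Constructed example query, not vendor-supplied content -->
<QueryList>
  <!-- Security log: forward only actionable events -->
  <Query Id="0" Path="Security">
    <!-- 4624/4625 logon success and failure, 4688 process creation (needs
         process-creation auditing enabled), 4720 account created,
         4728/4732 member added to a security-enabled group, 1102 audit log cleared -->
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=1102)]]</Select>
    <!-- 5156/5158 (Windows Filtering Platform connection/bind) are the usual
         EPS hogs on file and SFTP servers with many inbound clients; drop them
         even if a broader Select is added later, because Suppress wins -->
    <Suppress Path="Security">*[System[(EventID=5156 or EventID=5158)]]</Suppress>
  </Query>
  <!-- System log: service start/stop and start-type changes from the Service
       Control Manager, so that stopping or disabling the collector service
       itself is visible to the SIEM -->
  <Query Id="1" Path="System">
    <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7036 or EventID=7040)]]</Select>
  </Query>
</QueryList>
```

Before pushing the filter to the collector, the same QueryList can be dry-run on a representative host with PowerShell's `Get-WinEvent -FilterXml` to count how many events per hour survive it and confirm the EPS saving is real.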
Cyber threat Intelligence Manager at CyberLab Africa
Real User
Beneficial log reporting, excellent technical support, but stability needs improvement
Pros and Cons
  • "The most valuable features are log monitoring, easy-to-fix issues, and problem-solving."
  • "There is a shortage of skilled individuals with knowledge about the solution. There is training required."

What is our primary use case?

We use IBM QRadar for threat protection.

What is most valuable?

The most valuable features are log monitoring, easy-to-fix issues, and problem-solving.

What needs improvement?

There is a shortage of skilled individuals with knowledge about the solution. There should be more training programs to teach and enable users to get familiar with it.

For how long have I used the solution?

I have been using this solution for approximately one year.

What do I think about the stability of the solution?

The stability of the solution could improve.

What do I think about the scalability of the solution?

We have approximately 20 people using this solution in my organization.

How are customer service and technical support?

The technical support is great. Additionally, there are plenty of resources available to increase knowledge about the solution.

Which solution did I use previously and why did I switch?

We have used other solutions in the past.

How was the initial setup?

The installation is not very difficult; I did not have any problems.

What about the implementation team?

We used consultants for the implementation. We have five engineers that do the maintenance of this solution.

What's my experience with pricing, setup cost, and licensing?

There is a license required for this solution.

What other advice do I have?

I would recommend this solution to others.

I rate IBM QRadar a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.