IBM Security QRadar Reviews

We are using it from the compliance perspective. We need this solution to comply with HIPAA and PCI because our clients require HIPAA and PCI DSS compliance. We also use it for log management, primarily security logs, and to some extent, for operational activities, even though this tool is actually not meant for operational tasks. We do keep track of errors in our appliances like hardware, storage, and network switches through QRadar.

The main or core solution is on-premises. There is an extended arm, which is in the cloud as well for cloud integration.

Security incident and event management are actually the core functionalities of this solution. We receive security logs on this product and based on the received logs, we can create offense tickets that are forwarded to Netcool, which is another solution that we have. I don't have experience with that, but our integration is there so that any offense or security event is forwarded to Netcool, and a ticket is automatically generated in ServiceNow for that offense. This level of automation that we have for security-related events is done through this solution. There's no manual work involved, which obviously takes away a lot of load from the individuals who are managing the security side of it.

It is a pretty solid product for the type that it is representing i.e. SIEM. It can do automatic correlation based on the traffic that you are receiving to some extent. It has plethora of options available for third party application integration. For e.g CISCO Firepower, Palo Alto Dashboard for CISCO and Palo Alto Firewall respectively. Integration with Cloud based Log Sources is also supported via. parsers that support API Connect. This is helpful when pulling in Logs from AWS, Azure, GCP or other Cloud Based Solution like Carbon Black, Imperva etc.

A lot of information that we receive for the devices is IP-based, but it would help if we could have a default dashboard in which we can add more details about the assets for which we are receiving the information. For example, if it is a Windows or Linux device, we only get the IP for that particular device. We don't really get the name and other details of that particular device. For that, you have to drill down into your own asset management system. It would be good to have a place where we can probably add this information so that we don't have to look into other tools.

I have been using this solution for about six months.

It is very stable. As long as you have the proper connectivity availability, it is pretty stable.

Our deployment covers North America, South America and part of Europe. The product is easy to deploy and scale. Almost everyone in our organization is using this solution because most of our projects rely on this. Because of the compliance requirement, most of our projects have to be integrated with QRadar. Each business unit or each program that we have in another environment has independent access to the solutions. They might not be the end users, of course, but at least every admin team of every program unit has access to this tool so that they can see what's happening in their environment.

It also supports multi-tenancy. So, if you have multiple clients or multiple tenants in your environment, you can create logical containers for them. From a logical point of view, you can create separate disconnected containers for each client so that they can only see their data.

Their technical support is quite good. I would rate them a nine out of ten.

Yes, we switched over from NNT to QRardar. This product is more detailed. Expensive but definitely more detailed! :)

It was pretty straightforward. These are hardware appliances. So, you need to rack and stack them. If the rack space, cabling, and other things are already done, which would typically be the responsibility of a data center team, it essentially takes three to five days. But this is only the core deployment. The fine tuning on top of it would take extra time based on the environment and how complex it is.

It was implemented by team that included me. We have an external team for its maintenance.

The IBM QRadar Licensing for the core Events(EPS) and Flows(FPS) is per second based. The licensing is perpetual and surely expensive but the output of the Product makes it worth your money. 

I would absolutely recommend this solution. I am pretty okay with it, and I don't have any issues with it. It has some competitors like Splunk and LogRhythm. Symantec has its own SIEM solution. ArcSight, LogRhythm, and Splunk are in the first quadrant for the Gartner research. They are leaders in their products, and they know what they're doing. It also comes down to what your company is into, how does it fit into a particular environment, and how compatible it is with a particular environment. I could have gone on the Splunk path and probably said the same thing for it as well. 

I would rate IBM QRadar a nine out of ten. It is a pretty solid product.

We use the product to customize rules and detect malicious behavior. 

The tool's most valuable feature is real-time detection. 

The solution is not as flexible as Splunk. 

I have been working with the product since 2016. 

I haven't contacted technical support yet. 

I worked with Splunk before IBM Security QRadar.

The solution's pricing is based on the EPS model. 

I prefer Splunk since it gives a lot more freedom and flexibility. I rate the overall solution a six out of ten. 

We utilize the product for our Security Operations Center operations. Additionally, we extend its use to our customers, employing it for tasks such as threat hunting, investigation, and triage analysis.

The tool's most valuable feature is log source management. It enables us to connect to various log sources, including content, authentications, or other customized integrations. These integrations can be tailored for use with other platforms that don’t already have built-in IBM add-ons.

Its scalability is also important. It is also compatible with ISO 27001, DSS API, and various certifications.

As part of our security infrastructure, this tool excels in detecting a wide range of attacks. Its responsiveness surpasses that of alternative solutions. Moreover, the user-friendly interface greatly benefits our analysts. The product is helpful in anomaly detection scenarios.

Additionally, we leverage out-of-the-box content and libraries within the IBM ecosystem. Its user behavior analysis helps us to ensure that our customers are protected. 

Correlation plays a pivotal role in our security strategy. It helps us to analyze logs from different sources. This process helps to correlate logs from endpoints. 

Certain updates—especially when using Azure—don't apply directly. Our engineering team must invest additional effort to implement these updates. However, the tool's cloud-based version poses no issues. However, upgrading the product can sometimes be challenging for on-premises instances.

Our current query language (KQL) serves its purpose, but there's room for improvement. Consider introducing a more human-friendly language to streamline analyst training. Analysts could then express queries in a manner akin to human language. This change would expedite processes, making it easier for new analysts to adapt.

I have been working with the product for five years. 

I rate the tool's scalability an eight to nine out of ten. 

Troubleshooting delays have been a recurring challenge. Occasionally, responses take two to three days, leading to escalations. While their website’s knowledge base is commendable, troubleshooting scenarios demand more time. My observation is that they may be understaffed.

Neutral

My company has customers using Splunk and Chronicle SIEM. When comparing Splunk and IBM Security QRadar, they indeed offer similar features, but their business models differ. Chronicle SIEM predominantly operates in the cloud. However, we cannot offer the cloud model if a customer prefers an on-premises solution.

Splunk and IBM Security QRadar both cater to diverse deployment preferences. Splunk boasts a slightly more robust correlation engine than IBM Security QRadar. Splunk tends to be marginally more expensive than IBM Security QRadar.

The number of log sources significantly impacts deployment complexity. The process becomes more complicated for environments with 50 log sources compared to those with fewer sources (e.g., 20 or 10).

Each log source requires a connection to IBM, a task that can take several days or hours, depending on its complexity.

On average, the entire deployment process spans six to eight weeks.

The tool's on-premise version is expensive. However, it is cheaper than Splunk. The hybrid model offers shared instances for customers, which is not expensive. Customers with a limited budget can opt for it. You can get premium support with licenses. However, if you need customized integration, you need to buy it. 

I rate the overall product an eight out of ten. 

I am a Product Manager. I am managing the inventory and the logs. For R&D purposes, we downloaded various SIEM solutions from the internet to analyze their performance, and QRadar was one of them. I downloaded the Community Edition of QRadar to check its capabilities and see how to integrate various log sources in our network. It is in my lab, and I have tested it with a few hardware devices and a few computers and servers.

What I like the most about it is that you can very easily install and configure it. As compared to other SIEM solutions, for which you need to know and do a lot more to prepare your SIEM environment, QRadar is much simpler to install and configure. There are various options in the Admin console. In the Admin tab, you can design dashboards and view various graphs. It has a lot of attractive features, and you don't need to configure everything on your own.

I have noticed a few things while working on this. After the restart of the server, sometimes, the services misbehave, and you need to manually start or restart the service. I have seen that specifically with the Tomcat service. 

Sometimes, when you click on log sources, instead of opening the log source extension, it redirects you over the internet. 

There are two types of dashboards in QRadar. One is the conventional or old one, and the other one is Pulse. The Pulse dashboard is better, but we would like to have more options in the dashboard.

Additionally, if possible, there should be a single product for SIEM and SOAR. Instead of having QRadar and Resilient separately, there should be a combined solution to benefit from both. Furthermore, there should be a built-in mechanism to configure it in the cluster mode and high availability mode.

I tested this product in the last two, three months. It is not implemented in our company.

Its installation is very simple. You can install it and configure it very easily.

We are looking at implementing a SIEM solution, and currently, we're comparing various commercial and open-source SIEM solutions. We have tested Wazuh, which is an open-source SIEM solution, but we have not finalized anything.

I would rate it a seven out of 10. It is good, but when a product doesn't behave in a good manner, it creates confusion. Its behavior isn't consistent.

• The ability to correlate data across our global enterprise in near real time
• The ability to integrate a lot of third-party solutions
• The machine learning pieces with Watson, indicators of compromise, and utilizing that across the value stream

I look at the solution as the best-of-the-breed product. The fact that it can work with what everybody else is doing in the cyber landscape is really what gives it the edge.

The solution has improved the efficiency of our security team. These improvements prevent the need for more proactive security activities.

The improvements did not reduce our staff. It's funny, because IBM keeps on having this conversation about staff headcount. It probably sounds good to senior leadership, like to a CIO. The reality is that nobody's looking to decrease the number of staff who they are hiring.

We're looking at refocusing those resources and energy on being able to do additional, higher-value activities. It's more of the case that I don't need as many junior resources. I can focus on some of the things that are a little bit more important.

Our equipment collects billions of pieces of data. We're 100,000-plus EPS per second. The daily list of required investigations for the offenses is manageable.

We've had incidents in our environment. How long it takes QRadar to detect them is always a function of the rules being correlated, the people watching them, and pieces of that nature. I'd say it's in real time. The question is, when it comes to tuning, we want to know if it was tuned appropriately, so it's not lost in the pile of needles.

Room for improvement is more in relation to a lot of the features, the automation of incidents themselves, and being able to automate workflow responses.

Overall, I love the product. IBM usually puts good resources and talent behind things. What they fail to do is to bring all the security together and make sure everything inter-operates and creates one pane of glass.

Actually, I don’t want to say "one pane of glass" because we have seen other vendors do that. They fail miserably because they do not understand where people are coming from.

In terms of some of the right-click functionality that is within QRadar, it should work automatically for all the other IBM products. It shouldn't be something that customers develop. There are pieces in which they have to step back and get some of the foundational pieces.

There are pieces that I feel that IBM should do better. They own Guardium, they own AppScan, and they own some of these other pieces of the security infrastructure that need to relate to QRadar or to Watson. It's the foundational pieces that I feel they need some focus on.

Let's do some of the basics really well. I'm looking at it from owning 50 or 60 different security products across a global organization.

They keep on adding products based on a simple feature set that they can do real well, but they can't integrate them into the rest of the security economy. It doesn't make sense to keep on buying products like that. Whether it's IBM or others, there are companies in the endpoint space that are taking over because they're saying, "Hey, we're going to do everything across your gamut of security needs."

IBM needs to look at that and how they are going to integrate across all of the security products and have them work together.

We have been using this solution for four years.

The stability is good.

The scalability is great.

We don't really use technical support. We're part of some of the engineering and development behind it and we work with a lot of the backend engineers.

Once in a while, we may put something in PMR but most of the time, we are working with the engineers themselves to figure out a solution. They are not really tech support issues.

We have used other solutions, but that was years ago. We've had QRadar for four years. Before that, it was the Symantec solution. The landscape for SIEM has changed progressively over the years.

You're not even talking about the same set of requirements around those things. We just needed to upgrade. We needed the speed, the flexibility, and we needed the correlation building block pieces of it.

I was involved in the initial setup. We are an advanced user of QRadar. While the initial setup was not hard for us, it is a lot more complex where we are right now. It works with integrating some of other IBM products into QRadar, and there's work that needs to be done there to make it seamless.

We were able to be operational in a matter of weeks or months, which is not a long time.

When picking a vendor, the most important thing is partnership.

I honestly have nothing but good things to say about the IBM relationship that we have related to QRadar.

Partnership is going be important. Having the right skillset from an engineering standpoint is important to ensure that you don't set up things backwards. You have a high probability of doing it. This is one of those pieces where IBM doesn't “dummify” the solution for you.

On one side for my senior engineers, they don't want it “dummified” because they need to do it. On the other side of it, there are some aspects that don’t need to be this complex.

For the SMB market, those are some of the areas where I counsel people and say they need to get these types of solutions and do these types of processes. Selling something like QRadar to them becomes a little bit more of a burden because of that complexity. It's like a compliance check mark.

The most valuable features are its ease of use and that it provides good return on investments. It's the best solution out there, in my opinion.

It brings down the time for our incident handlers to find incidents within our environment, to track down new threats and to keep them gainfully employed, by finding the new problems that we see.

I'm not really sure in regards to any additional features, because everything I've seen on the roadmap looks good. So, I'm pretty happy with that.

There is always scope for improvement. The QRadar WinCollect feature needs to be improved. The Windows Log collection is sort of problematic and needs to work better.

A little bit more improvement needs to be brought about in the Watson integration and I still need to see how that works. A little more improvement can be brought about in the User Behavior Analytics and Network Analytics. That would be great.

We've had no issues with its stability or scalability.

The technical support is very good. After the Q1 Labs integration into IBM, they kept the same people. I'm a long-time user and I keep talking to the same people year after year.

It's worth the cost. There are a lot of other options out there that are way more expensive, and that may be better in certain areas, but in my opinion, the overall best solution is QRadar.

First, make sure that it's sized right and read all the manuals, before you do it.

Interoperability with other products is what I look for in a vendor. An open API is the big thing. I want be able to make sure that if I buy something, it will be able to talk with other products. I won't need to keep going down the same path, i.e., if I buy company X, I have to buy company X products all the way; otherwise, they won't talk to each other. Being able to talk with other products really makes a difference.

The tool helps with infrastructure, application, and network monitoring. 

There are areas in IBM Security QRadar that could benefit from improvement. Its ability to customize knowledge for specific purposes could be enhanced. Also, it lacks clarity in presenting details. It is also difficult to see the reports. 

I have been using the product for a year. 

The tool's technical support is good. 

Neutral

Implementing IBM Security QRadar is not overly complex. 

The product is expensive. We have purchased the perpetual license, but we pay for the support. 

I rate the tool a seven out of ten. It is a tough product. 

I use IBM Security QRadar in my company for authentication of users and to block the access of a user to the internet. In my company, we have only used the basic version of the solution, and currently, we don't have a license for the product since we didn't renew it. The basic version of the solution fits my company's basic requirements.

IBM Security QRadar is not hard to implement and administrate. To serve new use cases or do the tuning and allow correlation rules, you may need training since it is necessary to know the solution. With IBM solutions, you need training to know how to use the different features of the solution. IBM needs to provide training to its users to teach them how to use the case manager and how to tune rules.

I have been using IBM Security QRadar since 2020, so I have experience with it for three years. I am a customer of IBM.

It is a scalable solution.

With IBM Security QRadar, my company faced issues with the support we received for the product. Basically, my company faced problems due to the delays or mistakes made by IBM's support team.

I rate the technical support a six out of ten.

Neutral

The solution is deployed on an on-premises model.

For the product's implementation, my company took two months. To implement all log sources, my company took somewhere between three to five months.

IBM Security QRadar is a very expensive tool.

In the future, my company would want the cloud version of the solution and not its on-prem version.

I rate the overall tool a seven out of ten.