The most valuable feature of this product is the nice UI. It is easy and quick to get the information you're looking for.
Information Security Analyst at Allegiance Air
The UI is the most valuable feature, and the product is stable.
What is most valuable?
How has it helped my organization?
The benefits are that it's easy to navigate the UI and to get the information as quickly as possible. We're able to resolve problems quicker, so that we get to the solution in an easier manner.
What needs improvement?
It would probably be better to get more access to the APIs.
What do I think about the stability of the solution?
The product is very stable. I don't have any issues with stability at all.
Buyer's Guide
IBM Security QRadar
January 2025
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,158 professionals have used our research since 2012.
What do I think about the scalability of the solution?
Scalability is nice, as well. We have a distributed environment and it's real easy to both manage and upgrade. Anything we need to do, we can do it from the console.
How are customer service and support?
On a scale of 1-10, probably seven; I would rate the technical support team a 7/10.
Which solution did I use previously and why did I switch?
We were previously using a different solution that just wasn't getting the job done. It was taking too long to get where we needed to get to.
How was the initial setup?
The setup was very straightforward. The special services team gave us insight and helped out to resolve any issues.
Which other solutions did I evaluate?
QRadar was at the top of our list. We also looked at other solutions such as HPE ArcSight and Splunk. The reason we went with QRadar is because we could bring it on-prem, which made it nice, and we also use other IBM products as well.
In general, when selecting a vendor, support is probably going to be the number one criteria. Then, the second criteria is the availability of the product; the product is not very good if it's not available, it's broken, etc.
What other advice do I have?
Make sure you try them all and then, pick the one that you think would work the best. It's nice to value other people's opinions, but it's better to test all the products and choose what you think would be best, for whatever your need is.
It's very easy and intuitive. It's just a good overall solution, compared to the other ones I've used.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head of Cybersecurity at a computer software company with 51-200 employees
A highly scalable and stable tool with a responsive support team
Pros and Cons
- "Stability-wise, I rate the solution a ten out of ten."
- "The price of IBM Security QRadar is an area of concern where improvements are required."
What is our primary use case?
I use IBM Security QRadar in my company as it provides features like SIEM, SOAR, and QNI.
What is most valuable?
The most valuable feature of IBM Security QRadar stems from the fact that it is a product that is like a complete suite.
What needs improvement?
The price of IBM Security QRadar is an area of concern where improvements are required. IBM is never known to provide products at a cheap price.
IBM Security QRadar's UI is an area with certain shortcomings where improvements are needed.
In the future, I would like IBM Security QRadar to have a library of adapters or APIs.
The area around recovery time is an aspect of IBM's technical support where improvements are required.
For how long have I used the solution?
I have been using IBM Security QRadar for more than a year. I use the solution's latest version. My company is in the process of being declared as a golden partner of IBM.
What do I think about the stability of the solution?
It is a stable solution. Stability-wise, I rate the solution a ten out of ten.
What do I think about the scalability of the solution?
It is a scalable solution. Scalability-wise, I rate the solution a ten out of ten.
My company currently deals with around four to five organizations comprising medium to large companies where IBM Security QRadar is used.
How are customer service and support?
The solution's technical support is responsive. The only area where I don't agree with IBM Security QRadar's technical support stems from the lack of proper or defined recovery time, even though their response time is good.
I rate the technical support a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have experience with Splunk. My company deals with Splunk since we had no choice owing to the fact that one or two customers wanted it.
In the past, I was using open-source products, including solutions like Elastic Security and Wazuh.
My company decided to switch from Wazuh to IBM Security QRadar.
How was the initial setup?
The product's deployment phase can be described as an average one.
I rate the deployment process of IBM Security QRadar a seven on a scale of one to ten, where one is difficult, and ten is easy.
The solution is deployed on an on-premises model.
What's my experience with pricing, setup cost, and licensing?
On a scale of one to ten, I rate the price a one, where one is an extremely expensive product, and ten is a cheap product. IBM Security QRadar is an expensive product. A customer gets discounts only when they ask for them from IBM.
The challenge is that if someone submits a request or proposal and finds that the prices of the products our company deals with are too high, we may not even be shortlisted for negotiations. If my company gets shortlisted for the next round, then we get questioned over the high prices.
What other advice do I have?
My company takes care of the maintenance part of the solution for our clients who use IBM Security QRadar in their environments. Nine engineers and one manager take care of the maintenance process of IBM Security QRadar. My company has a lot of certified employees to take care of IBM Security QRadar's maintenance. My company can be considered a powerhouse when it comes to products from IBM.
I recommend the solution to those who plan to use it.
Splunk and IBM are leaders as per Gartner Magic Quadrant. I believe that IBM Security QRadar should be fairly priced for SMEs.
I rate the overall tool an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
Cyber Security Specialist at a tech vendor with 10,001+ employees
Good dashboard and helpful third-party plugins but technical support could be better
Pros and Cons
- "There are other third-party plugins that we can use."
- "The AQL queries could be better."
What is most valuable?
There is a Pulse dashboard that they have. From a reporting perspective, we'll be creating dashboards based on the pulse functionalities.
There are other third-party plugins that we can use as well. We can initiate in the QRadar platform, however, Pulse is one of the most user-friendly options.
Along with that, there are out-of-the-box rules and out-of-the-box dashboards that we have available to us. Mostly what we are concentrating on is creating the rules and fine-tuning the rules to align properly with the customer infrastructure depending upon the customer's requirements. Pulse, UEBA, and NBAD are the features that are the best. They are the most useful from a SOC manager perspective.
What needs improvement?
The AQL queries could be better. With the queries, there's an option for you to create dashboards based on the queries that they have. The documentation that is available for AQL queries is not well received. They could maybe look at how Microsoft is leveraging AQLs from a Sentinel perspective and create more documentation and training materials and make those more available to the general public.
They have to facilitate more learning opportunities. Microsoft has something called Playground where you have some sample logs and where you can learn how to work on all this stuff, however, there is nothing like that for IBM. They really could make it more generalized and accessible to the general analyst population.
Technical support should be improved.
For how long have I used the solution?
In terms of QRadar, I've used it for close to two years. I worked for a customer that is a managed security service provider. What we do is we will provide SOC as a service and QRadar. IBM is one of the partners that we have. Depending upon the customer considerations and customer preferences, we will either engage QRadar or Sentinel according to the customer preferences. Splunk and LogRhythm we also use on an as-needed basis.
What do I think about the stability of the solution?
What they have claimed is 99.5% uptime. However, I'm not very sure whether there's an implementation problem or not. Sometimes the system gets hung and then we have to restart everything from scratch. You have got these multi printing options, though not functionally. Sometimes it gets some jitters there. Sometimes there are cases where we are finding it very difficult to get into the system as there can be three or four people logging into the same platform at the same time and sometimes that reduces the speed a lot.
What do I think about the scalability of the solution?
From an architect implementation perspective, the role that I have played is very limited. I'm not very sure about scaling. I'm not in a position to comment on that part. That said, once everything is implemented, I've noted that it's not as scalable as Sentinel or Splunk on the cloud, for sure. That is the same for LogRhythm and QRadar. Obviously, cloud-hosted applications will be more scalable and more resilient.
How are customer service and support?
Technical support is something that has always been an issue for us. We have to raise a ticket and the products team will be available, however, depending upon the criticality, sometimes the support is not very easily accessible on weekends and on Friday evenings.
Which solution did I use previously and why did I switch?
I've also worked with Sentinel, Splunk, QRadar, and LogRhythm.
How was the initial setup?
Compared to Sentinel, the initial setup is a bit complex. Depending upon whether you're going ahead with the cloud version or on-prem version, there is human involvement, however, normally everything is done by the platform engineer. I don't have to get my head into that part. Once everything is up and running, that is when we have to start working from our side. I'm sure it is more complex than a plug-and-play Sentinel, where connectors are easily available and just have to click, click and get things done.
The administration and maintenance would be two or three people depending upon the availability. I'm not very sure about troubleshooting. I'm coming at the solution from a user perspective. I'm more concerned with the rule fine-tuning and rule-building part. That kind of troubleshooting will be done with the platform team, which specializes in that.
What's my experience with pricing, setup cost, and licensing?
Licensing is mostly dependent on the EPS, events per second. Depending upon the number of products that are integrated with the platform, we have to come to an optimal EPS value. I'm not very sure about the financials, however, the licensing cost cannot be as much as that for Sentinel, which is not very low. For customers who need medium EPS values, we advise QRadar.
The basic out-of-the-box cost covers the EPS value that you have specified, and then some archiving maybe. It should include at least six months of archiving and other functionalities. Most of the customers will go for the standard package and we don't have to go for extra archival or enhanced DPS. 10% to 15% of DPS can always be increased. It will not completely shut down the system, however, it'll start sending us notifications that the DPS is getting increased and then we can go for a higher licensing.
What other advice do I have?
The version we use depends on when the customer is onboarded. Whenever recent onboarding takes place, we use the most up-to-date versions. However, there are customers that we have been facilitating for the past two or two and a half years and they might be using the previous versions. There are proper version upgrades that happen on a quarterly basis.
I'd rate the solution seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Senior Security Engineer at a consumer goods company with 1,001-5,000 employees
It helps our incident handlers find incidents within our environment and track down new threats.
What is most valuable?
The most valuable features are its ease of use and that it provides good return on investments. It's the best solution out there, in my opinion.
How has it helped my organization?
It brings down the time for our incident handlers to find incidents within our environment, to track down new threats and to keep them gainfully employed, by finding the new problems that we see.
What needs improvement?
I'm not really sure in regards to any additional features, because everything I've seen on the roadmap looks good. So, I'm pretty happy with that.
There is always scope for improvement. The QRadar WinCollect feature needs to be improved. The Windows Log collection is sort of problematic and needs to work better.
A little bit more improvement needs to be brought about in the Watson integration and I still need to see how that works. A little more improvement can be brought about in the User Behavior Analytics and Network Analytics. That would be great.
What do I think about the stability of the solution?
We've had no issues with its stability or scalability.
How is customer service and technical support?
The technical support is very good. After the Q1 Labs integration into IBM, they kept the same people. I'm a long-time user and I keep talking to the same people year after year.
What's my experience with pricing, setup cost, and licensing?
It's worth the cost. There are a lot of other options out there that are way more expensive, and that may be better in certain areas, but in my opinion, the overall best solution is QRadar.
What other advice do I have?
First, make sure that it's sized right and read all the manuals, before you do it.
Interoperability with other products is what I look for in a vendor. An open API is the big thing. I want to be able to make sure that if I buy something, it will be able to talk with other products. I won't need to keep going down the same path, i.e., if I buy company X, I have to buy company X products all the way; otherwise, they won't talk to each other. Being able to talk with other products really makes a difference.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Solutions Product Manager at a computer software company with 11-50 employees
It is very easy to install and configure, but after restarting the server, you need to manually start some of the services
Pros and Cons
- "What I like the most about it is that you can very easily install and configure it. As compared to other SIEM solutions, for which you need to know and do a lot more to prepare your SIEM environment, QRadar is much simpler to install and configure. There are various options in the Admin console. In the Admin tab, you can design dashboards and view various graphs. It has a lot of attractive features, and you don't need to configure everything on your own."
- "I have noticed a few things while working on this. After the restart of the server, sometimes, the services misbehave, and you need to manually start or restart the service. I have seen that specifically with the Tomcat service. Sometimes, when you click on log sources, instead of opening the log source extension, it redirects you over the internet."
What is our primary use case?
I am a Product Manager. I am managing the inventory and the logs. For R&D purposes, we downloaded various SIEM solutions from the internet to analyze their performance, and QRadar was one of them. I downloaded the Community Edition of QRadar to check its capabilities and see how to integrate various log sources in our network. It is in my lab, and I have tested it with a few hardware devices and a few computers and servers.
What is most valuable?
What I like the most about it is that you can very easily install and configure it. As compared to other SIEM solutions, for which you need to know and do a lot more to prepare your SIEM environment, QRadar is much simpler to install and configure. There are various options in the Admin console. In the Admin tab, you can design dashboards and view various graphs. It has a lot of attractive features, and you don't need to configure everything on your own.
What needs improvement?
I have noticed a few things while working on this. After the restart of the server, sometimes, the services misbehave, and you need to manually start or restart the service. I have seen that specifically with the Tomcat service.
Sometimes, when you click on log sources, instead of opening the log source extension, it redirects you over the internet.
There are two types of dashboards in QRadar. One is the conventional or old one, and the other one is Pulse. The Pulse dashboard is better, but we would like to have more options in the dashboard.
Additionally, if possible, there should be a single product for SIEM and SOAR. Instead of having QRadar and Resilient separately, there should be a combined solution to benefit from both. Furthermore, there should be a built-in mechanism to configure it in the cluster mode and high availability mode.
For how long have I used the solution?
I tested this product in the last two, three months. It is not implemented in our company.
How was the initial setup?
Its installation is very simple. You can install it and configure it very easily.
Which other solutions did I evaluate?
We are looking at implementing a SIEM solution, and currently, we're comparing various commercial and open-source SIEM solutions. We have tested Wazuh, which is an open-source SIEM solution, but we have not finalized anything.
What other advice do I have?
I would rate it a seven out of 10. It is good, but when a product doesn't behave in a good manner, it creates confusion. Its behavior isn't consistent.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head of IT Security, Governance and Compliance at a consumer goods company with 10,001+ employees
Easy to use, provides environment visibility, and assists with incident discovery in advance of problems to the business
Pros and Cons
- "This is a good tool to have because it gives you the ability to track what is currently happening in your environment."
- "The modularity could be improved."
What is our primary use case?
We are using QRadar as a managed service.
How has it helped my organization?
This product helps us to find security incidents before they become a problem to the business. We are able to attend to them quicker and we can put protection in place so that should they occur again, we are able to deal with them more easily.
What is most valuable?
The most valuable feature is the ease of use.
What needs improvement?
The modularity could be improved.
For how long have I used the solution?
We have been using IBM QRadar for three years.
What do I think about the stability of the solution?
This is a very stable product.
What do I think about the scalability of the solution?
We have had no issues with scalability and we have approximately 1,500 users. We are not using its full capabilities at the moment because we are still growing. In the next year or two, we will see.
How are customer service and technical support?
I don't deal with IBM directly. Rather, I deal with our service provider and they deal with IBM.
How was the initial setup?
The initial setup was very easy for us because we just bought what we were looking for, and not the entire infrastructure.
What about the implementation team?
The company that we subscribe to for this service takes care of the installation, maintenance, and management of it. They give us updates that concern the features we use, so the maintenance doesn't affect us much.
What's my experience with pricing, setup cost, and licensing?
We use QRadar as a managed service and we pay licensing fees to the partner.
What other advice do I have?
This is a good tool to have because it gives you the ability to track what is currently happening in your environment. Otherwise, if you did not have that, you'd only react to an event or an incident that has already caused problems. The proactiveness goes a long way because it saves your environment and your business from being negatively affected.
In summary, this is a good product but there is always room for improvement.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Security Analyst at a manufacturing company with 10,001+ employees
Helps us monitor and generate statistics that help to illustrate what is going on in the company
Pros and Cons
- "I have found its network traffic log, network bit log, and QBI most valuable."
- "We need more features in order to create rules to detect or to meet some requirements for other areas, for example, catching the event from other authentication tools."
What is our primary use case?
We have a lot of use cases with IBM QRadar, but our primary use is for monitoring traffic and detecting tricks.
How has it helped my organization?
In terms of how IBM QRadar has improved our company, on peak days it helps us monitor and generate statistics that help to illustrate what is going on in the company. For example, SMB detects ransomware and invalid log-on. If a user is located in the United States, or we expect a login in Russia, or Ukraine, or Kenya, it is very important for us because we can detect what application they are using there, or if a hacker is trying to log in by mobile or another device.
What is most valuable?
I have found its network traffic log, network bit log, and QBI most valuable.
We have a lot of domain controllers in QRadar tracking all the security. It is also useful for identity management.
What needs improvement?
In terms of where it could be improved, this includes its forensics, incident response, and security operation center features. Additionally, some also struggle with the rules. We need more features in order to create rules to detect or to meet some requirements for other areas, such as catching the event from other authentication tools, like in Okta, for example.
In some cases, I have issues because some tools are not integrated in QRadar, such as other tools similar to DLP (Data Loss Prevention). We need to create all the integrations manually because they are not integrated in QRadar. We have a problem, for example, because they have Symantec DLP integrated in QRadar, however, it is not working because it's not detected automatically. It is not converting all the columns, but we do have the option to create manually. This is not difficult because it's very clear in the procedures.
For how long have I used the solution?
I have been using IBM QRadar for seven years.
What do I think about the stability of the solution?
QRadar's stability is great because it is always live and is always catching and monitoring all the information that we need. When we need information, it is here in QRadar.
In terms of maintenance of QRadar, my internet is secured by IBM.
What do I think about the scalability of the solution?
For me, the scalability is good.
At the moment, we have no more than 15 people working on QRadar. This includes analysts, forensics, internet response, and active directory.
How are customer service and technical support?
Tech support is good. Additionally, I can find all the information at IBM.
How was the initial setup?
In some cases, the system or the hardware do not meet the requirements to install one flow collector. Or the menu is not displayed. The menu has 10 options. If the CPU and memory are not enough, the menu shows only five or six options. But this information is not mentioned in the installation process. But it is not complex because the installation is very clear as long as we are meeting all the requirements for the CPU, memory, or the space.
The solution takes maybe four months because we have a lot of integrations.
What other advice do I have?
I would absolutely recommend QRadar because it has a lot of options to improve or detect some information.
On a scale of one to ten, I would give QRadar a 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Works at a healthcare company with 5,001-10,000 employees
Good visibility of network and endpoints, correlate events to specific point-in-time
Pros and Cons
- "The ability to transition from microscopic to macroscopic view, instantly, is very good."
- "I would like to see a better GUI."
What is our primary use case?
Our primary use case is intrusion prevention and detection. We also use this solution for compliance and assisting in network troubleshooting for IT.
How has it helped my organization?
This has been indispensable in detecting intrusion attempts and many forms of malicious activity.
What is most valuable?
This solution provides amazing visibility into the network and endpoints. The ability to correlate point in time and things happening over time is priceless in today's threat environment.
The rules can look for things both from log sources and from data traversing your network which is unique in the SIEM world and makes QRadar a consistent magic quadrant leader.
The QNI file hash in-flight search is helpful.
The ability to transition from microscopic to macroscopic view, instantly, is very good.
What needs improvement?
I would still like to see a better GUI. Improvements have been made but there is still a way to go.
There are petty annoyances like clicking out of a rule setup and instead of going back to search results in the rules, with the rule you selected still highlighted, you get the whole list without your search. Start again. In the new log source management app, if you have a large number of log sources, typing a name to filter them by is Java Hell; the high overhead of JIT compiled code means that even two-fingered carpal tunnel afflicted users can outpace the type-ahead buffer, leaving random intermediate characters on the floor. Needless to say, that makes managing log sources sometimes annoying. You can always cut and paste to go around this, but hey, for 5 or 6 figures in hardware and software, it ought to keep up with my typing.
But to be fair, these kinds of things are dwarfed by its awesome ability to ingest and correlate tortured use cases of mind-boggling complexity, which is what you REALLY need your SIEM to do. That, QRadar does better than anyone else.
For how long have I used the solution?
I have been using IBM QRadar for more about five years.
What do I think about the scalability of the solution?
Scalability is very good.
What's my experience with pricing, setup cost, and licensing?
This is not a trivial undertaking. You will need at least one experienced user and considerable infrastructure to support this if you use the on-prem version which we did. The cloud version has less overhead but there are some limitations so choose carefully.
Which other solutions did I evaluate?
Other solutions were investigated but none came close to QRadar's capability.
What other advice do I have?
If you absolutely positively have to catch the bad guys, and you have a heterogeneous environment, QRadar is a great choice.
Disclosure: I am a real user, and this review is based on my own experience and opinions.