IT Specialist at IT Specialist LLC
Reseller
Top 20
Easy to deploy, and scalable, but the stability has room for improvement
Pros and Cons
  • "The playbook engine is flexible and allows for the graphical visualization of processes, enabling the implementation of dynamic playbooks for incident response or testing."
  • "The solution is difficult to understand in the beginning and has complex management configurations that can be improved."

What is our primary use case?

Our clients who are implementing or trying to implement a Security Operations Center use the IBM QRadar SIEM solution. This solution helps automate incident processing and provides visibility into the incident management process.

What is most valuable?

The playbook engine is flexible and allows for the graphical visualization of processes, enabling the implementation of dynamic playbooks for incident response or testing.

The integration of our customer's infrastructure with other security management systems, such as Active Directory, firewalls, and vulnerability management systems, is effective.

What needs improvement?

The solution is difficult to understand in the beginning and has complex management configurations that can be improved.

The stability has room for improvement.

The cost has room for improvement.

For how long have I used the solution?

I have been using the solution for two years.

Buyer's Guide
IBM Security QRadar
January 2025
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,158 professionals have used our research since 2012.

What do I think about the stability of the solution?

I give the stability a seven out of ten. There is sometimes unexpected behavior within the logic of the playbook engine and features.

What do I think about the scalability of the solution?

I give the scalability an eight out of ten.

How are customer service and support?

We have had issues that were not resolved by technical support.

How would you rate customer service and support?

Neutral

How was the initial setup?

For the most part, the initial setup is straightforward and I give it a seven out of ten. The initial deployment and configuration require one month, followed by an additional 11 months of implementing various use cases and processes that need to be automated.

What's my experience with pricing, setup cost, and licensing?

I give the price of the solution a four out of ten. The solution comes with a high price tag, while some of the competitors provide identical functionality in their offerings at no extra cost.

What other advice do I have?

I give the solution a seven out of ten.

We have around 20 users.

The solution is of good quality and can be implemented successfully. However, in order to fully utilize its benefits, one must possess expertise in Python programming.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
Du Hoac Kim - PeerSpot reviewer
Deputy Manager at sacombank
Real User
Straightforward and basic deployment, with reliable features, and genuine satisfaction
Pros and Cons
  • "The most valuable feature currently is security behaviors and the PDF files."
  • "I would like to see more integration in place after the security lock."

What is most valuable?

The most valuable features currently are the security behaviors and PDF files.

What needs improvement?

I would like to see more integration in place after the security lock.

For how long have I used the solution?

I have been using IBM QRadar User Behavior Analytics for a couple of years now.

What do I think about the stability of the solution?

The product is very stable.

How was the initial setup?

The initial setup was straightforward and took three to four months to deploy.

What about the implementation team?

We used a vendor team to assist us in the process of deployment.

What other advice do I have?

I would rate IBM QRadar User Behavior Analytics an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Cyber Security Consultant at raf
Real User
Good monitoring functionality that helps us to identify threats, but dealing with support is a struggle
Pros and Cons
  • "We can easily monitor many things using this tool."
  • "They need to improve their threat intelligence feed and they need to improve their user behavior analytics modules."

What is our primary use case?

QRadar is our SIEM solution. Our use cases include authentication between logins, database security, monitoring, and user behavior analytics.

How has it helped my organization?

QRadar is helping us to identify ongoing, day-to-day threats. We use it to analyze the risk in our environment, including user behaviors. We can easily monitor many things using this tool.

What is most valuable?

All of the features offered by this product are useful for analysis. Essentially, everything that it offers is critical and we use it.

What needs improvement?

Several things need to be improved.

We have been struggling with the QRadar support team for quite a long time. There are things that they can reproduce in their lab environment and can fix, yet we struggled with them trying to get this done. These issues included things like custom logs. There are many things that they need to improve upon.

This product should support multiple log sources.

They need to improve their threat intelligence feed and they need to improve their user behavior analytics modules.

The risk manager module needs to be improved.

It's not a very user-friendly interface.

For how long have I used the solution?

I have been working with IBM QRadar for seven years.

What do I think about the stability of the solution?

IBM QRadar is quite stable.

What do I think about the scalability of the solution?

We have approximately 50 users and we keep expanding its usage. It is growing on the infrastructure level, as well as the EPS level.

Three or four administrators are all that is required for the maintenance.

I recommend this product for large enterprises.

How are customer service and support?

We have had a lot of trouble with technical support. As of late, they take too long to respond to our issues. For 99% of our issues, they take too long to respond. It's not instant.

Which solution did I use previously and why did I switch?

I do not have any experience with other SIEM solutions. QRadar is the first one for me.

How was the initial setup?

The initial setup is complex because it is not managed properly.

Our implementation strategy is based on it being a distributed environment.

What about the implementation team?

We completed the implementation and deployment ourselves.

Which other solutions did I evaluate?

We did not evaluate other options prior to selecting QRadar.

What other advice do I have?

This is a good product for large enterprises. Smaller companies should implement an open-source solution but for a large enterprise, QRadar is a good product.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Real User
Stable, functional out of the box, and offers good integration capabilities
Pros and Cons
  • "Technical support is good overall."
  • "The reporting system could use some upgrading."

What is our primary use case?

We make some special demos that we sell to our customers. We work as a technical support L1/L2 for our customers in these cases as well.

The solution allows organizations to check people who work from home or in the office. It can help a company understand who is connected from home. 

Sometimes people give a login and password to colleagues. The security can see the situation when someone logs in locally, and they can see a remote connection. They can see this is from the login and password. They'd be able to tell if something was shared and could dig deep to figure out if it is a breach or if it is something that has been properly shared. 

What is most valuable?

The SOAR features are very good.

The product is able to handle special requests.

It can effectively search local files.

We are able to deploy in two or more different locations.

The solution is functional right out of the box and it's a pretty simple system with different kinds of solutions that address different types of problems. 

The initial setup is pretty straightforward.  

The solution is stable.

The product can scale.

Technical support is good overall.

QRadar has a lot of integration capabilities with different security products.

If we talk about functionality in general for SIEM systems, it's good.

What needs improvement?

In terms of the government sector, sometimes they do not have enough money to buy a full SIEM. That's why they ask about some parts of the SIEM system or core. It can be expensive.

It would be ideal if they offered a barebone setup alongside an appliance. It's very interesting for different kinds of customers. Most of them prefer the core appliance, yet some of them prefer barebone.

It would be ideal if the solution offered new connectors to other systems.

The reporting system could use some upgrading.

For how long have I used the solution?

We've been using the solution for at least the last 12 months or so.

What do I think about the stability of the solution?

The stability is good. There are no bugs or glitches. It doesn't crash or freeze.

What do I think about the scalability of the solution?

The scalability of the product is very good. Sometimes we get requests for specific functionality and usually, we can accommodate that.

How are customer service and technical support?

Generally, we are happy with technical support. They are helpful and responsive.

How was the initial setup?

The initial setup is very simple for our customers due to the fact that the first step is a demo for a customer. We need about 5 to 15 working days to make this demo. We talk about making a core system. It's not difficult to make over the QRadar SIEM. After that, if the customer needs some special function for, for example, different parts of the organization, we can propose some separate parts of SIEM. That's about two or eight weeks away.

In general, for a SIEM project, you are looking at a deployment time of about two to eight months.

What about the implementation team?

As integrators, we can help advise clients and assist in the deployment process.

What's my experience with pricing, setup cost, and licensing?

IBM QRadar has an interesting scheme for payments. They have annual payments for customers who use subscriptions for some services. I can't see any problem with the current financial scheme for this product generally. It's okay.

What other advice do I have?

We are implementors. Our customers are the ones that use IBM QRadar.

We are an IBM partner.

We strongly recommend that our customers use the latest version of QRadar. It's important for security. We tend to use the latest in general.

Our customer is a government organization, including some ministries. Therefore, they use on-premise deployments only. However, they have some plans for hybrid clouds or private clouds in the next three or four years. That said, it's very hard to say exactly as the work at the ministry is about security. On-premise is deemed to be more secure.

I'd rate the solution at a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
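The shared-credential scenario described in the review above (the same account seen in a local logon and a remote connection at nearly the same time), as an added example that is not part of the original review and not QRadar's own rule language: a small Python detector run over constructed, simplified authentication records. The users, hosts, addresses and the 30-minute window are all assumptions made up for the example.

```python
"""Flag one account used both on-site and over VPN within a short window.

Added example, not QRadar code: the records are hypothetical key=value
authentication events of the kind a SIEM normalises from workstation
logons and a VPN concentrator.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical users, hosts and addresses).
# alice: local and VPN logon 3.5 minutes apart -> worth a look.
# bob:   local and VPN logon hours apart        -> ordinary commute pattern.
# carol: VPN only                               -> nothing to compare against.
SAMPLE_LOGS = """\
ts=2024-03-04T08:02:10 user=alice type=local src=10.0.5.21 host=WS-0421
ts=2024-03-04T08:05:44 user=alice type=vpn src=203.0.113.9 host=VPN-GW1
ts=2024-03-04T08:30:00 user=bob type=local src=10.0.5.30 host=WS-0530
ts=2024-03-04T12:45:00 user=bob type=vpn src=198.51.100.7 host=VPN-GW1
ts=2024-03-04T09:00:00 user=carol type=vpn src=198.51.100.20 host=VPN-GW1
ts=2024-03-04T09:01:00 user=carol type=vpn src=198.51.100.20 host=VPN-GW1
"""


def parse_event(line):
    """Turn one 'k=v k=v ...' record into a dict; 'ts' becomes a datetime."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def find_shared_credential_candidates(events, window_minutes=30):
    """Return (user, local_event, vpn_event) triples where the same account
    has an on-site logon and a VPN logon within `window_minutes` of each other.

    A hit is a lead for an analyst, not a verdict: it may be a shared password
    or an account used by someone other than the person at the desk, or a
    legitimate, documented hand-over that the team can close as benign.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(lambda: {"local": [], "vpn": []})
    for ev in events:
        if ev["type"] in ("local", "vpn"):
            by_user[ev["user"]][ev["type"]].append(ev)

    hits = []
    for user, buckets in by_user.items():
        for loc in buckets["local"]:
            for rem in buckets["vpn"]:
                if abs(loc["ts"] - rem["ts"]) <= window:
                    hits.append((user, loc, rem))
    return hits


def summarise(hits):
    """Render hits as one analyst-readable line each."""
    return [
        f"{user}: local from {loc['src']} ({loc['host']}) at {loc['ts'].time()} "
        f"and VPN from {rem['src']} at {rem['ts'].time()}"
        for user, loc, rem in hits
    ]


if __name__ == "__main__":
    for line in summarise(find_shared_credential_candidates(parse_log(SAMPLE_LOGS))):
        print(line)
```

Widening the window (for example to five hours) also surfaces bob's commute pattern, which is why the window is a tuning decision for the team rather than a fixed constant.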
QRadar677 - PeerSpot reviewer
IT Security Manager at an energy/utilities company with 10,001+ employees
Real User
Analytics and reporting of user behavior helps to find anomalies and suspicious events
Pros and Cons
  • "This solution provides me with various alarms, and I have found security issues with some of my other products."
  • "There is a lot of manual configuration required in order for the product to run smoothly, and I think that it could be made more automatic."

What is our primary use case?

Our primary use for this solution is to collect and correlate our logs. We also create appropriate alarms based on the contents of the logs.

How has it helped my organization?

This solution provides me with various alarms, and I have found security issues with some of my other products. We also have some special correlation rules that give me information about mail servers, websites, and other user behavior.

What is most valuable?

The most valuable feature is user-behavior analytics, where it will create logs based on the users' behavior and report suspicious events or other anomalies. I am working with the data analytics so it is a very good one for what I am doing. 

What needs improvement?

There is a lot of manual configuration required in order for the product to run smoothly, and I think that it could be made more automatic. There is no need for so much manual configuration. For example, it should be able to automatically create at least some of the rules that are suitable for our environment.

The solution has a good user interface, but it could be further developed. I have used other products that are more user-friendly. I would rate the user interface a six out of ten.

For how long have I used the solution?

Between three and five years.

What do I think about the stability of the solution?

We have not experienced any bugs or vulnerabilities, so the stability seems to be fine.

What do I think about the scalability of the solution?

The scalability seems great.

We have five hundred people in our company. All of them are end-users, except for myself and one of my colleagues who are administrators. We have more than one hundred assets, such as databases, that are monitored by this solution.

How are customer service and technical support?

I have never used technical support for this solution.

How was the initial setup?

The initial setup for this solution is very easy. It is an image file, and we haven't had any difficulties in the setup. After installation, there are many things to do. Again, the difficult part is the configuration of the product.

The installation period was very short, at perhaps one or two weeks. The configuration takes six months or more.

What about the implementation team?

We have a technology company, and we are working with them for deployment and maintenance. They spend one or two hours per week maintaining this solution.

What was our ROI?

We have not calculated ROI.

Which other solutions did I evaluate?

I am familiar with products from other vendors, such as McAfee. We specifically evaluated Splunk, which is a good solution but there is no local partner in Turkey for support. Having a local partner is very important to us.

We chose this solution because we have a good relationship with IBM, and they are able to provide us with local support.

What other advice do I have?

There are many good products and solutions on the market, but for implementation and maintenance, I can say that the most important thing is local support.

We do not have any issues with this product, and we have seen the benefits of it. It is easily configured and installed, and we have a local team to support it. It does have issues in terms of user experience, however.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Vulnerability Manager at a tech services company with 51-200 employees
Reseller
Scanning by the Vulnerability Manager and alert-generation are key features for us
Pros and Cons
  • "The most valuable feature is the QRadar Vulnerability Manager which provides vulnerability scans. In addition, I like the way QRadar generates alerts."
  • "It would be good if the program allowed certain profiles to only see certain customer information."

What is our primary use case?

Our primary use case is to get logs mainly from firewalls, although you can also get logs from anything that can forward syslogs. We use it to sort events.

How has it helped my organization?

Instead of logging in to multiple devices and checking the logs, QRadar gives us one centralized point for comparing data against each other and rules to make sure that you don't miss anything. It tells you where all the detections happened. It provides easier access and we pick up things way quicker than in the past.

What is most valuable?

The most valuable feature is the QRadar Vulnerability Manager which provides vulnerability scans. In addition, I like the way QRadar generates alerts.

What needs improvement?

It would be good if the program allowed certain profiles to only see certain customer information.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

If you're running the latest version under recommended specifications, it is very stable thus far.

What do I think about the scalability of the solution?

It's scalable.

How are customer service and technical support?

The technical support has definitely improved. In 2016-17 it took me about ten hours to get a reply from IBM. It now takes an hour to two hours for them to reply to me.

Which solution did I use previously and why did I switch?

We went with QRadar because it's a more well-known product. I was only using the AlienVault Community Edition, a free version. It wasn't a fully-paid version I was using at the time. IBM QRadar was just the product the company was using.

How was the initial setup?

The setup is straightforward. The last one I did took me about three days. It only takes half an hour to set up QRadar, but getting the other systems to talk with QRadar, to forward syslogs, is what took the additional time, because I didn't have all the login information. If you've got all the relevant information, it shouldn't take you more than a day to set it up.

What's my experience with pricing, setup cost, and licensing?

QRadar is quite expensive. It wouldn't be worth it for a small business unless, through a third-party company, they used it in a software-as-a-service type of arrangement, rather than buying the licenses outright.

There are additional costs beyond the standard licensing fees. For example, there are add-ons like the QRadar Vulnerability Manager.

What other advice do I have?

QRadar, as a product, might be very straightforward, but to fully understand the product you would need to go for the QRadar training. IBM's training for QRadar is very expensive but it really helps you use the product to its full potential. Before I went to the training, I only used about ten percent of its capability. I would recommend going for the training on the product.

In terms of the number of users, it's not users logging in every day and doing stuff on QRadar. It's a handful of people from the team monitoring QRadar. We could be managing, for example, 50 or 70 customers through one dashboard and about ten people would be monitoring it. The users have a specific role.

The amount of staff required for deployment or maintenance depends on the type of update or patch that's being deployed. For deployment of a new patch, it could take anything from an hour to about ten hours. It depends on the patch, how big the patch is, and if you've gone through a testing phase or not. So there are multiple dependencies on how long it would take. An average, for me, would be three hours to do certain deployments.

Currently it's being used quite widely. The only downfall of this product would be its price. I wouldn't recommend it for a small company. For larger companies I know it's being widely used.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
PeerSpot user
it_user641277 - PeerSpot reviewer
Information Security Analyst at a transportation company with 5,001-10,000 employees
Vendor
The pre-canned rules and reports are a plus. They have new apps to integrate different tools into the dashboard.
Pros and Cons
  • "The pre-canned rules and reports in this product are a huge plus."
  • "QVM is another instance where they need to revise the vulnerability scoring and the proper remediation details."

How has it helped my organization?

Most of the time, a well-defined rule helps us to detect and investigate different threat scenarios, especially with the QRadar Vulnerability Manager (QVM) and the asset model. It also gives us a historical correlation of who has been using the box, over that time period.

What is most valuable?

The pre-canned rules and reports in this product are a huge plus. Along with this, they have new apps to integrate different tools into QRadar’s dashboard. These features are most important, since it provides a single pane for viewing and researching the offenses, thus, saving a lot of time and resolving the complexity of the issues.

What needs improvement?

This product has room for improvement in a lot of areas including the default emailing template that it uses to alert on offenses.

It also needs a lot of work in terms of the flows and the log source parsing. A lot of the time, it is very difficult to add a new/uncommon log source to this tool, as we need to map a lot of fields, rather than simply extracting these from the payload.

QVM is another instance where they need to revise the vulnerability scoring and the proper remediation details.

IBM QRadar is a wonderful product, until they release some patches and that breaks something else. There are many advancements that need to be done in terms of DSMs, when it comes to parsing.

What do I think about the stability of the solution?

We did encounter stability issues as IBM’s patches are not stable at all. Every time they release a new patch, it breaks certain components immediately and the worst part is, it breaks certain components over a period of 90 days.

What do I think about the scalability of the solution?

Apart from the pricing issues, scaling of the product with the infrastructure is pretty easy and convenient.

How are customer service and technical support?

Most of the technical support is provided by their L2 support level technicians and I would give them a 7/10 rating.

Which solution did I use previously and why did I switch?

We have only been using this solution. We have not used any other solutions.

How was the initial setup?

Setting up the equipment and installing it across the network is pretty easy. It is similar to installing a Linux server.

What's my experience with pricing, setup cost, and licensing?

Most of the time, it is easier and cheaper to buy a new product or the QRadar box. For example, with the QRadar Event Collector 1605, as and when you need to expand your EPS and the number of log sources, it's much cheaper, and the boxes usually ship with the default 1000 EPS and 750 log source limit. They have another advantage, i.e., the storage.

Which other solutions did I evaluate?

We chose this product based on the Gartner Magic Quadrant review. I had gone through a few PoCs and chose this tool, as it is foolproof.

What other advice do I have?

Evaluate your network first. Determine the target audience that you will be monitoring and working on this tool.

It is important to note whether your organization is looking for a compliance-based check mark practice (defensive security), or active threat monitoring and out-of-the-box security posture.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1846212 - PeerSpot reviewer
IM Operations Manager at a tech services company with 1,001-5,000 employees
Real User
Reliable, suitable for large enterprises, but could be more user-friendly
Pros and Cons
  • "IBM QRadar Advisor with Watson is a stable solution."
  • "IBM QRadar Advisor with Watson could be more user-friendly. You need some skills and understanding of what you're looking at, especially if you're going to draw down specific information."

What is our primary use case?

IBM QRadar Advisor with Watson is aligned with regards to what's happening in the public space in terms of the phishing attacks that we are seeing prevalent in the market. In the campaigns in which hackers are trying to obtain information, the use cases are very practical. The solution offers quite a bit of protection.

What needs improvement?

IBM QRadar Advisor with Watson could be more user-friendly. You need some skills and understanding of what you're looking at, especially if you're going to draw down specific information.

Massive improvement is required in reporting. IBM QRadar Advisor with Watson is not a tool that is known for its reporting capability. It's a highly operational tool that you use for monitoring, you can sit and you can watch your alerts, whether it's flows or EPS, and you set up your playbooks directly. It is not a reporting tool. It is the worst possible tool to ever expect any reporting. It's unfortunate it's not a great reporting tool.

In a future release, there could be a bit more intelligence in terms of predictive accuracy and overall predictions. I haven't been too close in the last two, three, or four months, but I certainly would expect that their technology would be simplified to provide predictive analytics as opposed to retrospective looking back and analyzing past historic data.

For how long have I used the solution?

I have been using IBM QRadar Advisor with Watson for approximately 10 years.

What do I think about the stability of the solution?

IBM QRadar Advisor with Watson is a stable solution.

What do I think about the scalability of the solution?

IBM QRadar Advisor with Watson is best suited for large enterprises.

How are customer service and support?

The support from IBM is not great at all. They can offer much better aftermarket support. They don't respond in a timely manner and it's such a challenge to have IBM respond. You have to follow their due diligence process when logging a call on their portal, you need access to their portal, and you have to provide detailed logs, et cetera. If their problem is always about integration, they have to get to the vendors. They can always enhance their support.

I would rate the support from IBM QRadar Advisor with Watson a two out of five.

They do respond but it depends on many factors, such as urgency. When we had an issue with Microsoft integration it took us six weeks to have a solution to the problem.

How was the initial setup?

IBM QRadar Advisor with Watson's initial setup is not straightforward. You have to set up your network infrastructure, IP range, and firewalls, and make sure everything is secure. There's nothing easy about that.

What about the implementation team?

You need application and hardware leads, firewall administrators, network engineers, and server administrators to complete the implementation.

What other advice do I have?

My advice to others is to shop around because IBM QRadar Advisor with Watson is not for small enterprises, it's aimed at your larger environments that have a multitude of infrastructure and networks that are hybrid across different environments. It integrates into quite a few tools, such as your email system, and file systems. 

This tool is not for everybody. IBM doesn't have the sort of tool that helps a five, ten, or twenty user environment. This is not advisable to go and invest in the solution. There are other tools that you could possibly look at that do probably some of the functions in terms of monitoring your playbooks and integration points that are a little bit easier to map to. However, that is not a tool for every organization out there. The solution is targeting major enterprises.

I rate IBM QRadar Advisor with Watson a seven out of ten.

There are quite a few areas they could improve, such as they have a lot of technical manual configs and orchestration could be better.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user