IBM Security QRadar Reviews

Log aggregation and event correlation did not occur in an enterprise fashion before this product. Troubleshooting more complex issues became much simpler with the addition of this product.

Search capabilities are sufficient for most tasks, although not as easy to use as some other products.

Search capability and indexing still lag behind competitors. We also need to see improved rule based access controls and rule/event tuning.

The search capabilities in QRadar are decent in their ability to be granular but the methodology of search prevents the rapid and easy modification of search parameters as an analyst works through the hunting process.

There are several examples of this. Let’s say you add two or three parameters to your search using various filter methods.

You can quickly change items like the scope of time for your search or the presentation of data, but you cannot quickly change the other parameters such as the IP address you are looking for. So you have a search of 10.0.1.1, the system processes that search, but then you realize you need to search for 10.1.1.2 instead.

You have to delete the old IP and recreate. At that point the search starts over from the beginning. In a system like Splunk if when using the filters the query string is written for you and can be easily modified/edited on the fly. While that may still result in a search restarting the manipulation of that search is faster and more efficient. This is just a single example.

I feel that some of the stability issues are attributed to our network. However, too many issues existed with the product and too many more appeared as they tried to fix different issues.

We never scaled the product before we decided to remove it from our network. From all appearances, scalability was not going to be an issue.

Technical support was OK at best due to the length of time before resolution.

I used ArcSight at a previous company. I would much rather have a correctly scoped and built QRadar to manage. However, as a consumer of ArcSight, it was a very good product.

I was not involved in the initial setup.

Do your due diligence. I found other solutions, with more features at the same cost or less. You don’t have to leave the Gartner Magic Quadrant to beat their price.

I did not choose this product.

Evaluate the product based on a full set of requirements and your security analyst workflow. Do not base your decision on the company name or promises of new abilities years down the line.

The search capability (I've used other solutions) and data consolidation are some of the key features.

For this organization, it was the first log management solution. So, it definitely gave us the ability to search through the data when we had events. We could search based on the identity of the person, or the machine, or the IP address. We could do a lot of different searches. We could also do payload searches, and depending on how much capacity you have, you can do quite a lot with it.

I want to see a three-dimensional perspective of the data. I don't want to see just an event perspective of the data. I want to be able to identify a user, and within clicks, know all the activity of that user. I don't want to see it in events. I want to see it in relevant information.

There needs a little bit more investment into enhancing the user interface. That is the main thing; making it represent an actual incident response state-of-mind, similar to how you would troubleshoot an incident. That is the main issue. It was a major position by IBM when they bought it. But we see a lot of things being done around the Cognitive side, around the Watson side. But what we're not seeing the growth in, is the actual tools interface and usability. And that's what we wanted to see. We wanted to be able to see seamless identification of log sources, seamless categorization and normalizing of log sources, seamless alerts. In all those things, for the solution to mature, it has to be able to take data and make sense of it by itself, without a lot of input. And those are the areas that they can really improve it.

It's been stable. Stability hasn't been a problem, as long as you have enough capacity. It's all about sizing it right for the size of your environment. We do drop packets every day. So depending on how our log volume increases or reduces, you see the impact on the packets being dropped.

We've used technical support and it hasn't been great. It didn't seem like we could get the answers we needed without having to use professional services. For a solution like this, little things like how to tune it, how to upgrade it; there are things that as a customer we don't feel the need to use professional services for. We want to be able to just find a document on how to upgrade, and that has been difficult to find.

We didn't have a previous solution. We kind of inherited it as part of another acquisition from IBM, and then we scaled it up to meet our capacity.

We got the basic functionality working, which is not difficult. It's getting the full value out of the solution, which is harder.

From an analytics perspective, it's a good tool. But you have to have the resources to own it. It's not only about buying it. It's not only about capacity, but somebody has to care and feed it. It's not one of those things that you can put it in, walk away and just consume the data. If you don't take care of it and feed it, you won't get what you need out of it.

We are a solution provider and QRadar is one of the products that we implement for our customers.

The majority of our clients for IBM products are financial institutions. By law, to be compliant, they are only allowed to run the current version of any solutions that have been procured. Specifically for our area, all of the financial institutions such as banks are mandated to use the latest version.

The use cases include the logging and reporting of servers. These are typically operations servers and critical servers. You can also use it to monitor network devices such as switches, routers, and firewalls.

Endpoints are not included for most of the clients.

The most valuable feature is the integration with the GRD, for banking.

The advanced planning management (APM) features should be included. We are facing an issue where many of the software houses in Pakistan have developed their own in-house. They have integrated the APM tool with their monitoring solution. This feature is attracting clients and I think that it should be included.

We have not faced any issues in terms of stability.

This is a scalable product. 

The support from IBM is okay. I would rate them a four out of five.

The initial setup is not very complex. My team has hands-on experience with the product, which is perhaps why they do not complain about its complexity.

The distributor helped us a lot, which is something that we appreciate.

We implement this product for our clients.

There are competing products but IBM is a well-known brand so for the most part, we offer IBM QRadar to our clients.

Overall, IBM QRadar is very good but no product is perfect.

I would rate this solution a nine out of ten.

We are using the current version.

The solution supports MSSP models, which most service providers have. This means that a single system can be onboarded for all 200 existing customers for monitoring purposes. 

The implementation of the solution's technology needs to be simplified. It is overly complex. 

The integration also must be simplified. 

The licensing is also overly complex, as there is a need to buy the work load performance monitoring separately. These are the different modules we need to buy. 

IBM does not provide a combined, combo suitor solution which the customer can easily look at. The multiple functionalities are segmented and do not allow for an idea which is complete. It makes it difficult for us to do a realistic comparison with other products. I hope that others follow suit. 

We have been using IBM QRadar for almost eight-and-a-half years. 

No doubt about it, the solution is extremely stable. 

The solution needs to be redesigned to allow for scalability or for extending it to the existing one. There is a need to do long-term planning and migration from an existing to a new one and this cannot be easily accomplished. Storage cannot be added to the installation. One must completely migrate to the new storage to add additional terabytes. 

As such, the solution is not quite scalable. The scalability exists, but it requires migration. 

We are very happy with the technical support. 

The initial setup was extremely complex. 

We made use of an integrator. 

We have nearly two hundred customers making use of the solution.

We have direct contact with Ingram Micro or have a service partner relationship with it, but work directly with IBM as our ISP. 

We are a managed security service provider and wholesale customer of IBM QRadar

We buy a bulk license from IBM QRadar and host around 200 plus customers in a single integration so that all the customer events will be integrated in one solution. We are not integrators and do not resell their services.

As such, we don't buy the license or sell the tools to others. We will buy a license, inclusive of the services, host it with our private cloud and provide services to the end clients.

Our customer base of IBM users is limited. When it comes to a security operations center team, IBM will be looked to for providing security monitoring on an ongoing basis. We must see that it is working as it should be. 

I would recommend this solution to others. 

I rate IBM QRadar as an eight out of ten. 

The product provides a very defined solution. It provides a complete platform for ingesting the log, doing the correlations and handling the runtime.

The solution should enhance its capabilities of UEBA and AI/ML tech modeling.

I have been using IBM QRadar for approximately four years.

IBM QRadar is a very stable product.

The product is very scalable and this can be done to a number of endpoints and towers. However, this is not very feasible, as it depends on the available in-house infrastructure. 

Technical support is very helpful. They are very knowledgeable. While the geographic location can sometimes pose a challenge, my overall experience with the technical support team has been very positive.

The complexity of the initial setup is intermediate. It is neither straightforward nor complex but somewhere in the middle. A person with experience working in a security operation center and who is experienced with correlation rules and use cases can directly configure into the solution. 

Someone considering implementing IBM QRadar should possess a good knowledge of his own infrastructure. He should have all the documents in place. While IBM provides very good implementation support, a complete inventory and technology detail is required, in respect of how the application is flowing, how the infrastructure is connected, and the version and inventory relationship.

I rate IBM QRadar as an eight out of ten. 

There are many use cases for this solution. One example is we are using this solution to monitor user site access to band sites. 

The solution is highly used here in Pakistan and in many sectors, they could improve it by having more SIEM connectors.

I have been using this solution for approximately four years.

The stability is good until you upgrade to a new version. You have to properly shut down services when you are doing some maintenance activities every three to four months. There might be some problems that you do not expect. We have had some complaints from users regarding operation. 

We have had bad experiences with support from IBM. We are not satisfied with the support and they have made me very angry. My customers have had similar experiences.

The initial setup of QRadar is not complex because we have done it before and we are used to the development. It is getting easier all the time.

There is a license required for this solution and it is an annual payment. I have found all solutions in the category to be expensive, including Splunk.

I am evaluating Splunk.

Here in Pakistan, this solution has already saturated the financial market.

I rate IBM QRadar a five out of ten.

We are a cybersecurity service provider, and I manage the QRadar service for my customers.

Provided that the report is prebuilt and I can find what I am looking for, the reporting is the most valuable feature in this solution. The reports are very good and very presentable.

There are reports that I would like to generate that are either not included, or I cannot find. If there is no report for information that needs to be presented then it is one of the biggest issues for the customer.

The ticketing system is not fully automated and needs to be improved.

There should be an easier permission level that basic users can use to create reports. The users include both end-customers and the technical team.  

The pricing needs to be such that they are more competitive with other vendors.

This is a very stable solution and I don't think that we have lost it once. This is good compared to our other system that had gone down three times.

I would say that it is ok. I can buy licenses when I need to scale the solution.

Our experience with technical support has not been smooth. There is a lot of bureaucracy to get to the technical team. In fact, in some cases, we resolved the issues ourselves and then explained to their technical team how it should be done for other customers.

The initial setup for this solution is complex. There are many different components, and only the IBM technicians have the permission, or credentials, to modify the system online. As a customer, I cannot go in and install it myself. Rather, I am dependent on the IBM professionals.

We used a consultant to assist with the installation of this solution.

I have used several other products including ArcSight, AlienVault, and Splunk. Some of these solutions are on-premises or in-house.

I do not like Splunk, but I think that ArcSight is a good solution. ArcSight is complicated, but it is a more mature solution with much greater options than IBM is offering in QRadar.

This is a good solution, but I am familiar with the capabilities of the other products and IBM needs to make some improvements.

I would rate this solution a seven out of ten.

Most of the time, a well-defined rule helps us to detect and investigate different threat scenarios, especially with the QRadar Vulnerability Manager (QVM) and the asset model. It also gives us a historical correlation of who has been using the box, over that time period.

The pre-canned rules and reports in this product are a huge plus. Along with this, they have new apps to integrate different tools into QRadar’s dashboard. These features are most important, since it provides a single pane for viewing and researching the offenses, thus, saving a lot of time and resolving the complexity of the issues.

This product has room for improvement in a lot of areas including the default emailing template that it uses to alert on offenses.

It also needs a lot of work in terms of the flows and the log source parsing. A lot of the times, it is very difficult to add a new/uncommon log source to this tool, as we need to map a lot of fields, rather than simply extracting these from the payload.

QVM is another instance where they need to revise the vulnerability scoring and the proper remediation details.

IBM QRadar is a wonderful product, until they release some patches and that breaks something else. There are many advancements that need to be done in terms of DSMs, when it comes to parsing.

We did encounter stability issues as IBM’s patches are not stable at all. Every time they release a new patch, it breaks certain components immediately and the worst part is, it breaks certain components over a period of 90 days.

Apart from the pricing issues, scaling of the product with the infrastructure is pretty easy and convenient.

Most of the technical support is provided by their L2 support level technicians and I would give them a 7/10 rating.

We have only been using this solution. We have not used any other solutions.

Setting up the equipment and installing it across the network is pretty easy. It is similar to installing a Linux server.

Most of the time, it is easier and cheaper to buy a new product or the QRadar box. For example, with the QRadar Event Collector 1605, as and when you need to expand your EPS and the number of log sources; it’s much cheaper and the boxes usually ship with the default 1000 EPS and 750 log source limit. They have another advantage, i.e., the storage.

We chose this product based on the Gartner Magic Quadrant review. I had gone through a few PoCs and chose this tool, as it is full-proof.

Evaluate your network first. Determine the target audience that you will be monitoring and working on this tool.

It is important to note whether your organization is looking for a compliance-based check mark practice (defensive security), or active threat monitoring and out-of-the-box security posture.