IBM QRadar Review

Built-in rules are enabled by default and tunable to meet the specific needs of each organization.

What is our primary use case?

As a PS consultant on projects where the customer is transitioning from a competitor's SIEM to QRadar, they are very pleased when they see the number of quality offenses being caught soon after implementation and integration of log sources just from the out-of-the-box rules enabled by default.

How has it helped my organization?

As a Professional Services consultant, I have heard many reports of how QRadar SIEM has quickly identified offenses which the users were unaware of previously. In addition to giving CISOs gained visibility and increasing security posture, QRadar adheres to an organization's regulatory compliance across a number of industries (i.e. Healthcare, Financial, Retail, Energy and Government).

What is most valuable?

  • Correlation Rule Engine, built-in use cases: QRadar has the highest number of built-in use cases among any SIEM on the market. There are many built-in rules that are enabled by default and easily tunable to meet the specific needs of each organization. The correlation engine automates what is a manual process for many SIEM platforms.
  • Network-Based Anomaly Detection (NBAD): Using NetFlow, JFlow, SFlow, or QFlow (all 7 layers), offenses are detected as a response when a rule is triggered.
  • QRadar Vulnerability Management: Built-in vulnerability scanner or leverage for other supported scanners to either schedule a scan and/or import the results from a scan. Importing the results enriches the assets profile database to quickly identify assets that have known vulnerabilities.
  • X-Force Threat Intelligence: Threat intelligence IP reputation feed which leverages a series of international data centers to collect tens of thousands of malware samples, to analyze web pages and URLs, and to run analysis to categorize potentially malicious IP addresses and URLs.
  • App Exchange: Many vendors have written apps to enhance QRadar. The apps are free and enhance your SIEM experience by adding rules and custom event properties and, in some cases, a new tab. You will need to have purchased the third-party solution. For example, if you have Palo Alto or Blue Coat, there's a free app for better integration.

What needs improvement?

Some UI enhancements would be nice, such as exporting custom event properties and the ability to export rules.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

We did not encounter any issues with stability.

What do I think about the scalability of the solution?

We did not encounter any issues with scalability.

How are customer service and technical support?

The technical support is very good.

Which solution did I use previously and why did I switch?

We had limited experience with RSA enVision, LogRhythm, and HPE ArcSight. QRadar is much easier and takes less time to implement and maintain.

How was the initial setup?

The initial setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

Go through a vulnerability assessment review for price breaks. A virtualized solution will also cut down on cost.

Which other solutions did I evaluate?

We did not evaluate any other options.

What other advice do I have?

Every SIEM tool has a certain degree of complexity, especially where use cases and rules are concerned. I advise using Professional Services so your SIEM is configured by trained professionals.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a business partner of IBM.

it_user113184 (Security Expert at a tech services company)

With regards to the UI improvements remark, I would urge you to always check the QRadar Apps that are available on the App Exchange portal. For example, with regards to being able to export custom event properties from one QRadar instance to another, please consider the app available @ Last but not least, please note that an App can be as simple as a rule, a filter, etc... so please do consider using the app exchange framework... my2cs.

it_user246402 (Sr SIEM Consultant at a tech services company with 51-200 employees)

Thank you for the feedback and the recommendation, Jean-Luc.

it_user775200 (Senior Managing Consultant - Asia Pacific (AP) IBM Q1 Labs Technical Consultant at a tech company with 10,001+ employees)

Damian, regarding rule export, the question is what you want to do with this export. QRadar, as you probably know, has the CMT tool (Content Management Tool), which will allow you to export custom rules. That having been said, the question is always what next. If you want to import them into another QRadar system, then yes, you can; if you think about them in the category of YARA rules, then no, you cannot use this export in third-party solutions.