IBM QRadar Review

Search capabilities are sufficient for most tasks. We need to see improved rule based access controls and rule/event tuning.


How has it helped my organization?

Log aggregation and event correlation did not occur in an enterprise fashion before this product. Troubleshooting more complex issues became much simpler with the addition of this product.

What is most valuable?

Search capabilities are sufficient for most tasks, although not as easy to use as some other products.

What needs improvement?

Search capability and indexing still lag behind competitors. We also need to see improved rule based access controls and rule/event tuning.

The search capabilities in QRadar are decent in their ability to be granular but the methodology of search prevents the rapid and easy modification of search parameters as an analyst works through the hunting process.

There are several examples of this. Let’s say you add two or three parameters to your search using various filter methods.

You can quickly change items like the scope of time for your search or the presentation of data, but you cannot quickly change the other parameters such as the IP address you are looking for. So you have a search of 10.0.1.1, the system processes that search, but then you realize you need to search for 10.1.1.2 instead.

You have to delete the old IP and recreate. At that point the search starts over from the beginning. In a system like Splunk if when using the filters the query string is written for you and can be easily modified/edited on the fly. While that may still result in a search restarting the manipulation of that search is faster and more efficient. This is just a single example.

What do I think about the stability of the solution?

I feel that some of the stability issues are attributed to our network. However, too many issues existed with the product and too many more appeared as they tried to fix different issues.

What do I think about the scalability of the solution?

We never scaled the product before we decided to remove it from our network. From all appearances, scalability was not going to be an issue.

How are customer service and technical support?

Technical support was OK at best due to the length of time before resolution.

Which solution did I use previously and why did I switch?

I used ArcSight at a previous company. I would much rather have a correctly scoped and built QRadar to manage. However, as a consumer of ArcSight, it was a very good product.

How was the initial setup?

I was not involved in the initial setup.

What's my experience with pricing, setup cost, and licensing?

Do your due diligence. I found other solutions, with more features at the same cost or less. You don’t have to leave the Gartner Magic Quadrant to beat their price.

Which other solutions did I evaluate?

I did not choose this product.

What other advice do I have?

Evaluate the product based on a full set of requirements and your security analyst workflow. Do not base your decision on the company name or promises of new abilities years down the line.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
1 visitor found this review helpful
Add a Comment
Guest
Sign Up with Email