IBM QRadar Review

AQL allows me extract data directly from the QRadar database.


What is most valuable?

I believe AQL is the most valuable feature. It allows me to extract data from the QRadar database directly using a very flexible language similar to SQL. So, if somebody has SQL experience, it is easy to learn.

How has it helped my organization?

My organization did not have SIEM at all. We had Log Manager only, but it was very slow and user-unfriendly. QRadar allowed us to concentrate two functions in one place: an extremely fast log manager with a very user-friendly web UI and the ability to correlate events from many different sources. Thanks to that, the efficiency of the security team has increased.

What needs improvement?

I think Risk Manager (one of the optional QRadar modules) is something that needs improvement.

For how long have I used the solution?

I have been using QRadar for three years.

What do I think about the stability of the solution?

Sometimes, after a new release, we had issues with stability or some bug showed up. It is strongly recommended to have a DEV or UAT environment to test the release before going into production.

What do I think about the scalability of the solution?

We have not really had scalability issues.

How are customer service and technical support?

Technical support is at acceptable level, but sometimes a case is stuck on L1 too long.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

Initial setup was straightforward, but as with all SIEMs, out-of-the-box configuration presents minimal value from a security standpoint. Furthermore, good analysis on where to put collectors is essential, especially when it comes to QFlows.

What's my experience with pricing, setup cost, and licensing?

Put some efforts and evaluate what license (EPS) you need for which collector before making an order. It is worth hiring a professional to do it for you (somebody who has experience with QRadar sizing).

Which other solutions did I evaluate?

We evaluated HPE ArcSight.

What other advice do I have?

Don't forget to hire the right people. They are expensive, but it is far more cost-effective to pay them now than to try to integrate SIEM without professional knowledge and break it (it is especially important in the architecture and integration phase). Because, then you will pay twice and your security monitoring program can be delayed months. In the operation phase, don't forget to invest in training for both analysts and SIEM administrator teams. It is very easy to use this tool the wrong way and then it will give you almost no value.

**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More IBM QRadar reviews from users
...who work at a Financial Services Firm
...who compared it with Splunk
Learn what your peers think about IBM QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: September 2021.
535,015 professionals have used our research since 2012.
Add a Comment
ITCS user
Guest