Improvements to My Organization
Normally, an offense comes in and an offense is something negative, to put it plainly, that impacted your environment. Once it comes through, you can then see from the QRadar log sources, who or what triggered the offense. For example, if an IP is browsing somewhere where it shouldn't be browsing. Let's say that one of your log sources reported it back to QRadar. You can see if the IP that browsed on certain websites where it shouldn't be browsing. When you right-click and go to the threat protection network, that will normally show you who is browsing, where that IP is coming from, what type of website it is browsing, and if it is good or bad. If it's bad, it will give you recommendations on how to resolve the issue.
The threat protection network is the most valuable feature because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why.
Room for Improvement
I would like to see a more user-friendly product. I would like them to make it much more user-friendly. At this stage, you need to use a lot of widgets to do your searches.
To advance searches, you must do a lot of Regex expressions.
In the first year I used it, there were a few stability problems. In the previous three years, there haven’t been any stability issues.
I've seen no scalability issues in any of the environments where I am working at the moment. I've seen how it handles lot of load. I'm talking about a 5,000-user environment. It can handle a lot of logs and events coming through simultaneously.
If you spec it properly, with the proper hardware requirements, then it doesn’t crash. I've seen how people give it way less specs then it should have, and then it does crash. But that was the fault on the users’ side, and not the fault of the product.
Customer Service and Technical Support
I would give technical support a rating of 8/10. When they help you with a call for a problem with the product, which I've had twice, the next day, they roll out an update worldwide for all their products to be patched on that problem.
They lose too much time, in my opinion. Normally, you struggle a bit to get a hold of them and get to the correct person to assist you. Even though this isn't a very big delay, it usually takes about an hour. However, in my company, an hour can make a very big difference in my life. For example, it will take me about an hour to an hour and a half to get support from them. I'm a person who loves to get it done now. So if you don't mind waiting about an hour, then it can be very good support. When you log a call with IBM, it takes them about an hour to start working on the problem.
We used Splunk in the past and we are using both products at the same time.
The setup was very straightforward. It's basically, "next, next, and next”, and then you are finished.
Other Solutions Considered
I wasn't completely part of the whole process when they chose a product. I know they evaluated AlienVault, which unfortunately I do not have any experience with. I'm not able to provide pointers as to why the company chose IBM QRadar. I believe it's because we are a partner with them.
Just spec it correctly and it will do its job for you. It has an active community. IBM patches the product regularly when problems are picked up. I haven’t heard about a lot of problems from other people using the product. When we only have four hours to respond, an hour can make a difference in waiting for support.
Disclosure: I am a real user, and this review is based on my own experience and opinions.