IBM QRadar Review

Easily monitors your environment with good user interface and plug-in integrations


What is our primary use case?

We use IBM QRadar to monitor security logs across the network.

What is most valuable?

One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like ForeScout, Carbon Black, and the rest. Additionally, the ability of the agents to filter using XPath query to filter out the specific events you want to pick from, especially Windows log sources, is also very useful. That goes a long way in managing the EPS of the solution.

What needs improvement?

There are two ways you can pull logs: one way is where you can receive logs or send logs using the agents and previous transformation and the other way is where QRadar logs onto the servers using the admin account and then pulls the logs itself. The functionality that I would love to see with that remote pulling is to have the ability to also select what logs its pulling because when you use MSRPC now to receive loads from your log surface, it basically pulls all the events from that server. So even the noisy events that would overshoot your EPS, would also be pulled. So for particularly active or high servers that generate a whole lot of security events, let's say like your SFTP server that has a lot of devices on your network connecting to it, if you try to pull the logs remotely it would overshoot your EPS really quickly.

So if they could improve the functionality of the remote pull to also be able to select the logs that it is pulling from the log sources, that would be very, very effective. The reason for the pull is because the agents are not tamper-proof and any administrator can help shut down the service and uninstall the application and a whole lot of other things. Basically, your listening agent is at the mercy of the administrators, and for a security device or security software, that is a big vulnerability, because anybody can then go into the server, stop the agent, and then run any command or make any change they want to do, which would make your monitoring null and void. It would be good if the agent itself could be tamper-proof. And back to the first point, the reason why I prefer the remote pull is if there's no agent on the server and it's the console logging onto the server, your monitoring is much more secure. Regardless of what changes are being made on the server or what's going on the server, if the server is shut down and then a newer version is brought up with the same hostname and IP address, you would not need to go back in and re-install the agent. The console would just automatically connect back to that server once the IP address and the host are back up.

Additionally, I would like the rule creation interface to be much more user-friendly in the next release.

For how long have I used the solution?

I have been using IBM QRadar every day for the last 12 months.

What do I think about the stability of the solution?

In terms of stability, it is very stable. In the almost two years in the environment, there has been only one issue. It was a disc failure and that was replaced within a week by the OEM.

What do I think about the scalability of the solution?

Scalability might be an issue, but maybe it's because in our environment we do not use the application host. Since we use on-premise appliances we did notice that performance degraded a little when we added some plugins. So the recommendation was that we should have a separate application server that would host the application and then interface with the plugins and interface with the management console. But we do not have that within our environment so I can't speak to whether that would improve performance.

How are customer service and technical support?

IBM tech support has been responsive.

How was the initial setup?

I believe the initial setup was straightforward but I was not here for the setup, although I did not get any complaints.

What's my experience with pricing, setup cost, and licensing?

The license is a yearly one.

What other advice do I have?

I would recommend IBM QRadar. The user interface is really great and it simplifies the task of monitoring your environment.

On a scale of one to ten, I would give IBM QRadar an eight.

Which deployment model are you using for this solution?

On-premises

Which version of this solution are you currently using?

7.4.3
**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More IBM QRadar reviews from users
...who work at a Financial Services Firm
...who compared it with Splunk
Learn what your peers think about IBM QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: September 2021.
536,548 professionals have used our research since 2012.
Add a Comment
ITCS user
Guest