We just raised a $30M Series A: Read our story
RU
Senior Solutions Architect at a manufacturing company with 51-200 employees
Real User
Top 5Leaderboard
A stable SIEM solution with centralized control and built-in AI/ML

Pros and Cons

  • "QRadar, Splunk, and ArcSight are SIEM solutions with built-in AI/ML features. They can do the complete investigation and alert the admin about what is happening. They can also do the root cause analysis. There are many other features that come with QRadar. It has a more granular log, so you can integrate with various non-IT as well as IT-based components. You can get unstructured data to the SIEM data, and you can identify more what is happening in the network or what is happening in the central head office. You can also identify what is happening between your remote offices. You can also use it to identify what the users in the field are doing on their devices and how things are moving. From the integration point of view, it is very centric. It gives complete control centrally. If a user is not connected to the system, whenever he comes online, we can see the policy updates over the Internet, and we can ensure that the data that is supposed to be protected is protected."
  • "When it comes to what could be better, it is always what others are trying to do and what is the roadmap. It can have more integration. It should have more flexible RESTful APIs for integration with applications. These are the things that are always in demand for any of the SIEM solutions, not only for QRadar. Integration is ever-evolving. Nowadays, different versions of mobile handsets are there and data is getting scattered. Users are using their personal handsets to keep the data of the organization. So, it should have a more flexible integration, irrespective of the flavor of the firmware and iOS or Android version. It should have an API that can seamlessly get integrated. It should also provide more flexible control and a more advanced or analytical view to see what exactly is happening across the globe or network. From wherever a user is connecting and accessing the enterprise data, it should give real-time visibility and predictive visibility about what exactly is happening. These things are already there, but there should be more advanced control in terms of managing the security."

What is our primary use case?

We provide cloud services to the users, and we have our own cloud setup over here. The major use case is when clients require the SOC to be set up.

Setting up the SOC itself is a huge investment. A customer has to invest a lot to build up the whole SOC environment, so, rather than the customer investing in the SOC environment and building up the SOC, we provide it as a service. Customers don't need to do any up-front investment. They use our service. We manage their security tools and security environment as per the compliance guidelines that come from the Indian government. We follow all those practices, and we help them procure more for their network and infrastructure.

What is most valuable?

QRadar, Splunk, and ArcSight are SIEM solutions with built-in AI/ML features. They can do the complete investigation and alert the admin about what is happening. They can also do the root cause analysis. 

There are many other features that come with QRadar. It has a more granular log, so you can integrate with various non-IT as well as IT-based components. You can get unstructured data to the SIEM data, and you can identify more what is happening in the network or what is happening in the central head office. You can also identify what is happening between your remote offices. You can also use it to identify what the users in the field are doing on their devices and how things are moving.

From the integration point of view, it is very centric. It gives complete control centrally. If a user is not connected to the system, whenever he comes online, we can see the policy updates over the Internet, and we can ensure that the data that is supposed to be protected is protected.

What needs improvement?

When it comes to what could be better, it is always what others are trying to do and what is the roadmap. It can have more integration. It should have more flexible RESTful APIs for integration with applications. These are the things that are always in demand for any of the SIEM solutions, not only for QRadar. 

Integration is ever-evolving. Nowadays, different versions of mobile handsets are there and data is getting scattered. Users are using their personal handsets to keep the data of the organization. So, it should have a more flexible integration, irrespective of the flavor of the firmware and iOS or Android version. It should have an API that can seamlessly get integrated. It should also provide more flexible control and a more advanced or analytical view to see what exactly is happening across the globe or network. From wherever a user is connecting and accessing the enterprise data, it should give real-time visibility and predictive visibility about what exactly is happening. These things are already there, but there should be more advanced control in terms of managing the security.

For how long have I used the solution?

I have been using this solution for five years.

What do I think about the stability of the solution?

It is absolutely stable. It depends upon how the implementation has been done. We definitely have the skills to do this kind of implementation. We ensure that a customer's environment is absolutely protected.

What do I think about the scalability of the solution?

It is very scalable, but it also depends upon how the implementation was done. We are providing services to one of the major brands in India. They have somewhere around 30,000 devices. We are currently managing more than 1 lakh QRadar users.

How are customer service and technical support?

QRadar has a good technical team. They provide timely support whenever a ticket is raised.

How was the initial setup?

Deployment of such solutions always takes time because these solutions are not simple. You should have the expertise and you should understand what is really needed for the business. We understand the real business need, and accordingly, we implement the policies.

What about the implementation team?

We have been managing some of the security tools for the past 11 years. We have expert engineers who can help our customers with installation, configuration, planning, designing, and other things.

If you have an environment of 5,000 or 10,000 devices, three to five people should be enough to manage it.

What's my experience with pricing, setup cost, and licensing?

Customers have to purchase a license based on the number of users, devices, and applications they want to protect. It allows you to take a license on a subscription basis for three years or five years.

What other advice do I have?

I would recommend this solution. If you are looking for a SIEM solution, IBM QRadar is one that you should ideally look for.

I would rate IBM QRadar a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
OK
Analyst at a tech services company with 501-1,000 employees
Real User
Easily monitors your environment with good user interface and plug-in integrations

Pros and Cons

  • "One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like Scout, Carbon Black, and the rest."
  • "I would like the rule creation interface to be much more user-friendly in the next release."

What is our primary use case?

We use IBM QRadar to monitor security logs across the network.

What is most valuable?

One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like ForeScout, Carbon Black, and the rest. Additionally, the ability of the agents to filter using XPath query to filter out the specific events you want to pick from, especially Windows log sources, is also very useful. That goes a long way in managing the EPS of the solution.

What needs improvement?

There are two ways you can pull logs: one way is where you can receive logs or send logs using the agents and previous transformation and the other way is where QRadar logs onto the servers using the admin account and then pulls the logs itself. The functionality that I would love to see with that remote pulling is to have the ability to also select what logs its pulling because when you use MSRPC now to receive loads from your log surface, it basically pulls all the events from that server. So even the noisy events that would overshoot your EPS, would also be pulled. So for particularly active or high servers that generate a whole lot of security events, let's say like your SFTP server that has a lot of devices on your network connecting to it, if you try to pull the logs remotely it would overshoot your EPS really quickly.

So if they could improve the functionality of the remote pull to also be able to select the logs that it is pulling from the log sources, that would be very, very effective. The reason for the pull is because the agents are not tamper-proof and any administrator can help shut down the service and uninstall the application and a whole lot of other things. Basically, your listening agent is at the mercy of the administrators, and for a security device or security software, that is a big vulnerability, because anybody can then go into the server, stop the agent, and then run any command or make any change they want to do, which would make your monitoring null and void. It would be good if the agent itself could be tamper-proof. And back to the first point, the reason why I prefer the remote pull is if there's no agent on the server and it's the console logging onto the server, your monitoring is much more secure. Regardless of what changes are being made on the server or what's going on the server, if the server is shut down and then a newer version is brought up with the same hostname and IP address, you would not need to go back in and re-install the agent. The console would just automatically connect back to that server once the IP address and the host are back up.

Additionally, I would like the rule creation interface to be much more user-friendly in the next release.

For how long have I used the solution?

I have been using IBM QRadar every day for the last 12 months.

What do I think about the stability of the solution?

In terms of stability, it is very stable. In the almost two years in the environment, there has been only one issue. It was a disc failure and that was replaced within a week by the OEM.

What do I think about the scalability of the solution?

Scalability might be an issue, but maybe it's because in our environment we do not use the application host. Since we use on-premise appliances we did notice that performance degraded a little when we added some plugins. So the recommendation was that we should have a separate application server that would host the application and then interface with the plugins and interface with the management console. But we do not have that within our environment so I can't speak to whether that would improve performance.

How are customer service and technical support?

IBM tech support has been responsive.

How was the initial setup?

I believe the initial setup was straightforward but I was not here for the setup, although I did not get any complaints.

What's my experience with pricing, setup cost, and licensing?

The license is a yearly one.

What other advice do I have?

I would recommend IBM QRadar. The user interface is really great and it simplifies the task of monitoring your environment.

On a scale of one to ten, I would give IBM QRadar an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Learn what your peers think about IBM QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: November 2021.
555,139 professionals have used our research since 2012.
reviewer1285209
Tech Lead at a tech services company with 1,001-5,000 employees
Real User
Top 5Leaderboard
Scalable and versatile with a lot of good features and good integration with AWS

Pros and Cons

  • "There are a lot of features in QRadar. App Exchange is the most valuable feature. User behavior analytics (UBA) is also a very good feature. Watson is also there, but we are not currently using Watson. It is versatile and quite easy. It also has an all-in-one-box feature and good integration with AWS."
  • "SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar. It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want."

What is our primary use case?

We are a product-based organization. We use this solution for a shared SOC service and security audits and compliance.

What is most valuable?

There are a lot of features in QRadar. App Exchange is the most valuable feature. User behavior analytics (UBA) is also a very good feature. Watson is also there, but we are not currently using Watson.

It is versatile and quite easy. It also has an all-in-one-box feature and good integration with AWS. 

What needs improvement?

SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar.

It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want. 

If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment.

What do I think about the stability of the solution?

It is stable. There are no incidents when SIEM completely stopped. 

What do I think about the scalability of the solution?

I have expanded it. It is very good in terms of scalability. Because it is on the cloud, it can be scaled anytime. If I want to increase my CPU's RAM, I can do it. At any point in time, if I want to get additional licenses, I can just call support, and they will provide that.

I have around six customers who are using QRadar in a shared model. We do have plans to increase its usage. We are looking after different customers, and when they're ready, we can integrate it.

How are customer service and technical support?

They are good and responsive. However, because of COVID, of late everyone is working from home, and sometimes, their response has been a little bit slow for incidents. They did apologize for that.

How was the initial setup?

It is straightforward. AWS has a feature called Marketplace in its environment. When we click it, we can load it directly. It doesn't take more than two to three days to completely deploy the infrastructure. 

What's my experience with pricing, setup cost, and licensing?

They can give us some scalability and flexibility on pricing. If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment and grow business in the market. If I start a license today and take around 10,000 EPS, and after a month, there is an increase in the number of clients on my platform, I can increase the number of licenses. I can add 5,000 EPS on a yearly basis.

Which other solutions did I evaluate?

We chose QRadar over McAfee ESM.

What other advice do I have?

It has good integration with AWS. AWS has come up with a Marketplace click-in option that provides direct integration between your AWS and data centers or cloud solutions through a small VPN. It allows you to bring up small environments with 5,000 EPS or 6,000 EPS or even 3,500 EPS or 2,500 EPS very quickly. It is very flexible and not at all tough for a startup engineer to click and bring solutions inside. It is quite easy.

I would rate IBM QRadar an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
AK
User
Real User
Stable, functional out of the box, and offers good integration capabilities

Pros and Cons

  • "Technical support is good overall."
  • "The reporting system could use some upgrading."

What is our primary use case?

We make some special demos that we sell to our customers. We work as a technical support L1/L2 for our customers in these cases as well.

The solution allows organizations to check people who work from home or in the office. It can help a company understand who is connected from home. 

Sometimes people give a login and password to colleagues. The security can see the situation when someone logs in locally, and they can see a remote connection. They can see this is from the login and password. They'd be able to tell if something was shared and could dig deep to figure out if it is a breach or if it is something that has been properly shared. 

What is most valuable?

The SOAR features are very good.

The product is able to handle special requests.

It can effectively search local files.

We are able to deploy in two or more different locations.

The solution is functional right out of the box and it's a pretty simple system with different kinds of solutions that address different types of problems. 

The initial setup is pretty straightforward.  

The solution is stable.

The product can scale.

Technical support is good overall.

Qradar has a lot of integration capabilities with different security products.

If we talk about functionality in general for SIEM systems, it's good.

What needs improvement?

In terms of the government sector, sometimes they do not have enough money to buy a full SIEM. That's why they ask about some parts of the SIEM system or core. It can be expensive.

It would be ideal if they offered a barebone setup alongside an appliance. It's very interesting for different kinds of customers. Most of them prefer the core appliance, yet some of them prefer barebone.

It would be ideal if the solution offered new connectors to other systems.

The reporting system could use some upgrading.

For how long have I used the solution?

We've been using the solution for at least the last 12 months or so.

What do I think about the stability of the solution?

The stability is good. there are no bugs or glitches. It doesn't crash or freeze.

What do I think about the scalability of the solution?

The scalability of the product is very good. Sometimes we get requests for specific functionality and usually, we can accommodate that.

How are customer service and technical support?

Generally, we are happy with technical support. They are helpful and responsive.

How was the initial setup?

The initial setup is very simple for our customers due to the fact that the first step is a demo for a customer. We need about 5 to 15 working days to make this demo. We talk about making a core system. It's not difficult to make over the Qradar SIEM. After that, if the customer needs some special function for, for example, different parts of the organization, we can propose some separate parts of SIEM. That's about two or eight weeks away. 

In general, for a SIEM project, you are looking at a deployment time of about two til eight months. 

What about the implementation team?

As integrators, we can help advise clients and assist in the deployment process.

What's my experience with pricing, setup cost, and licensing?

IBM Qradar has an interesting scheme for payments. They have annual payments for customers who use subscriptions for some services. I can't see any problem with the current financial scheme for this product generally. It's okay.

What other advice do I have?

We are implementors. Our customers are the ones that use IBM Qradar.

We are an IBM partner.

We strongly recommend to our customers use the latest version of Qradar. It's important for security. We tend to use the latest in general.

Our customer is a government organization, including some ministries. Therefore, they use on-premise deployments only. However, they have some plans for hybrid clouds or private clouds in the next three or four years. That said, it's very hard to say exactly as the work at the ministry is about security. On-premise is deemed to be more secure.

I'd rate the solution at a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
RB
Founder at Halainfosec
Reseller
Priced well and has good support, but it is resource intensive

Pros and Cons

  • "The flexibility is good in terms of pulling log files."
  • "It's resource-intensive."

What is our primary use case?

We are service providers, and we are always exploring tools to accompany existing tools. I am always searching for the best products to meet my clients' requirements. I always look to understand the technology first, learn what benefits we can get from the product, how competitive is it with other tools such as DarkTrace, and Palo Alto.

We are working with this solution, but it is being managed by another vendor.

We are service providers. We are providing SOC service and MSSP services for our clients. 

We are working on various products, not one specific product. We can provide services for any product, in fact, any security solution.

What is most valuable?

There have been many advancements made in the most recent year. There are many add-ons included in the licenses that I have yet to explore.

There have been many improvements. When I worked with this solution at the core technical level, it was a SIEM solution. Many attributes have been added, such as threat intelligence, SO solutions, automation, and OT security. Many other platforms have been included as part of IBM QRadar.

The flexibility is good in terms of pulling log files.

What needs improvement?

Automation is an area that people are looking for. IBM does have the SO solutions platform, but it would be more useful if they could have predefined use cases rather than using more generic ones. It would be much better if they could customize their use cases.

It's resource-intensive.

The IBM QRadar team has to be proactive and they have to be informative about the product.

They don't want to spend too much money on the SIEM because it is obviously resource-intensive. But the SIEM is a very useful product when you have good resources and good software.

For large organizations, that want to integrate all of the log sources, the pricing will be too expensive. This is the main reason that clients are not interested in SIEM solutions.

For how long have I used the solution?

I have been working with IBM QRadar for approximately four years.

I moved into consulting, at the architectural level. I'm not working at the core level but I know the basics of QRadar and how exactly it functions. 

How are customer service and technical support?

Technical support is good. 

My personal experience was fantastic. They are always good and we have never had any problems.

There are a lot of online resources available.

What's my experience with pricing, setup cost, and licensing?

When compared with other SIEM solutions, QRadar is considerably less expensive. I would like to compare it with Elasticsearch because they have different pricing strategies.

QRadar is events per second, EPS-based, whereas Elasticsearch is resource-based. You have to estimate based on how many resources will be used in the infrastructure, irrespective of log resources and log volumes. 

They are charging based on the resources. 

Which other solutions did I evaluate?

I'm exploring the Elastic Stack Elasticsearch currently. Splunk is out of scope for us right now, we're not interested in that. Sentinel is one that we are interested in.

What other advice do I have?

There are many competitive tools that are emerging regarding XDR solutions or SO solutions, which are capabilities that QRadar offers.

The competition is very different from the geographical locations.

For the Indian market, locally, they are still working on the old SIEM structure. It is a very generic SIEM model. Western countries, especially North American clients, are advanced in terms of moving the infrastructure to the cloud. Some have OT security and they're also doing some Office 365 advancements and several advanced search engines for endpoint detection.

They are expecting that nothing is left behind without using any licenses. Microsoft provides part of the security services if you go with the EFI license.

As vendors, we need to counter with the important visibility areas, and the critical access, which needs to be monitored as part of security. 

I would rate IBM QRadar a seven out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Flag as inappropriate
RO
Information Security Specialist at a comms service provider with 501-1,000 employees
Real User
Not user friendly, doesn't integrate well, and has terrible technical support

Pros and Cons

  • "The solution can scale."
  • "The solution is clunky."

What is our primary use case?

We use the solution for a variety of tasks. We use it, for example, for authentication, network-related authentication, user-related tasks, and Windows UNIX servers. It's a lot. There's a ton of use cases. I really can't sync right now about every single use case, however, the main things are authentication and network-related systems and all flavors of UNIX Windows. 

How has it helped my organization?

It helped our organization in the sense that having it was better than nothing. However, I did not enjoy the product overall and I advised we switch to something else.

What is most valuable?

The user behavior analytics as part of our deployment was okay, even though it was clunky.

The solution can scale.

What needs improvement?

I really didn't like QRadar to be honest. I inherited it. I was part of the reason that we moved over to LogRhythm. The solution just isn't user friendly.

The solution is clunky. 

The interface could be much better.

The integration capabilities within the product are not that great.

For how long have I used the solution?

I've been using the solution for about two years at this point. My team has been using it for two to three years, so we have a total of about five years of experience in all.

What do I think about the stability of the solution?

I wouldn't describe the solution as stable. 

It was really buggy. Like other app integrations, it wasn't straightforward. It was pretty clunky. We tried to integrate Qualys with it and it wasn't effective. To integrate anything took quite a bit of time and energy. It wasn't easy. When it did, it didn't work properly. It wasn't really pulling in the data correctly.

What do I think about the scalability of the solution?

Scalability was hard as it was on-prem. We needed to add more modules, and had to add more of the servers to stack it. It wasn't that a simple task at all. I wouldn't say that it scales well, although technically, you can scale it.

When we were using the solution, we had ten to 15 users on it. They were anyone from Information Security Engineers to regular IT admins.

How are customer service and technical support?

Technical support was awful. We often didn't even have any assistance available to us. On a scale from one to ten, I'd rate them at a three. We were very unsatisfied with the level of support we received. They just simply weren't helpful when it came down to it.

Which solution did I use previously and why did I switch?

The organization didn't previously use a different solution before choosing QRadar.

We actually switched to LogRhythm as I didn't like how the solution was working for the organization.

How was the initial setup?

I didn't handle the initial setup. It was handled before I arrived at the organization.

What other advice do I have?

I'm not sure of which version of the solution we're using.

I wouldn't recommend the solution. I'd probably tell others to shy away and look at other products like possibly Splunk, however, it's a pricey option. LogRhythm is pretty good. We're having some issues with it. That said, for the most part, it's okay. 

Exabeam also seems like it might be a good option. I haven't worked with it personally, however, I've had some experience with a POC.

Overall, I would rate the solution at a three out of ten. We didn't have a good experience with it. If it offered, for example, easier behavior analytics, easier integrations, better interface, supported model integration, and a good user interface to perform analysis I might rate it higher. Basically, it just needs to be much more user-friendly.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
JT
IT Security Analyst at a manufacturing company with 10,001+ employees
Real User
Helps us monitor and generate statistics that help to illustrate what is going on in the company

Pros and Cons

  • "I have found its network traffic log, network bit log, and QBI most valuable."
  • "We need more features in order to create rules to detect or to meet some requirements for other areas, for example, catching the event from other authentication tools."

What is our primary use case?

We have a lot of use cases with IBM QRadar, but our primary use is for monitoring traffic and detecting tricks.

How has it helped my organization?

In terms of how IBM QRadar has improved our company, on peak days it helps us monitor and generate statistics that help to illustrate what is going on in the company. For example, SMB detects ransomware and invalid log-on. If a user is located in the United States, or we expect a login in Russia, or Ukraine, or Kenya, it is very important for us because we can detect what application they are using there, or if a hacker is trying to log in by mobile or another device.

What is most valuable?

I have found its network traffic log, network bit log, and QBI most valuable.

We have a lot of domain controllers in QRadar tracking all the security. It is also useful for identity management.

What needs improvement?

In terms of where it could be improved, this includes its forensics, incident response, and security operation center features. Additionally, some also struggle with the rules. We need more features in order to create rules to detect or to meet some requirements for other areas, such as catching the event from other authentication tools, like in Okta, for example.

In some cases, I have issues because some tools are not integrated in QRadar, such as other tools similar to DLP (Data Loss Prevention). We need to create all the integrations manually because they are not integrated in QRadar. We have a problem, for example, because they have Symantec DLP integrated in QRadar, however, it is not working because it's not detected automatically. It is not converting all the columns, but we do have the option to create manually. This is not difficult because it's very clear in the procedures.

For how long have I used the solution?

I have been using IBM QRadar for seven years.

What do I think about the stability of the solution?

QRadar's stability is great because it is always live and is always catching and monitoring all the information that we need. When we need information, it is here in QRadar. 

In terms of maintenance of QRadar, my internet is secured by IBM.

What do I think about the scalability of the solution?

For me, the scalability is good.

At the moment, we have no more than 15 people working on QRadar. This includes analysts, forensics, internet response, and active directory.

How are customer service and technical support?

Tech support is good. Additionally, I can find all the information at IBM.

How was the initial setup?

In some cases, the system or the hardware do not meet the requirements to install one flow collector. Or the menu is not displayed. The menu has 10 options. If the CPU and memory are not enough, the menu shows only five or six options. But this information is not mentioned in the installation process. But it is not complex because the installation is very clear as long as we are meeting all the requirements for the CPU, memory, or the space.

The solution takes maybe four months because we have a lot of integrations.

What other advice do I have?

I would absolutely recommend QRadar because it has a lot of options to improve or detect some information.

On a scale of one to ten, I would give QRadar a 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
AK
Security Analyst at a tech services company with 51-200 employees
Real User
Well priced with information granularity, but has lousy tech support and provides false positives of attacks

Pros and Cons

  • "Most valuable features include the granularity of information."
  • "IBM technical support is always terrible."

What is most valuable?

Most valuable features include the granularity of information. Queries provide leads for finding information. We also deal with the Symantec team, which is a different one. 

What needs improvement?

The solution has definite room for improvement. There were certain bugs we had to deal with. Bigger issues involve the quantity of rules involved in its deployment. Also, false positives can be obtained and there is a need to fine tune the solution once every month or two until everything is correct. 

The stability and product support should also be addressed. 

When an offense occurs, the source IP will automatically provide a source username which is not correct. For reasons I don't understand, it uses the team or the name of the last user of the computer and this is not always accurate. This means that there are times that I obtain offenses that are ascribed to my boss and which serve him. The solution ensures that the host is vulnerable to another attack. The solution will estimate that the targeted host is vulnerable to certain attacks. 

Moreover, the solution may provide information of attacks that failed or that are irrelevant, such as vulnerabilities involving modems in which the target host is the Windows Server. This begs the question of why an offense that was and will always be blocked must be generated, such as that involving vulnerability from a modem. 

For how long have I used the solution?

I have been using IBM QRadar for five years. 

What do I think about the scalability of the solution?

When it comes to the scalability of the solution, it is possible to install many apps on top of IBM QRadar which can provide a host of views, such as those involving user behavior and analytics. There is no need to construct an SQL report, for example, as there are many free apps available which can be used to extend one's IBM QRadar functionalities. 

How are customer service and technical support?

:
IBM technical support is always terrible. I have much experience with IBM, dating back 25 years in IT. I worked with IBM as a partner for almost 10 years. The organization is so big that it cannot tell one person from another. One can send an email and then get transferred from one support person to another, needing with the need to reiterate the issue anew with each one. In France they go on vacation and there is no one to whom one can address his issue. They also have problems with directing and redirecting phone calls. 

I found myself in charge of all hardware issues involving IBM. Whenever we had a case with IBM which was escalated, I managed to resolve the issue before them. I would find a solution while they would still be making queries about some version. Sometimes I feel they are buying time. At other times, they start by enquiring about what I did in an attempt to resolve the issue. There are times that they insist on the purchase of a subscription as a condition of benefiting from high level support and at these moments I'm inclined to tell them that they should be paying me for this. 

How was the initial setup?

The initial setup is quite straitforward and not so difficult. 

What's my experience with pricing, setup cost, and licensing?

The pricing is always fine. 

What other advice do I have?

We use the solution with multiple customers on a daily basis. We have experience with its installation, configuration and use. 

I rate IBM QRadar as a six or seven out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Flag as inappropriate
Buyer's Guide
Download our free IBM QRadar Report and get advice and tips from experienced pros sharing their opinions.