CS engineer at AYACOM
Real User
Comes with a lot of predefined connectors and good correlation rules, but needs better reporting and doesn't have a SOAR system by default
Pros and Cons
  • "It has a lot of good correlation rules. From a customer's point of view, it is one of the best solutions because you don't need to create correlation rules from scratch. You just review them and customize them as you want."
  • "It doesn't have a SOAR system by default. You need to purchase it additionally, which is the main problem with QRadar."

What is our primary use case?

We are using mixed solutions. We are currently working with IBM solutions and Azure system services. We are using two SIEM solutions: Azure Sentinel and QRadar. Azure Sentinel is covering our cloud-based solutions, and QRadar is covering our on-premise solutions.

What is most valuable?

QRadar has a lot of connectors out of the box. It has a lot of predefined and pre-deployed connectors that you can use. 

It has a lot of good correlation rules. From a customer's point of view, it is one of the best solutions because you don't need to create correlation rules from scratch. You just review them and customize them as you want. 

It supports using SQL queries. Sentinel uses KQL, but you need to learn it from scratch.

What needs improvement?

It doesn't have a SOAR system by default. You need to purchase it additionally, which is the main problem with QRadar. 

Its reporting can be improved.

For how long have I used the solution?

I have been using this solution for approximately three years.

Buyer's Guide
IBM Security QRadar
March 2024
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is scalable. It works for small, medium, and large enterprises. You can have a huge SOC, and you can implement it in a big company. 

Our company has more than 5,000 assets, and we are covering them all with the QRadar system.

Which solution did I use previously and why did I switch?

We are using Azure Sentinel for our cloud-based solutions. The best functionality that you can get from Azure Sentinel is the SOAR capability. So, you can estimate any type of activity, such as when an alert was triggered or an incident was found.

Azure Sentinel doesn't have many connectors for third-party SIEM solutions. Many customers are struggling with the integration of Azure Sentinel with their on-premise SIEM.

If we start to collect all logs from our on-premise SIEM solutions, Azure Sentinel will cost much more than QRadar. If we calculate its cost over the next five or ten years, it will cost more than QRadar.

What's my experience with pricing, setup cost, and licensing?

You have a one-time payment, and you also can purchase it for one year as a subscription. We have it on-premise, and we have a permanent license for it. We have to pay for the support on a yearly basis.

If you compare its cost with Sentinel for one year, QRadar would seem more expensive, but if you compare its cost over five or ten years, Azure Sentinel will be more expensive than QRadar.

What other advice do I have?

I would recommend purchasing a cloud-based license subscription because it doesn't have any limits on the license. You can easily install it in a cloud environment. This cloud pack can be integrated with different types of SIEM solutions. So, you can use one management console to query all of the SIEM systems that you are managing. It is like having one window to manage your SOC. For example, a SOC can operate, manage, or provide services for different types of companies, and all these companies can have different types of SIEM solutions. With the cloud subscription of QRadar, you can cover all companies, which is good in my opinion.

I would recommend both QRadar and Azure Sentinel. It depends on the use case of a customer and the environment that they are using.

I would rate QRadar a seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
Cyber Security Specialist at a tech vendor with 10,001+ employees
Real User
Top 20
Good dashboard and helpful third-party plugins but technical support could be better
Pros and Cons
  • "There are other third-party plugins that we can use."
  • "The AQL queries could be better."

What is most valuable?

There is a Pulse dashboard that they have. From a reporting perspective, we'll be creating dashboards based on the pulse functionalities. 

There are other third-party plugins that we can use as well. We can initiate in the QRadar platform, however, Pulse is one of the most user-friendly options. 

Along with that, there are out the box rules and out the box dashboards that we have available to us. Mostly what we are concentrating on is creating the rules and fine-tuning the rules to align properly with the customer infrastructure depending upon the customer's requirements. Pulse, UEBA, and NBAD are the features that are the best. They are the most useful from a SOC manager perspective.

What needs improvement?

The AQL queries could be better. With the queries, there's an option for you to create dashboards based on the queries that they have. The documentation that is available for AQL queries is not well received. They could maybe look at how Microsoft is leveraging AQLs from a Sentinel perspective and create more documentation and training materials and make those more available to the general public.

They have to facilitate more learning opportunities. Microsoft has something called Playground where you have some sample logs and where you can learn how to work on all this stuff, however, there is nothing like that for IBM. They really could make it more generalized and accessible to the general analyst population.

Technical support should be improved.

For how long have I used the solution?

In terms of QRadar, I've used it for close to two years. I worked for a customer that is a managed security service provider. What we do is we will provide SOC as a service and QRadar. IBM is one of the partners that we have. Depending upon the customer considerations and customer preferences, we will either engage QRadar or Sentinel according to the customer preferences. Splunk and LogRhythm we also use on an as-needed basis. 

What do I think about the stability of the solution?

What they have claimed is 99.5% uptime. However, I'm not very sure whether there's an implementation problem or not. Sometimes the system gets hung and then we have to restart everything from the scratch. You have got these multi printing options, though not functionally. Sometimes it gets some jitters there. Sometimes there are cases where we are finding it very difficult to get into the system as there can be three or four people logging into the same platform at the same time and sometimes the reduces the speed a lot.

What do I think about the scalability of the solution?

From an architect implementation perspective, the role that I have played is very limited. I'm not very sure about scaling. I'm not in a position to comment on that part. That said, once everything is implemented, I've noted that it's not as scalable as Sentinel or Splunk on the cloud, for sure. That is the same for LogRhythm and QRadar. Obviously, cloud-hosted applications will be more scalable and more resilient.

How are customer service and support?

Technical support is something that has always been an issue for us. We have to raise a ticket and the products team will be available, however, depending upon the criticality, sometimes the support is not very easily accessible on weekends and on Friday evenings.

Which solution did I use previously and why did I switch?

I've also worked with Sentinel, Splunk, QRadar, and LogRhythm. 

How was the initial setup?

Compared to Sentinel, the initial setup is a bit complex. Depending upon whether you're going ahead with the cloud version or on-prem version, there is human involvement, however, normally everything is done by the platform engineer. I don't have to get my head into that part. Once everything is up and running, that is when we have to start working from our side. I'm sure it is more complex than a plug-and-play Sentinel, where connectors are easily available and just have to click, click and get things done.

The administration and maintenance would be two or three people depending upon the availability. I'm not very sure about troubleshooting. I'm coming at the solution from a user perspective. I'm more concerned with the rule fine-tuning and rule-building part. That kind of troubleshooting will be done with the platform team, which specializes in that. 

What's my experience with pricing, setup cost, and licensing?

Licensing is mostly dependent on the EPS, events per second. Depending upon the number of products that are integrated with the platform, we have to come to an optimal EPS value. I'm not very sure about the financials, however, the licensing cost cannot be as much as that for Sentinel, which is not very low. For customers who need medium EPS values, we advise QRadar.

The basic out the box cost covers, the EPS value that you have specified, and then some archiving maybe. It should include at least six months of archiving and other functionalities. Most of the customers will go for the standard package and we don't have to go for extra archival or enhanced DPS. 10% to 15% of DPS can always be increased. It will not completely shut down the system, however, it'll start sending us notifications that the DPS is getting increased and then we can go for a higher licensing.

What other advice do I have?

The version we use depends on when the customer is onboarded. Whenever recent onboarding takes place, we use the most up-to-date versions. However, there are customers that we have been facilitating for the past two or two and a half years and they might be using the previous versions. There are proper version upgrades that happen on a quarterly basis. 

I'd rate the solution seven out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
IBM Security QRadar
March 2024
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.
Manager SOC at a comms service provider with 10,001+ employees
Real User
A user-friendly solution that provides visibility across a range of use cases and comes with interesting features such as QNI
Pros and Cons
  • "The QNI feature is the one I am very interested in, and I have also been interested in Watson. From the log analysis and the security perspective, we are able to dive deep into any of the logs and anomalies."
  • "I have also been working with other SIEM solutions, and I have observed that they have extensive Linux-based and Unix-based integrations. They have been able to support some of the Linux-based agents, which is useful to investigate and process the information on the Linux and Unix side."

What is our primary use case?

I'm an administrator. I have been leading the security operation center for the past four years. I have more than 12 members or SOC analysts for our 24/7 operations. I have been pitching the solutions to multiple customers, and I have also designed, implemented, and administered customer projects and completed them at the specified timeline.

We have many use cases. The most common use cases are related to insights into any threats from the inside and outside. I have also configured X-Force with QRadar, and we are getting all the feeds showing malware-based IPs, etc. I also have designed some anomaly-based rules in case anyone has logged in from outside Pakistan. Most of the rules are custom-based.

What is most valuable?

The QNI feature is the one I am very interested in, and I have also been interested in Watson. From the log analysis and the security perspective, we are able to dive deep into any of the logs and anomalies.

It is user-friendly, and it is easy to develop. If you know the architecture, what to develop, and how to get the output for your results, you can easily work with it.

What needs improvement?

I have also been working with other SIEM solutions, and I have observed that they have extensive Linux-based and Unix-based integrations. They have been able to support some of the Linux-based agents, which is useful to investigate and process the information on the Linux and Unix side.

It could have pre-defined automation and integration of all those device parameters that analysts have to share manually.

What do I think about the stability of the solution?

It is stable.

How are customer service and support?

I would rate them a 3.5 out of 5.

How was the initial setup?

It is not very difficult. I have done more than 10 deployments, and I have integrated and developed custom applications. I have also developed a Python-based script to support me with the things that IBM cannot support. I am using that script from the health check perspective. It gives me a high-level and low-level overview of QRadar with respect to the rules that have been triggered and the notifications that have been generated and how to tune them.

What other advice do I have?

I would rate it an eight out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber Security Services Operations Manager at a aerospace/defense firm with 501-1,000 employees
Real User
Provides a single window into your network, SIEM, network flows, and risk management of your assets
Pros and Cons
  • "The most valuable thing about QRadar is that you have a single window into your network, SIEM, network flows, and risk management of your assets. If you use Splunk, for instance, then you still need a full packet capture solution, whereas the full packet capture solution is integrated within QRadar. Its application ecosystem makes it very powerful in terms of doing analysis."
  • "I'd like them to improve the offense. When QRadar detects something, it creates what it calls offenses. So, it has a rudimentary ticketing system inside of it. This is the same interface that was there when I started using it 12 years ago. It just has not been improved. They do allow integration with IBM Resilient, but IBM Resilient is grotesquely expensive. The most effective integration that IBM offers today is with IBM Resilient, which is an instant response platform. It is a very good platform, but it is very expensive. They really should do something with the offense handling because it is very difficult to scale, and it has limitations. The maximum number of offenses that it can carry is 16K. After 16K, you have to flush your offenses out. So, it is all or nothing. You lose all your offenses up until that point in time, and you don't have any history within the offense list of older events. If you're dealing with multiple customers, this becomes problematic. That's why you need to use another product to do the actual ticketing. If you wanted the ticket existence, you would normally interface with ServiceNow, SolarWinds, or some other product like that."

What is our primary use case?

We're a customer, partner, or reseller. We use QRadar on our own internal SOC. We are also a reseller of QRadar for some of the projects. So, we sell QRadar to customers, and we're also a partner because we have different models. We roll the product out to a customer as part of our service where we own it, but the customer is paying. We also do a full deployment that a customer owns. So, we are actually fulfilling all three roles.

What is most valuable?

The most valuable thing about QRadar is that you have a single window into your network, SIEM, network flows, and risk management of your assets. If you use Splunk, for instance, then you still need a full packet capture solution, whereas the full packet capture solution is integrated within QRadar. Its application ecosystem makes it very powerful in terms of doing analysis.

What needs improvement?

In terms of the GUI, they need to improve the consistency. It has been written by different teams at different times. So, when you go around the interface, you'll find a lot of inconsistencies in terms of the way it works.

I'd like them to improve the offense. When QRadar detects something, it creates what it calls offenses. So, it has a rudimentary ticketing system inside of it. This is the same interface that was there when I started using it 12 years ago. It just has not been improved. They do allow integration with IBM Resilient, but IBM Resilient is grotesquely expensive. The most effective integration that IBM offers today is with IBM Resilient, which is an instant response platform. It is a very good platform, but it is very expensive. They really should do something with the offense handling because it is very difficult to scale, and it has limitations. The maximum number of offenses that it can carry is 16K. After 16K, you have to flush your offenses out. So, it is all or nothing. You lose all your offenses up until that point in time, and you don't have any history within the offense list of older events. If you're dealing with multiple customers, this becomes problematic. That's why you need to use another product to do the actual ticketing. If you wanted the ticket existence, you would normally interface with ServiceNow, SolarWinds, or some other product like that. 

Their support should also be improved. Their support is very slow, and it is very difficult to find knowledgeable people within IBM.

Its price and licensing should be improved. It is overly expensive and overly complex in terms of licensing. 

For how long have I used the solution?

I have been using this solution for 12 years.

How are customer service and technical support?

Their support is very slow. it is very difficult to find knowledgeable people within IBM. I'm an expert in the use of QRadar, and I know the technical insights of QRadar very well, but it is sometimes very painful to deal with IBM's support and actually get them to do something. Their support is very difficult to work with for some customers.

Which solution did I use previously and why did I switch?

I work with Prelude, which is by a French company. It is a basic beginner's SIEM. If you never had a SIEM before and you wanted to experiment, this is where you would start, but it is probably that you would leave very quickly. I've also worked with ArcSight and Splunk.

My recommendation would depend upon your technical appetite or your technical capability. QRadar is essentially a Linux-based Red Hat appliance. Unfortunately, you still need some Linux knowledge to work with this effectively. Not everything is through the GUI. 

Comparing it with Splunk, in terms of licensing, IBM's model is simpler than Splunk's model. Splunk has two models. One is volume metrics, so you pay for the number of bytes that are transmitted daily. The other one is based upon the number of events per second, which they introduced relatively recently. Splunk can be more expensive than QRadar when you start to get into adding what they call indexes. So, basically, you create specific indexes to hold, for instance, logs related to Cisco. This is implicit within QRadar, and it is designed that way, but within Splunk, if you want to get that performance and you have large volumes of logs, you need to create indexes. This is where the cost of Splunk can escalate.

How was the initial setup?

Installing QRadar is very simple. You insert a DVD, boot the system, and it runs the installation after asking you a few questions. It runs pretty much automatically, and then you're up and going. From an installation point of view, it is very easy.

The only thing that you have to get right before you do the installation is your architecture because it has event collectors, event processes, flow collectors, flow processes, and a number of other components. You need to understand where they should be placed. If you want more storage, then you need to place data nodes on the ends of the processes. All this is something that you need to have in mind when you design and deploy.

What's my experience with pricing, setup cost, and licensing?

It is overly expensive and overly complex in terms of licensing. They have many different appliances, which makes it extremely difficult to choose the technology. It is very difficult to choose the technology or QRadar components that you should be deploying. 

They have improved some of it in the last few years. They have made it slightly easy with the fact that you can now buy virtual versions of all the appliances, which is good, but it is still very fragmented. For instance, on some of the smaller appliances, there is no upgrade path. So, if you exceed the capacity of the appliance, you have to buy a bigger appliance, which is not helpful because it is quite a major cost. If you want to add more disks to the system, they'll say that you can't. If they ship a disk with 2 terabytes that the older appliances have, and you say to them that you can commercially get 10 terabyte disks, they will say this is not possible, even though there is no technical reason why it cannot be done. So, they're not very flexible from that point of view. For IBM, it is good because you basically have to buy new appliances, but from a customer's point of view, it is a very expensive investment.

What other advice do I have?

Make sure that you have the buy-in from different teams in the company because you will need help from the network teams. You will potentially need help from IT. 

You need to have a strategy of how you onboard logs into SIEM. Do you take a risk-based approach or do you onboard everything? You should take the time to understand the architecture and the implications of design choices. For instance, QRadar Components communicate with each other using SSH tunnels. The normal practice in security is that if I put a device in a DMZ, then communication between the device on the normal network, which is a higher security zone, and the DMZ, which is a lower security zone, will be initiated from the high-security zone. You would not expect the device in the DMZ to initiate communication back into the normal network. In the case of QRadar, if you put your processes in the DMZ, then it has to communicate with the console, which means that you have to allow the processor to communicate. This has consequences. If you have remote sites or you plan to use cloud-based processes, collectors, etc, and have an internal console, the same communication channels have to exist. So, it requires some careful planning. That's the main thing.

I would rate QRadar an eight out of 10 as compared to other products.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Abbasi Poonawala - PeerSpot reviewer
Chief Enterprise Architect at a financial services firm with 10,001+ employees
Real User
Top 5Leaderboard
It has good integrations, easy scalability, and strong technical support, but needs better pricing and more AI features
Pros and Cons
  • "Integrations are quite a useful and key feature of this solution. It has integration with the CVSS score, which is a central point for all the data and scores about the threats. There is an IBM Bluemix dashboard that is integrated with the CVSS score."
  • "I don't look at only the features and benefits; I also look at the price. It is a bit expensive when compared with other solutions. It is expensive for specific deployment topologies, and the decision-makers go for alternatives like ArcSight. It should also have more AI features or capabilities for better threat intelligence. The more it uses machine learning, the better would be the dashboard, analytics, and other things."

What is our primary use case?

It is used to dive deep into threat analysis. It is a SIEM solution that can be hooked up with some of the endpoint security or threat discovery solutions such as Forescout, Qualys, Sophos, and MDM. After the endpoint security or threat discovery solution discovers the threat, QRadar takes it further from that point onwards and allows you to go deep into the threat analysis. It has a lot of integrations, such as with CMDB, and it can do the asset classification. It can also tell the CVSS score. These are the capabilities or use cases. 

What is most valuable?

Integrations are quite a useful and key feature of this solution. It has integration with the CVSS score, which is a central point for all the data and scores about the threats. There is an IBM Bluemix dashboard that is integrated with the CVSS score.

What needs improvement?

I don't look at only the features and benefits; I also look at the price. It is a bit expensive when compared with other solutions. It is expensive for specific deployment topologies, and the decision-makers go for alternatives like ArcSight. 

It should also have more AI features or capabilities for better threat intelligence. The more it uses machine learning, the better would be the dashboard, analytics, and other things.

For how long have I used the solution?

I have been using this solution for five years. 

What do I think about the scalability of the solution?

You can scale it easily in the cloud with a given deployment topology. We have somewhere around 50 plus users.

How are customer service and technical support?

IBM is very strong on the technical support side. They have proper support available across different regions. After the implementation is done, the admin within the organization is in touch with IBM technical support for any day-to-day support requirements.

Which solution did I use previously and why did I switch?

We have been switching for some time between Micro Focus ArcSight and IBM QRadar.

How was the initial setup?

For cloud deployment, you need to go for IBM Bluemix Cloud, and you can deploy easily on a private cloud. You create the stack and use the Bluemix Cloud formation template. If you have the IBM Bluemix Cloud subscription, you can deploy it easily within maybe half a day or one day. You can create all the resources by using the Bluemix Cloud formation template.

For deployment, you need a small team of two or three because it just needs the team to provision the resources on the IBM Bluemix Cloud. For support, we need a bigger team of around 10 plus people.

What's my experience with pricing, setup cost, and licensing?

It is costlier as compared to the other alternatives available in the market.

What other advice do I have?

I would definitely recommend this solution. It is a good solution with good capabilities like integration with CMDB and CVSS score. The dashboard is also really nice. It can help with threat intelligence, and it also has artificial intelligence. It is a futuristic kind of technology because the more AI-driven a product is, the better are the results. We plan to keep using this solution.

I would rate IBM QRadar a seven out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user634773 - PeerSpot reviewer
Senior Security Analyst at The Hartford
Real User
The organizational value we derive from it is that it helps us track down where we have problems.

What is most valuable?

The most valuable feature for us is probably the intelligence we get out of the product.

How has it helped my organization?

The organizational value we derive from it is that it helps us track down where we have problems.

What needs improvement?

We appreciate ease of use in the product, so I suppose they could bring the cost down. I haven't really thought about possible improvements. They've added a lot of good features to the apps. I'm still exploring those and there are a lot of good features there.

For how long have I used the solution?

I have used the solution for about 15 years.

What do I think about the stability of the solution?

Overall I'd say the stability is pretty good. I have noticed some issues with the patch and updates recently, especially version 72A. There have been some problems where a patch would come out and a few days later another patch would have to come out to fix issues that weren't encountered so that's caused some issues for us.

What do I think about the scalability of the solution?

Scalability is good.

How is customer service and technical support?

The initial technical support to call is less than adequate. I usually know more than the level one or level two, again because I've been a customer for 15 years. I worked with the original QRadar guys to help develop their SIEM solutions so I know quite a bit about it. Usually when we call in it's a real problem because we fix most of our own problems.

How was the initial setup?

Fifteen years ago it was very complex because of the linking of different flow collectors. Being processed together, upgrading them was painful. That part has improved greatly as you can just put the update process in the console and push Yes. That's a lot better.

What other advice do I have?

It's a great product. They're obviously an industry leader right now in this field, if you're looking for SIEM, I would recommend it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Head of Cybersecurity at a computer software company with 51-200 employees
Real User
Top 10
A highly scalable and stable tool with a responsive support team
Pros and Cons
  • "Stability-wise, I rate the solution a ten out of ten."
  • "The price of IBM Security QRadar is an area of concern where improvements are required."

What is our primary use case?

I use IBM Security QRadar in my company as it provides features like SIEM, SOAR, and QNI.

What is most valuable?

The most valuable feature of IBM Security QRadar stems from the fact that it is a product that is like a complete suite.

What needs improvement?

The price of IBM Security QRadar is an area of concern where improvements are required. IBM is never known to provide products at a cheap price.

IBM Security QRadar's UI is an area with certain shortcomings where improvements are needed.

In the future, I would like IBM Security QRadar to have a library of adapters or APIs.

The area around recovery time is an aspect of IBM's technical support where improvements are required.

For how long have I used the solution?

I have been using IBM Security QRadar for more than a year. I use the solution's latest version. My company is in the process of being declared as a golden partner of IBM.

What do I think about the stability of the solution?

It is a stable solution. Stability-wise, I rate the solution a ten out of ten.

What do I think about the scalability of the solution?

It is a scalable solution. Scalability-wise, I rate the solution a ten out of ten.

My company currently deals with around four to five organizations comprising medium to large companies where IBM Security QRadar is used.

How are customer service and support?

The solution's technical support is responsive. The only area where I don't agree with IBM Security QRadar's technical support stems from the lack of proper or defined recovery time, even though their response time is good.

I rate the technical support a seven out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have experience with Splunk. My company deals with Splunk since we had no choice owing to the fact that one or two customers wanted it.

In the past, I was using open-source products, including solutions like Elastic Security and Wazuh.

My company decided to switch from Wazuh to IBM Security QRadar.

How was the initial setup?

The product's deployment phase can be described as an average one.

I rate the deployment process of IBM Security QRadar a seven on a scale of one to ten, where one is difficult, and ten is easy.

The solution is deployed on an on-premises model.

What's my experience with pricing, setup cost, and licensing?

On a scale of one to ten, I rate the price a one, where one is an extremely expensive product, and ten is a cheap product. IBM Security QRadar is an expensive product. A customer gets discounts only when they ask for them from IBM.

The challenge is that if someone submits a request or proposal and finds that the prices of the products our company deals with are too high, we may not even be shortlisted for negotiations. If my company gets shortlisted for the next round, then we get questioned over the high prices.

What other advice do I have?

My company takes care of the maintenance part of the solution for our clients who use IBM Security QRadar in their environments. Nine engineers and one manager take care of the maintenance process of IBM Security QRadar. My company has a lot of certified employees to take care of IBM Security QRadar's maintenance. My company can be considered a powerhouse when it comes to products from IBM.

I recommend the solution to those who plan to use it.

Splunk and IBM are leaders as per Gartner Magic Quadrant. I believe that IBM Security QRadar should be fairly priced for SMEs.

I rate the overall tool an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
Flag as inappropriate
PeerSpot user
Senior Cyber Security Engineer at a logistics company with 10,001+ employees
Real User
It's built around Red Hat Linux, which is highly robust
Pros and Cons
  • "It's built around Red Hat Linux, which is highly robust."
  • "I would also like to see more integration with other vendors. IBM doesn't integrate well with products from China, like Huawei. Many Middle Eastern customers are switching to Huawei from American vendors like Cisco because of the price. In most RFPs, Huawei wins because it costs less."

What needs improvement?

When it sends the log source, QRadar generates a lot of noise and false positives. LogRhythm logs when the alarm rules are disabled, so it doesn't generate any noise when sending the log source. I think LogRhythm's one, this one too. QRadar, we have to cure it all the time. It's only this advantage with QRadar.

I would also like to see more integration with other vendors. IBM doesn't integrate well with products from China, like Huawei. Many Middle Eastern customers are switching to Huawei from American vendors like Cisco because of the price. In most RFPs, Huawei wins because it costs less. 

IBM needs to integrate better with Huawei. I opened one case with IBM, and they told me to submit a request for enhancement so they could write the correct DSMs to integrate with Huawei. We were very disappointed. Customers who want to implement QRadar or LogRhythm need to consider all the other components. The environment needs to be homogenous to avoid problems due to a lack of integration.

For how long have I used the solution?

My old company used QRadar, so I still use it sometimes when I consult for them. They get stuck on a few things. I also worked on vulnerability discovery. Right now, my current customers are migrating from QRadar to LogRhythm.

What do I think about the stability of the solution?

QRadar is built around Red Hat Linux, which is highly robust.

How are customer service and support?

IBM's support for QRadar could be improved. Sometimes it takes them two days to reply to a low-priority case. However, it tasks them about 1.5 hours to respond to a more serious case. Sometimes our customer service will think it's a priority one case, so he asks me to open it as priority one, then IBM reduces it to two or three. 

We don't have any security appliances from Huawei, but they have the best technical support. We have engineers everywhere with CRM, and they call you after the problem is resolved. IBM closes the case, and that's it. It's a very restricted environment. 

What's my experience with pricing, setup cost, and licensing?

QRadar is reasonable compared to LogRhythm.

What other advice do I have?

I rate IBM QRadar nine out of 10. If you're going to use QRadar, you have to be familiar with it and know all the components. IBM offers free appliances, like data nodes, that offload many processes from the collectors and the processors. 

Every engineer must understand the overall portfolio to add some value to the solutions. If a solution isn't integrated with other solutions, they are only collectors. You need to tune the rules and be up to date with the Mitre Att&ck framework all the time.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free IBM Security QRadar Report and get advice and tips from experienced pros sharing their opinions.
Updated: March 2024
Buyer's Guide
Download our free IBM Security QRadar Report and get advice and tips from experienced pros sharing their opinions.