IBM QRadar Overview

IBM QRadar is the #2 ranked solution in our list of Log Management Software. It is most often compared to Splunk.

What is IBM QRadar?

The IBM QRadar security and analytics platform is a lead offering in IBM Security's portfolio. This family of products provides a consolidated, flexible architecture that lets security teams quickly adopt log management, SIEM, user behavior analytics, incident forensics, threat intelligence, and more. As an integrated analytics platform, QRadar streamlines these capabilities into a common workflow, complemented by the IBM Security App Exchange ecosystem and the Watson for Cyber Security cognitive capability.

With QRadar, you can decrease your overall cost of ownership through improved threat detection, choose between on-premise and cloud deployment, and optionally add managed security monitoring services.

IBM QRadar is also known as QRadar SIEM, QRadar UBA, QRadar on Cloud, QRadar.

IBM QRadar Buyer's Guide

Download the IBM QRadar Buyer's Guide including reviews and more. Updated: June 2021

IBM QRadar Customers

Clients across multiple industries, such as energy, financial, retail, healthcare, government, communications, and education use QRadar.


General Manager at New System Engineering
Real User
A straightforward solution that minimizes the number of false positive errors

What is our primary use case?

We are a partner and provide this solution to our customers.

Pros and Cons

  • "It is a very optimized engine."
  • "It is very difficult to activate all of the network equipment, and it would help if it were made easier."

What other advice do I have?

I would recommend this product. It is very simple to install, and not a complicated solution. IBM supplies regular software updates. I would rate this solution an eight out of ten.
Marketing Director at an aerospace/defense firm with 1-10 employees
Real User
Enables us to collect information from different devices, detect, and analyze various threats or attacks to protect our system

What is our primary use case?

We don't have a business relationship with IBM QRadar, our relationship is a customer relationship. We use IBM QRadar as our primary security solution.

Pros and Cons

  • "Vulnerability detection is the most valuable feature. It's the tool that finds the threats."
  • "The tool is very complicated. One place for improvement would be to have a more user-friendly interface. Having better support in Spanish would be cool."

What other advice do I have?

This kind of solution is essential. The communication network functions very well. On a scale of one to 10, ten being the best, I would give this product a rating of nine.
Cyber Security Specialist at AEC
Real User
Alerts and correlates the aggregate events or offenses we receive through all the applications we use

What is our primary use case?

We are a reseller of this solution. We have numerous use cases, all dependent on the needs of our customers.

Pros and Cons

  • "IBM QRadar has improved my organization by introducing many functions. It collects logs from all of our systems in the organization and has functioned very well. It alerts and correlates the aggregate events or offenses we receive through all the applications we use."
  • "There is one problem with QRadar in regards to the add-on apps. The apps can be frustrating. For example, when I add a big app like one of the add-ons for resiliency, add-on applications for QRadar, these applications require different hardware to implement and to deploy. The resiliency connector, because there's a considerable amount of data scanning, operates for these apps correctly."

What other advice do I have?

The solution functions very well. It is amazing but there are some bugs with it. The unknown bugs can just come up with the adaptor with the data stored in QRadar. On a scale from one to 10, ten being the best, I would rate this product an eight out of 10.
Technical Consultant at Activedge Technologies
Consultant
Enhances Security Through Vulnerability Management and Increased Visibility

What is our primary use case?

I'm the technical consultant here at ActivEdge Technologies. Our primary use case for this solution is for Security Intelligence and Event Monitoring (SIEM). We provide protection services models for an organization's networks through a sophisticated technology which permits a proactive security posture. We have a business relationship with IBM QRadar as well as being a partner. We are a partner and we also use this feature. It's an integrated solution. We design it to be compatible with our client's network devices to maintain real-time monitoring through a centralized console. Our clients…

Pros and Cons

  • "The most valuable features would have to be the products' ability to customize vulnerability management settings."
  • "There could be improvements made to the UI, the user interface. Though the newer version, 7.3.2, might already have this improvement in place."

What other advice do I have?

I think this product adds significant value to organizations seeking a scalable, security integration tool. It does a great job of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. It's a good solution. On a scale of 1 - 10, 10 being the best, I give this product a rating of 9.
Program Manager at a tech services company
Real User
Highly customizable and provides a single dashboard for global device monitoring

What is our primary use case?

Our primary use case for this solution is compliance.

Pros and Cons

  • "There is a single dashboard that gives us a complete overview of what is happening around the globe."
  • "Ideally we would like a mobile version so that any alert that comes in will notify us in a mobile app, or by using SMS integration."

What other advice do I have?

I would rate this solution eight and a half out of ten.
Sr. Security Engineer at OmnitechIT
Real User
Stable security both in-house and for our customers

What is our primary use case?

Our primary use case for this solution is for the management of our security services and our NOC (Network Operations Center) services.

How has it helped my organization?

In addition to using this solution for our security operations center, we are using it for our other customers.

What needs improvement?

It needs more resilience and functionality. 

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

My impression of the stability is that it is good.

What do I think about the scalability of the solution?

The scalability is good. Internally we have many customers, but we offer this as a specific consultancy service. I do not know with certainty the number of users for this product…
Senior Associate Consultant at Skill Orbit (Pvt.) Ltd.
Consultant
Alerts us about events in our network environment and has superb functionality

What is our primary use case?

We are partners with IBM. We do simulations for our clients. Then we resolve the issue that they're facing using IBM QRadar.

Pros and Cons

  • "IBM QRadar is easy to scale, it doesn't affect the environment. In our office, we have around 40 - 50 users, but our clients have more users on their networks. Our organization has staff in the software department that manages IBM QRadar for us."
  • "The quoting and the dashboard session could be improved. It should be more user-friendly."

What other advice do I have?

I would recommend IBM QRadar because of the security features and the organization. I can recommend the security. Security is nowadays an essential part of IBM QRadar. IBM QRadar is probably the best possible solution in the market. I would rate it an eight out of 10.
Cybersecurity Practice Lead at a tech services company with 201-500 employees
Real User
Enables us to handle the most critical attacks and integrates well with other solutions

What is our primary use case?

We are using it for SIEM, for Security Information and Event Management. We're gathering the logs and doing analytics on how we are going to react to security incidents.

Pros and Cons

  • "One of the most valuable features is its ability to integrate with other solutions. IBM has a lot of solutions and we have managed to make it work with IBM BigFix and MaaS360, and even Microsoft."
  • "In terms of additional features, a mobile app would be nice. Also, the reporting is definitely okay, but you have to make sure that everybody with different roles can understand it. There is room for improvement in the reporting."

What other advice do I have?

My advice is to take your time. It depends on your network, on what you want to gather information from. Make sure that the networking and the cybersecurity teams are working towards a common goal. The solution is very much worth it. You can gather all the information that you need as long as you know first what you need. This solution is mainly for the Security Operations Center, so there are just three or four users. But it's one of the key tools for us to identify threats and attacks. The users are security operations analysts and threat hunters. In our case, deployment and maintenance…
Vulnerability Manager at a tech services company with 51-200 employees
Reseller
Scanning by the Vulnerability Manager and alert-generation are key features for us

What is our primary use case?

Our primary use case is to get logs mainly from firewalls, although you can also get logs from anything that can forward syslogs. We use it to sort events.

Pros and Cons

  • "The most valuable feature is the QRadar Vulnerability Manager which provides vulnerability scans. In addition, I like the way QRadar generates alerts."
  • "It would be good if the program allowed certain profiles to only see certain customer information."

What other advice do I have?

QRadar, as a product, might be very straightforward, but to fully understand the product you would need to go for the QRadar training. IBM's training for QRadar is very expensive but it really helps you use the product to its full potential. Before I went to the training, I only used about ten percent of its capability. I would recommend going for the training on the product. In terms of the number of users, it's not users logging in every day and doing stuff on QRadar. It's a handful of people from the team monitoring QRadar. We could be managing, for example, 50 or 70 customers through one…
Senior Analyst at a tech services company with 201-500 employees
Real User
We can add anything to it, as it is a good companion to other tools

What is our primary use case?

The primary use case is for insurance and product manufacturing. We use it to create rules and Windows firewalls.

Pros and Cons

  • "It integrates very easily with other solutions. The solution is flexible. We can add anything to it, as it is a good companion to other tools."
  • "It's user-friendly when compared to other products."
  • "They should introduce some automation into the product."
  • "There was some complexity in the initial setup due to bandwidth issues."
Senior Information Security Analyst at a financial services firm with 501-1,000 employees
Real User
Helps us to discover any threats with their alerts and tracking

Pros and Cons

  • "It helps us discover any threats with their alerts and tracking."
  • "The only challenge is that IBM has been a closed enterprise. It should be more open to integrating with other providers at an enterprise level. We're a bank and the core banking system integration is not straightforward and there is no integration between IBM and these products. If IBM could open up and provide a way of integrating it seamlessly, without charging more for it, that would make a big difference."

What other advice do I have?

I would advise someone considering this solution to write down your use cases and evaluate them with the vendor. Evaluate the best solution based on your use cases because you are the ones who are going to use it. The vendor will try and implement and leave you with your problems. If the solution meets your requirements and solves most of your problems, you're good to go. QRadar is the best solution we have. The only challenge is that IBM has been a closed enterprise. It should be more open to integrating with other providers at an enterprise level. We're a bank and the core banking system…
IT Security and Business Development Manager at a tech services company with 51-200 employees
Real User
Enables us to ensure that the data being transferred from one company to another is done securely but it needs better cloud security

What is our primary use case?

Our primary use case is for the security. We use it to make sure that the data that is being transferred from one company to the other is being done securely.

Pros and Cons

  • "The support is very good. We get support whenever we need it. Sometimes they respond immediately and sometimes it will be within 24 hours. We can ask them to please do it right away and they can get a request done within an hour or two."
  • "Before we didn't have any security issues but recently a few of the user emails were hacked. We had to actually recreate their emails for them."

What other advice do I have?

I would advise someone considering this solution to evaluate several solutions, compare them, and if there is an option for customization check with the solution provider, and then go for it. I would rate it a seven out of ten. It's a good solution, we've used it for a long time, but then there are a few issues with security.
Senior Cybersecurity Consultant at CIA Botswana
Reseller
Enables our clients to detect threats and vulnerabilities in real time

What is our primary use case?

Our primary use case is for security analytics. We do investigation and security analytics, so we collect events and after collecting events we give positive security analytics to clients.

Pros and Cons

  • "Most of our clients are interested in automation. The automation part is good because they are able to detect threats and vulnerabilities in real time. It's very fast."
  • "The API integration for AD is a problem when it comes to vulnerability management. If you want to incorporate multiple factor authentication it becomes a problem with the AD. It doesn't integrate well. That needs to be improved."

What other advice do I have?

I would rate it an eight out of ten. Not a ten because the configuration part of it should be easier. They tried to integrate everything together to be all in one, but it's not easy to configure.
Security Consultant at Varutra Consulting
Consultant
The product is easy to use, but it needs a comprehensive PDF user guide

What is our primary use case?

We use it to detect security incidents.

Pros and Cons

  • "The stability is good."
  • "The scalability is good."
  • "I would suggest QRadar release any documentation or give an online demo, like videos on YouTube. It would increase publicity and public appeal."
Senior Security Engineer at dig8labs
Real User
Custom parsing tool makes customization easy, and UI is friendly

Pros and Cons

  • "The most valuable feature is the DSM Editor. The custom parsing tool is very nice, outstanding."
  • "The product is good, but one feature they should have is an Elasticsearch. Currently, in QRadar, there are no Elasticsearch criteria."

What other advice do I have?

Overall, it's much better than other products. In terms of increasing its usage, I have suggested to my organization that it tell customers to use it, its capacity and capabilities, with other tools like Watson.
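The DSM Editor the reviewer above praises does one specific job: it maps regex captures taken from a raw log line onto QRadar's normalized event properties (source IP, destination IP, username, event name) so that rules and searches work the same way regardless of which device produced the line. The Python below is an added example, not code from this page or from IBM, that reproduces that step for two constructed log formats (a Linux netfilter-style deny and an sshd authentication failure) plus one line no pattern covers. The log-source names, event names and sample lines are assumptions chosen for illustration.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample lines (assumed formats, not real device output):
# a Linux netfilter-style deny, an sshd failure, and a line no pattern covers.
SAMPLE_LINES = [
    "<134>Jun 12 10:01:07 fw01 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=445",
    "<38>Jun 12 10:01:09 bastion sshd[2211]: Failed password for invalid user admin "
    "from 198.51.100.9 port 51234 ssh2",
    "<13>Jun 12 10:01:10 app01 myapp: heartbeat ok",
]

# Anchored syslog header shared by both formats: priority, timestamp, host.
SYSLOG_HEAD = r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "

# Each tuple stands in for one log-source extension: the source type, the
# normalized event name, and an anchored regex whose named groups map onto
# normalized properties (the same idea as DSM Editor property expressions).
PATTERNS = [
    ("linux-firewall", "Firewall Deny", re.compile(
        SYSLOG_HEAD + r"kernel: DENY .*?SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+) "
        r"PROTO=(?P<proto>\w+) DPT=(?P<dst_port>\d+)")),
    ("linux-sshd", "SSH Login Failure", re.compile(
        SYSLOG_HEAD + r"sshd\[\d+\]: Failed password for (?:invalid user )?"
        r"(?P<username>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
]


def _ip(value: Optional[str]) -> Optional[str]:
    """Return a canonical IP string, or None when the capture is not an address."""
    try:
        return str(ipaddress.ip_address(value or ""))
    except ValueError:
        return None


def parse_event(line: str) -> dict:
    """Normalize one raw line; unmatched lines are kept as 'Unknown', not dropped."""
    for log_source, event_name, pattern in PATTERNS:
        m = pattern.match(line)
        if not m:
            continue
        g = m.groupdict()
        return {
            "log_source": log_source,
            "event_name": event_name,
            "host": g["host"],
            "src_ip": _ip(g.get("src_ip")),
            "dst_ip": _ip(g.get("dst_ip")),
            "dst_port": int(g["dst_port"]) if g.get("dst_port") else None,
            "username": g.get("username"),
            "raw": line,
        }
    return {"log_source": None, "event_name": "Unknown", "host": None,
            "src_ip": None, "dst_ip": None, "dst_port": None,
            "username": None, "raw": line}


def parse_all(lines):
    """Normalize a batch of raw lines in order."""
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(ev["event_name"], ev["log_source"], ev["src_ip"], ev["dst_ip"], ev["username"])
```

Two habits from this block carry over to real DSM work: anchor every expression at the start of the line so a crafted payload later in the message cannot satisfy a pattern meant for a different source, and validate address captures with the `ipaddress` module so a non-address token never becomes an offense source. Lines that match nothing are retained with an `Unknown` event name rather than discarded, which is what you want from a SIEM when a new device type appears before its parser does.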
Senior Server Security Engineer
Reseller
Has great scalability, if you use APS 25 GPS license you can change to 3000 EPS anytime

What is our primary use case?

Our primary use case of this solution is to identify threats.

Pros and Cons

  • "IBM has everything you need in a cybersecurity solution. If you want to build a cybersecurity operation center version then I think QRadar is a perfect solution."
  • "I think QRadar is very complex. It's a distributed system and IBM QRadar has an all-in-one solution which is not like that distributed solution but it's a good product. IBM needs to consider the user interface because if we compare it with AlienVault, the AlienVault user interface is fantastic but the IBM QRadar user interface is very complex. They should focus on how to make it easier for the client."

What other advice do I have?

I would rate it an eight out of ten. Not a ten because of the complex interface.
Security Consultant at a tech services company with 11-50 employees
Consultant
Easy to use and helps me analyze incidents that occur

What is our primary use case?

I use it to analyze incidents. 

What is most valuable?

I like the API and it's easy to use. 

What needs improvement?

They should provide more manual examples online so that I can learn it myself. The dashboard also needs improvement. 

For how long have I used the solution?

More than five years.

How was the initial setup?

We require eight staff members for the maintenance. 

What's my experience with pricing, setup cost, and licensing?

It's too expensive. 

What other advice do I have?

I would rate it an eight out of ten. 
Senior Field Manager at a tech services company
Reseller
Good scalability and straightforward setup, all in all, a good solution

What is our primary use case?

It is a requirement for all of the banks to have a security solution in Pakistan. That is the reason most of the banks are using it. In the last one and a half years, Pakistani companies have been taking security very seriously, so for that reason, they evaluate these solutions. All in all, it's a good solution.

What needs improvement?

I would like for them to develop a detection management solution. It does not have a detection management solution in it, you have to buy it as it is, on top of the extended solution. 

What do I think about the scalability of the solution?

It's quite scalable. We have upgraded some solutions from 1000 APS up to 3500 APS to 5000 APS. It's a good solution, they have no scalability issues.

How was the initial setup?

The…
Senior Information Security Analyst at a tech services company with 501-1,000 employees
Real User
Enables us to add extensions that provide valuable test ports but is not the best solution on the market

What is our primary use case?

Our primary use case of this solution is for our customer's operations.

Pros and Cons

  • "The ability to add extensions is the most valuable feature. For example, extensions that provide valuable test ports."
  • "Their technical support is not good. We opened a lot of cases and from my experience, they are not complicated issues but it takes forever to get an answer."

What other advice do I have?

I would rate this solution a six out of ten.
Managing Director at a tech services company with 1,001-5,000 employees
Real User
It is really helpful to us from the compliance point of view.

What is our primary use case?

The primary use case for us is the plug and play implementation and it is pretty easy to set it up, and scale up the SIEM. It has a kind of a functionality to it.

Pros and Cons

  • "It is really helpful to us from the compliance point of view."
  • "The initial setup is not complex or difficult."
  • "The tech support is not that good."

What other advice do I have?

If you are a medium to large size enterprise, you can surely consider IBM as one of the major contenders for your selection. If you are a small enterprise, QRadar may be too much for you, it may be too complex. When deciding on a solution, we always consider:
  • Cost-benefit
  • Shelf-life of the solution
  • Security of the solution
Senior Security Architect at a tech services company with 10,001+ employees
Real User
Has somewhat of a new structure recently compared to the last gen. They have moved from the standard UI based infrastructure.

What is our primary use case?

My primary use case is for security monitoring. We activated freeze, proxy and firewalls and we collect data from them. We receive alerts and customize that according to our customer environments.

Pros and Cons

  • "QRadar has somewhat of a new structure recently from last gen. They have moved from the standard UI based infrastructure."
  • "It has improved my efficiency."
  • "The Indian tech support is not helpful."
  • "It is not app based."

What other advice do I have?

There are new things that are coming up in QRadar, such as AI to IBM Watson. This is going to create a huge impact in these types of solutions, because we don't have an artificial intelligence coming in. There are other tools that have artificial intelligence, but IBM QRadar getting integrated with artificial intelligence is the next step. It should be noted that the QRadar type products are actually changing their strategy. They will move on to the next stage that is called "Threat Hunting." Instead of waiting for some attack to happen and getting an alert, the new solutions will try to find…
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Consultant
It is not a user-friendly program.

What is our primary use case?

My primary use case for this solution is to monitor security events in our cloud environment.

Pros and Cons

  • "A nice benefit is when we go through the process of selecting our use cases, they go by building blocks. QRadar links it to building blocks."
  • "The initial setup was complex, and it took six months."
  • "QRadar needs a lot of fine tuning."
Cloud Security Architect at Nordcloud Oy
Vendor
It's a state-of-the-art product for security information and event management

What is our primary use case?

It is under a non-disclosure agreement (NDA).

Pros and Cons

  • "It's a state-of-the-art product for security information and event management (SIEM)."
  • "There are a lot of great out-of-the-box features included."
  • "The quality of technical support depends on the IBM support person. Sometimes, it's hard to get the right person on the other side. A ticket coordinator could be the key to better quality delivery."
  • "The released patch quality is poor. IBM should test those patches on their side, not on the client's side."

What other advice do I have?

I highly recommend this product.
General Manager at Global Solutions Services
User
Log correlation is very useful for processing alerts

What is our primary use case?

  • CRM and billing system
  • 100 multiple-technology servers: Windows AD, Linux, HP-UX, etc.
  • 40 firewalls
  • Multiple routers
  • Cisco Nexus switches

How has it helped my organization?

Log correlation is very useful for processing alerts. It serves to follow up alerts in real-time, building an entire workflow.

What is most valuable?

  • DSM parsing
  • Log correlation
  • X-Force connectivity
  • Ease of DSM customisation
  • Multiple reports

What needs improvement?

  • Data encryption
  • Flow encryption
  • Third-party compliance
Its architecture is very complicated. Its hardware is Lenovo-based.

For how long have I used the solution?

Three to five years.
Software Trainee at a tech services company with 1,001-5,000 employees
Consultant
Senses, tracks, and links significant incidents and threats

What is most valuable?

Almost every feature is useful. In particular:
  • Sense and detect fraud, both insider and advanced threats.
  • Sense, track, and link significant incidents and threats.

What needs improvement?

The tool is already automated in many ways, but there are some additional functions which should be automated, like sending an email, mobile notification, and integration of XFS.

For how long have I used the solution?

Less than one year.

What other advice do I have?

Overall, I love this product.
Director of Market Enabling Solutions at Raksha Technologies Pvt Ltd
Reseller
In one single pane of glass, we can see all the issues. Though, the architecture could be improved.

What is our primary use case?

Its primary use case is for people who want to manage all of their logs with analytics and correlate that between different security devices whose logs are related. This solution is performing well.

Pros and Cons

  • "On the back-end, Watson helps me figure out an exact problem, sometimes giving me the result."
  • "It saves a lot of time. We integrate the customer's firewall with all their networking devices."
  • "This console gives you the entire view, which makes life easier and allows you to take precautionary measures."
  • "The architecture could be improved. I got stuck for a long time trying to understand the architecture, as it is quite challenging."

What other advice do I have?

I would rate it a seven out of 10. I have had some challenges integrating this solution. Each organization is looking for security. If you have a SIEM tool, you can integrate it with all of your security devices, and get all your security logs. This console gives you the entire view, which makes life easier and allows you to take precautionary measures. People who handle only four or five security devices spread across the globe should go with this SIEM tool.
Network Security Engineer at a wellness & fitness company with 10,001+ employees
Real User
It is the core of our entire SOX

Pros and Cons

  • "It is the core of our entire SOX."
  • "Due to the skills shortage, we are able to use it from the standpoint of bringing in a lower level employee or a person who may not have security knowledge."
  • "We run 65 servers globally with just two people: an engineering person and me."
  • "The technical support is poor. Mostly because when I open a PMR for IBM, I am stuck with Level 1 staff. As an engineer, nothing that I am bringing them does not require Level 2 or Level 3 support."

What other advice do I have?

The most important criteria when selecting a vendor: stability. The security space is tough. Unlike a lot of other spaces, IBM will not be bought anytime soon as a 100 year-old company.
Member at CIFAL Argentina
Reseller
The scalability is awesome, because QRadar includes other solutions in the same console

How has it helped my organization?

QRadar improved risk assessment and vulnerability, plus reduced staff.

What is most valuable?

The threat protection integration with other vendors.

What needs improvement?

The user interface needs improvement.

Network Breach

We have not suffered a network breach.

Events per Day

Our deployment collects nearly 100 events a day. We often wield a backlog.

What do I think about the stability of the solution?

Stability is great.

What do I think about the scalability of the solution?

The scalability is awesome, because QRadar includes other solutions in the same console.

How is customer service and technical support?

I have not used technical support.

How was the initial setup?

I was not involved in the initial setup.


Security Solutions Architect at Micro Strategies
Real User
It has helped us with our response time to threats

Pros and Cons

  • "It showed us where weaknesses were in our environment, so we could actively target those patches first."
  • "Do your research before implementing it, because it is tough to implement."

What other advice do I have?

Do your research before implementing it, because it is tough to implement. Most important criteria when selecting a vendor: support. I say this to every vendor. It is not always about pricing, which is nice when we start, but when the crap hits the fan. I want the vendor to be there with me.
Sr. Security Analyst with 1,001-5,000 employees
Real User
Enables us to integrate with some of the top security products on the market

What is our primary use case?

In recent years, our focus has been the third-party integrations. Like most companies, we have several security products. (I hope most other companies are not relying on a single product). The challenge with a SIEM is taking the data produced by a log source and presenting it in a readable manner for technical and non-technical staff. That can be done with custom-built reports or in dashboards. With the IBM Security App Exchange you add a new extension (i.e. download from the App Exchange site) and configure it.

What other advice do I have?

Research, and don’t be afraid to do a few PoCs. Also, make sure you have a team for the tool. Most solutions require a team, so if you cannot apply a team towards the tool then hopefully you can use one of the managed SIEM options.
Partner at a tech services company with 11-50 employees
Real User
It has a high degree of interconnection with other systems

What is our primary use case?

  • Origination process in banks.
  • Insurance claims on insurance companies.

Pros and Cons

  • "We have the abilities to monitor each instance which originates on the process along with the performance of each department."
  • "For the common needs of clients to fulfill requirements, a real integration with Blueworks Live (BPA modeling tool also from IBM) and a more suitable BPM on cloud solution for midsize customers."

What other advice do I have?

Ensure you have the functional skills on BPM and the technical skills on IBM BPM. We used to be IBM partners, but are not anymore. Now, we are Red Hat partners.
Lead Security Infrastructure Engineer at a financial services firm with 5,001-10,000 employees
Real User
Single pane of glass for analysts and SIEM administrators

Pros and Cons

  • "It is incredibly easy to deploy. All the appliances are flexible in the roles that they serve and are all managed in the same way."
  • "Needs better visualization options beyond the time series charts and a few other options that they have."

What other advice do I have?

Understand how your analysts need to use SIEM to execute use cases. This platform can collect and normalize data better than just about anything (if you want it to), but it will not be useful if it is not presented in a useful way.
Vulnerability Manager at a tech services company with 51-200 employees
Reseller
Once an offense comes through, you can then see from the log sources who or what triggered it.

What other advice do I have?

Just spec it correctly and it will do its job for you. It has an active community. IBM patches the product regularly when problems are picked up. I haven’t heard about a lot of problems from other people using the product. When we only have four hours to respond, an hour can make a difference in waiting for support.
Security Analyst at a security firm with 11-50 employees
Real User
With more than 120 extensions, it can improve your event analysis

What is our primary use case?

SIEM solutions must be business driven. Utilizing a SIEM solution depends on your enterprise goals, from meeting compliance requirements to implementing security controls and identifying the absence of controls. A SIEM solution can also be used to improve your business and increase your sales. With QRadar, you can do all these, even if you are not a security expert. It comes with a set of default rules which makes your life easier, from ransomware attacks to DDoS attacks. Everything can be detected if your logs are properly integrated into QRadar. It gets better with extensions and other rules…

Pros and Cons

  • "There are more than 120 extensions in QRadar, which are easy to install and configure. These can improve your analysis of events."
  • "It comes with many rules disabled. You can tune them and modify them according to your enterprise needs and avoid false positives."
  • "QRadar log integration of various applications can be a tough job at times. There may be occasions when you will not find any QRadar guide on adding logs of a particular application. Even if you come across one, adding a log process is not an easy one."
Operations Analyst at a logistics company with 51-200 employees
Real User
Helps a company when investigating a case and with preventive actions

What is our primary use case?

I used the IBM QRadar product from 2015 until 2017.

How has it helped my organization?

When the WannaCry attack happened, QRadar helped the company a lot with the investigation of the firewall, antivirus, and other appliances.

What is most valuable?

The "Network Activity" feature was really good. An engineer can live monitor all the flow happening in real-time. This would help us a lot while investigating a case, and it would even help us with preventive actions.

What needs improvement?

QRadar needs to be improved on the storage side, particularly when the disk exceeds the maximum threshold.

For how long have I used the solution?

One to three years.
Cybersecurity Engineer Consultant at a tech services company with 501-1,000 employees
Consultant
Its correlation and the parsing features result in good scalability and performance

What is our primary use case?

My use case is the deployment of X-Force detection for a successful connection with a botnet or malware website. An X-Force feed is free with QRadar. I have been using the product for three years now. I used it for six months at an internship to PoC some different SIEMs and for two and a half years as an administrator. Now, I am using it as an architect.

Pros and Cons

  • "The correlation and the parsing are important features, since it is very important for a SIEM to have a good scalability and performance."
  • "The weak signal detection with QRadar needs improvement. You can detect what you know, but what is unknown to the rule engine can't be detected."

What other advice do I have?

Think scalability and make sure your product can be integrated into QRadar.
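The use case the consultant above describes, a threat-intelligence feed matched against firewall events so that only successful (allowed) connections to a listed botnet or malware host raise an offense, as an added example that is not the reviewer's code and not IBM's. The feed entries, the LEEF lines and the score threshold are constructed for illustration; real X-Force data has its own shape and is not reproduced here.

```python
import ipaddress

# Constructed threat-intelligence entries shaped like an IP reputation feed:
# (indicator, category, score out of 10). Made-up data, not X-Force output.
THREAT_FEED = [
    ("198.51.100.23", "Botnet Command and Control Server", 9),
    ("203.0.113.0/24", "Malware", 7),
    ("192.0.2.77", "Scanning IPs", 3),
]

# Constructed LEEF 1.0 firewall events (header fields pipe-separated,
# attributes tab-separated). Made up for this example.
_HDR = "LEEF:1.0|Example|FW|1.0|conn|"
SAMPLE_EVENTS = [
    _HDR + "\t".join(["act=allow", "src=10.1.5.20", "dst=198.51.100.23", "dstPort=443"]),
    _HDR + "\t".join(["act=deny", "src=10.1.5.21", "dst=198.51.100.23", "dstPort=443"]),
    _HDR + "\t".join(["act=allow", "src=10.1.5.22", "dst=203.0.113.45", "dstPort=80"]),
    _HDR + "\t".join(["act=allow", "src=10.1.5.23", "dst=192.0.2.77", "dstPort=22"]),
    _HDR + "\t".join(["act=allow", "src=10.1.5.24", "dst=93.184.216.34", "dstPort=443"]),
]

# Firewall action values that mean the connection went through.
ALLOW_ACTIONS = {"allow", "accept", "permit"}


def build_reference_set(feed, min_score=5):
    """Keep indicators at or above min_score as (network, category, score).

    Single IPs become /32 networks so one membership test covers both.
    """
    return [
        (ipaddress.ip_network(indicator, strict=False), category, score)
        for indicator, category, score in feed
        if score >= min_score
    ]


def parse_leef(line):
    """Parse 'LEEF:1.0|Vendor|Product|Version|EventID|k=v<TAB>k=v' into a dict."""
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF line: %r" % line)
    attrs = dict(kv.split("=", 1) for kv in parts[5].split("\t") if "=" in kv)
    attrs["_event_id"] = parts[4]
    return attrs


def lookup(ip, refset):
    """Return (category, score) for the first reference-set entry containing ip."""
    addr = ipaddress.ip_address(ip)
    for net, category, score in refset:
        if addr in net:
            return category, score
    return None


def successful_threat_connections(lines, refset):
    """Offense candidates: allowed connections whose destination is in the reference set.

    Denied connections are skipped on purpose: the firewall already stopped
    them, and alerting on every blocked probe buries the real hits.
    """
    hits = []
    for line in lines:
        event = parse_leef(line)
        if event.get("act", "").lower() not in ALLOW_ACTIONS:
            continue
        match = lookup(event["dst"], refset)
        if match is None:
            continue
        hits.append({
            "src": event["src"],
            "dst": event["dst"],
            "dstPort": event.get("dstPort"),
            "category": match[0],
            "score": match[1],
        })
    return hits


if __name__ == "__main__":
    for hit in successful_threat_connections(SAMPLE_EVENTS, build_reference_set(THREAT_FEED)):
        print(hit)
```

On the sample data only two of the five events become offense candidates: the allowed connection to the listed C2 address and the allowed connection into the listed malware /24. The denied connection to the same C2 address and the low-score scanner entry are dropped by the action check and the score threshold respectively, which is the tuning that keeps a threat-feed rule from paging on noise.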
Network and Security Technical Team Leader at a wholesaler/distributor with 201-500 employees
Real User
A good integration with the artificial intelligence engine of Watson

What is our primary use case?

We work with it in the banking sector. We had torrent limitations and big banks could join them. It has performed well. However, the limitation is not easy, so the product is not easy. You cannot get the real value of the product unless you combine it with the other products from IBM, like BigFix, the full integration of Vulnerability Management, and so on.

Pros and Cons

  • "It does good correlation for events. It does good general analysis, and it has good apps as well."
  • "It has a good integration with the artificial intelligence engine of Watson."
  • "IBM needs to invest more into the collaboration with other vendors."
  • "The implementation and configuration are not easy."

What other advice do I have?

IBM needs to invest more into the collaboration with other vendors. If you want to go to IBM, do not just go for QRadar. You need QRadar and all the products that surround QRadar, especially BigFix, because the product is ten times stronger with it.

Most important criteria when selecting a vendor:

  • The technical features of the solution.
  • The people in my region at the vendor.
  • The perspective of the project manager on the customer side.
  • Data involved and time of the implementation.
  • The needs of the customer.
  • The cost of the project.
  • Training involved.
Director, Cybersecurity at a tech company with 51-200 employees
User
It has a logical, user-friendly GUI

What is our primary use case?

We used QRadar SIEM over the Juniper Secure Analytics platform. The company profile is telecom. The infrastructure has a large geographical spread.

How has it helped my organization?

IBM QRadar is great help from its security event monitoring to data center and NOC troubleshooting of issues hard for other departments to spot.

What is most valuable?

It has a logical, user-friendly GUI. Very easy to drill down in offenses and get to the bottom of raw data.

What needs improvement?

Dashboards and reports could provide better visualization of SIEM activity. An executive or CISO dashboard would be nice to have by default.

For how long have I used the solution?

Three to five years.

What other advice do I have?

The tool gets better value in…
Sr SIEM Consultant at a tech services company with 51-200 employees
Consultant
Built-in rules are enabled by default and tunable to meet the specific needs of each organization.

What is our primary use case?

As a PS consultant on projects where the customer is transitioning from a competitor's SIEM to QRadar, they are very pleased when they see the number of quality offenses being caught soon after implementation and integration of log sources just from the out-of-the box rules enabled by default.

Pros and Cons

  • "Network-Based Anomaly Detection (NBAD): Using NetFlow, JFlow, SFlow, or QFlow (all 7 layers), offenses are detected as a response when a rule is triggered."
  • "Some UI enhancements would be nice, such as exporting custom event properties and the ability to export rules."

What other advice do I have?

Every SIEM tool has a certain degree of complexity, especially where use cases and rules are concerned. I advise using Professional Services so your SIEM is configured by trained professionals.
Solution Architect with 201-500 employees
User
Improved our organization's total cost of ownership

What is our primary use case?

  • Users' behavior analytics
  • Monitor leakage for data
  • Payment card industry compliance
  • Integration with end points management system
  • Integration with Incident Response and Ticketing System

How has it helped my organization?

  • Easy to deploy
  • Time to value
  • Total cost of ownership (TCO)
  • Deployment options for on-premise, SaaS, hybrid

What is most valuable?

  • X-Force feed
  • Watson for cyber security
  • App Exchange
  • Scalability and licensing model
  • Vulnerability and risk management on network topology

What needs improvement?

Needs to be improved:

  • Graphical User Interface (GUI)
  • Multi-tenancy and domain(s) segregation

For how long have I used the solution?

One to three years.
IT Director at MyEyeDr.
Vendor
It summarizes all the other security products.

What other advice do I have?

We try to do everything all at once. Find the right partner to help you do the implementation. When picking a vendor, we look for the support, the ease of the installation, and the future of the product.
IT Security Manager at a tech services company
Real User
Some of the valuable features are QM, QRM, and forensics.

What is most valuable?

Some of the valuable features are QM, QRM, and forensics.

How has it helped my organization?

There are many use cases.

What needs improvement?

I would like to see SOC.

For how long have I used the solution?

We have been using this for three years.

What was my experience with deployment of the solution?

There were no deployment issues.

What do I think about the stability of the solution?

There were no stability issues.

What do I think about the scalability of the solution?

There were no scalability issues.

How are customer service and technical support?

Customer Service: Customer service is very good.

Technical Support: Technical support is excellent.

Which solution did I use previously and why did I switch?

We used another solution…
Vulnerability Manager at a tech services company with 51-200 employees
Reseller
Top 10
The threat protection network is the most valuable feature

Pros and Cons

  • "The threat protection network is the most valuable feature, because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why."
  • "I would like to see a more user-friendly product."

What other advice do I have?

Just spec it correctly and it will do its job for you. It has an active community. IBM patches the product regularly when problems are picked up. I haven’t heard about a lot of problems from other people using the product.
Sr. Security Engineer at a tech services company with 11-50 employees
Consultant
We use it to create use cases and review offenses. One of the valuable features is its correlation engine.

What other advice do I have?

Work on sizing as much as you can so you can avoid any issues after deployment. You should also fulfill hardware requirements for this product. Otherwise, you will not get its full functionality.
IT Manager at a comms service provider with 1,001-5,000 employees
Real User
Contextual and threat-based incident management.

What other advice do I have?

Trust it, test it, and deploy it.
Lead Developer
Vendor
Based on the analysis, we can easily identify from where the threat is originating.

What other advice do I have?

Definitely invest in the QRadar solution.
Senior System Administrator at a tech services company with 11-50 employees
Consultant
Offers device auto-discovery, along with rules and reports already created.

What other advice do I have?

You should ask the sales representative to give you the Excel sheet to calculate EPS. Keep in mind that the firewalls, proxies and networking devices such as those will consume lots of EPS, but they do provide really nice information and insight from your network. On Gartner, this is one of the top 10 SIEM solutions in the market. It is robust and IBM is investing a lot of money to get it running even better than it is running right now. You feel secure when you use it. This solution is being implemented around the world and every day, a new feature or add-on is created for it.
Senior security analyst at a financial services firm with 1,001-5,000 employees
Vendor
Provides custom parsers. I'd like to see more integration with other security products, especially bidirectional.

What other advice do I have?

Make sure you understand how many log sources you have in your environment. Kind of get an idea of how many per second you're going to be getting. That way, you have a good idea for your licensing model to start out with. In the past, we had a certain set we thought we were going to have, and then we had to upgrade, and then upgrade again, for the license count. Also, make sure you're doing correct tuning. Otherwise, you're just going to flood your SOC, and they're going to spend too much time sifting through white noise.
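Both of the last two reviewers say the same thing about licensing: count your log sources, estimate events per second, and size the EPS license before you buy rather than upgrading twice. The following is an added example, not the reviewers' code and not IBM's sizing sheet, of how to measure that from a log sample: bucket events by second, take the peak rather than the average, attribute the load to each device, and pick the smallest tier with growth headroom. The log lines and the license tiers are constructed and assumed; real QRadar entitlements are sold in EPS and FPM (flows per minute) amounts that differ by SKU.

```python
from collections import Counter
from datetime import datetime
import math

# Constructed sample of collector-side events: one line per event, prefixed
# with an ISO-8601 timestamp and the sending device. Made-up lines, not real
# QRadar or vendor output. The burst at 10:00:02 is a port scan hitting fw01.
SAMPLE_LOG = """\
2021-06-01T10:00:00Z fw01 action=allow src=10.1.2.3 dst=8.8.8.8 dport=53
2021-06-01T10:00:00Z fw01 action=deny src=10.1.2.9 dst=203.0.113.4 dport=445
2021-06-01T10:00:00Z fw01 action=allow src=10.1.2.3 dst=93.184.216.34 dport=443
2021-06-01T10:00:00Z dc01 EventID=4624 user=alice
2021-06-01T10:00:01Z proxy01 method=GET host=example.com status=200
2021-06-01T10:00:01Z proxy01 method=GET host=example.com status=304
2021-06-01T10:00:02Z fw01 action=deny src=198.51.100.7 dst=10.1.2.10 dport=22
2021-06-01T10:00:02Z fw01 action=deny src=198.51.100.7 dst=10.1.2.10 dport=23
2021-06-01T10:00:02Z fw01 action=deny src=198.51.100.7 dst=10.1.2.10 dport=25
2021-06-01T10:00:02Z fw01 action=deny src=198.51.100.7 dst=10.1.2.10 dport=80
2021-06-01T10:00:02Z fw01 action=deny src=198.51.100.7 dst=10.1.2.10 dport=135
2021-06-01T10:00:02Z fw01 action=deny src=198.51.100.7 dst=10.1.2.10 dport=139
2021-06-01T10:00:02Z fw01 action=deny src=198.51.100.7 dst=10.1.2.10 dport=443
2021-06-01T10:00:02Z fw01 action=deny src=198.51.100.7 dst=10.1.2.10 dport=3389
2021-06-01T10:00:02Z proxy01 method=CONNECT host=login.example.com status=200
"""

# Assumed, illustrative EPS tiers; real QRadar entitlements vary by SKU.
LICENSE_TIERS = (100, 500, 1000, 2500, 5000, 10000)


def parse_events(text):
    """Return a list of (timestamp, device) pairs from the sample format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, device, _rest = line.split(" ", 2)
        events.append((datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), device))
    return events


def eps_profile(events):
    """Peak and average EPS over the observed span, plus per-device event counts.

    The average is taken over every second between the first and last event,
    including silent ones, so a short burst does not inflate it.
    """
    per_second = Counter(ts for ts, _ in events)
    per_device = Counter(device for _, device in events)
    first, last = min(per_second), max(per_second)
    span_seconds = int((last - first).total_seconds()) + 1
    return {
        "peak_eps": max(per_second.values()),
        "average_eps": len(events) / span_seconds,
        "per_device": dict(per_device),
    }


def recommended_license(peak_eps, headroom=0.3, tiers=LICENSE_TIERS):
    """Smallest tier covering the peak plus growth headroom, or None if none fits."""
    needed = math.ceil(peak_eps * (1 + headroom))
    for tier in tiers:
        if tier >= needed:
            return tier
    return None


if __name__ == "__main__":
    profile = eps_profile(parse_events(SAMPLE_LOG))
    print(profile)
    print("license tier:", recommended_license(profile["peak_eps"]))
```

Two things the numbers show that the sheet alone does not: the peak (9 EPS) is nearly twice the average (5 EPS), and a single firewall accounts for 11 of the 15 events, which is the reviewer's point about firewalls and proxies consuming the license. Size against the sustained peak, because a license that only covers the average will be exceeded every time a scan or an outage produces a burst.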
Security Consultant at Dimension Data
Consultant
The most valuable features are the implementations, the plug-ins, and the UBA.

Pros and Cons

  • "The most valuable features are all the implementations, the plug-ins, and the User Behavior Analytics (UBA)."
  • "Maybe there should be more custom rules in the exchange. Basically, we are using a lot of threat rules, so maybe they'll develop something like that."

What other advice do I have?

Definitely try it. Do a PoC with a customer. You can get the value for the customer quickly. It's great.
Cyber Security Manager at a energy/utilities company with 1,001-5,000 employees
Vendor
In general, if you have any botnets or malware, you identify and mitigate it. The biggest challenge is in the upgrade.

What other advice do I have?

It's a very solid product. However, there are a lot of things that can be improved. Definitely get a team or hire a professional to install this product. Otherwise, I guarantee you're not going to be successful. There is a lot of filtering that needs to be done; otherwise, you are going to get overwhelmed with the events coming in and will have no idea, as to what is right and wrong. You definitely want to hire a trained team or some professionals. The price is the most important criteria when selecting a vendor. Other factors such as the quality of the product, PoC, how well the team…
Cyber Security Engineer at a tech services company with 501-1,000 employees
Consultant
Provides a view into our network events and flows from log sources across our enterprise.

What other advice do I have?

I would definitely recommend QRadar to anyone looking for an SIEM solution in their organization. This is especially the case for mid- to large-scale enterprise solutions, compared with the competitors.
Cybersecurity Expert at a financial services firm with 10,001+ employees
Real User
AQL allows me to extract data directly from the QRadar database.

What other advice do I have?

Don't forget to hire the right people. They are expensive, but it is far more cost-effective to pay them now than to try to integrate SIEM without professional knowledge and break it (it is especially important in the architecture and integration phase). Because, then you will pay twice and your security monitoring program can be delayed months. In the operation phase, don't forget to invest in training for both analysts and SIEM administrator teams. It is very easy to use this tool the wrong way and then it will give you almost no value.
Director SOC at a tech services company with 51-200 employees
Consultant
Integration with other platforms and the ease of rule making are valuable features.

What other advice do I have?

First, identify the most critical assets to be included in SIEM and then the most critical events of my organization. With that, you avoid bringing unnecessary events into SIEM. It's a very good and versatile correlator.
Cyber Security Engineer
Vendor
The most valuable feature is the ability to get the logs and analyze them.

What other advice do I have?

I would suggest QRadar. The security intelligence is one of the best right now. When looking for a vendor, I want to be able to win them. I want them to accept the fact that I’m looking for a product for what I am doing and I have a couple of requirements. From there, I can actually tell them what they need to do, or what I need to do, in the environment.
Information Security Analyst at Allegiance Air
Vendor
The UI is the most valuable feature, and the product is stable.

What other advice do I have?

Make sure you try them all and then pick the one that you think would work the best. It's nice to value other people's opinions, but it's better to test all the products and choose what you think would be best, for whatever your need is. It's very easy and intuitive. It's just a good overall solution, compared to the other ones I've used.
Global Security Engineering and Operations Director at a wellness & fitness company with 10,001+ employees
Vendor
Correlates data across our global enterprise and integrates third-party solutions.

What other advice do I have?

When picking a vendor, the most important thing is partnership. I honestly have nothing but good things to say about the IBM relationship that we have related to QRadar. Partnership is going be important. Having the right skillset from an engineering standpoint is important to ensure that you don't set up things backwards. You have a high probability of doing it. This is one of those pieces where IBM doesn't “dummify” the solution for you. On one side for my senior engineers, they don't want it “dummified” because they need to do it. On the other side of it, there are some aspects that don’t…
Security Analyst at a government with 10,001+ employees
Vendor
For vulnerabilities, you see a popup on the screen. We do not have to look for it. It is pushed to us.

What other advice do I have?

When choosing a vendor, we look for a stable and trustworthy company. I think QRadar is the best solution you can get.
Sr. Security Architect at American Airlines
Vendor
If we feel that there is anything going on in the application, it collects the logs, we monitor them, and we get alerts. I would like proper integration with the cloud, not only the IBM cloud.

What other advice do I have?

If you have the budget, go for QRadar. It depends on the company size. It's expensive.
Information Security Analyst at a transportation company with 5,001-10,000 employees
Vendor
The pre-canned rules and reports are a plus. They have new apps to integrate different tools into the dashboard.

Pros and Cons

  • "The pre-canned rules and reports in this product are a huge plus."
  • "QVM is another instance where they need to revise the vulnerability scoring and the proper remediation details."

What other advice do I have?

Evaluate your network first. Determine the target audience that you will be monitoring and working on this tool. It is important to note whether your organization is looking for a compliance-based check mark practice (defensive security), or active threat monitoring and out-of-the-box security posture.
Assistant Manager-Information Security at a transportation company with 1,001-5,000 employees
Vendor
Integrates with other applications and systems.

What is most valuable?

SIEM technology is the most valuable feature of this solution, as it can be integrated with almost every application and system. If not, then you may ask IBM to write a parser for it.

How has it helped my organization?

You have the visibility of different events, thus we can resolve the issue.

What needs improvement?

They should provide more integration with more devices.

For how long have I used the solution?

I have been using this solution for three years.

How is customer service and technical support?

I would give the technical support an 8/10 rating. They are excellent.

How was the initial setup?

The setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

The pricing policy is good.

Senior Manager at a pharma/biotech company with 1,001-5,000 employees
Vendor
It has a predefined set of templates. In order to secure patient data, they may have to incorporate certain legislation / regulations.

What other advice do I have?

The solution seems to be very promising on paper, i.e., in theory, some things look good but practically, after we apply the solution in the next one or two years, we'll come to know more. You should first conduct an assessment from IBM and the system should follow the selection of the tool. You should not just go by what you want, but instead by what you need. Most of the companies don't know what they need in terms of the security.
Group CIO at a tech services company with 501-1,000 employees
Consultant
Provides visibility in terms of the threat surface and proactively looks at mitigation measurements.

What other advice do I have?

This is quite an established solution, so I have no hesitation in recommending it.
Senior Security Engineer at a consumer goods company with 1,001-5,000 employees
Vendor
It helps our incident handlers find incidents within our environment and track down new threats.

What other advice do I have?

First, make sure that it's sized right and read all the manuals before you do it. Interoperability with other products is what I look for in a vendor. An open API is the big thing. I want to be able to make sure that if I buy something, it will be able to talk with other products. I won't need to keep going down the same path, i.e., if I buy company X, I have to buy company X products all the way; otherwise, they won't talk to each other. Being able to talk with other products really makes a difference.
Security Operation Manager at a transportation company with 10,001+ employees
Vendor
Provides user behavior analytics.

What other advice do I have?

Ensure that it's scalable and that you have good customer support. Also, take your time doing the implementation.
Director of Cyber Security at an insurance company with 10,001+ employees
Vendor
The ability to correlate large amounts of data into rules that provide real-time alerting is valuable.

What other advice do I have?

Make sure you really understand all the requirements before you implement. I think the group that did this implementation didn't necessarily understand fully what we were going to use it for, so it was maybe designed for smaller things. So, you should really understand the requirements prior to stepping into it. If QRadar is going to be a central sort of hub for IBM's security solutions, make sure that the other tools integrate very easily into it. That would probably be the biggest task.
Senior Security Analyst at The Hartford
Vendor
The organizational value we derive from it is that it helps us track down where we have problems.

What other advice do I have?

It's a great product. They're obviously an industry leader right now in this field, if you're looking for SIEM, I would recommend it.
Security Consultant at a tech services company with 11-50 employees
Consultant
It can collect different types of security feeds and correlate them in real-time with your logs.

What other advice do I have?

If you have an experienced group of security members, then you may not at all need the advisor for the product. If not, then you will have to find the path to build your team, so as to become more knowledgeable.
Application Infrastructure innovation at a financial services firm with 1,001-5,000 employees
Vendor
Using it through IBM's Managed Security Services, they keep us alerted of what events are hitting, and adapting for it. I'd like to see tighter integration with other IBM products.

What other advice do I have?

If you're going to implement it, implement it using managed services, because it's too complex of a product to try to do yourself.
Security Intelligence at a tech services company with 10,001+ employees
MSP
We can build interactive dashboards around it. Mathematical operators currently cannot be used within the reference maps.

What other advice do I have?

It should be implemented by the best professionals available within IBM. It is really important to have a clean base installation, so that you can build things on the top of it. When we are selecting a vendor, first and foremost, we look for the stability of the vendor, and what level of resources they are investing in their research and development. These are a couple of things that we look for while selecting a vendor and of course, the kind of resources we are looking for to get certain engagement and make sure those resources are aligned.
Security Consultant at a tech services company with 11-50 employees
Consultant
Some of the valuable features are vulnerability management, cognitive security, and risk management.

What other advice do I have?

If you are a security officer who wants to protect his job, go for Splunk :) If you are a customer who wants to have an easy tool and save time and resources, definitely go for QRadar.
Security Operations Center Manager at a financial services firm with 1,001-5,000 employees
Real User
Search capabilities are sufficient for most tasks. We need to see improved rule based access controls and rule/event tuning.

Pros and Cons

  • "Search capabilities are sufficient for most tasks."
  • "Search capability and indexing still lag behind competitors. We also need to see improved rule based access controls and rule/event tuning."

What other advice do I have?

Evaluate the product based on a full set of requirements and your security analyst workflow. Do not base your decision on the company name or promises of new abilities years down the line.
Technical Security Specialist at a tech services company with 51-200 employees
Consultant
Provides log management, application monitoring, vulnerability scanning, full packet capture and risk analysis.
Information Security Analyst at a media company with 1,001-5,000 employees
Vendor
It takes log files from different viewpoints and puts them together in one place. I would like to see better support.

What other advice do I have?

You should totally go for it. I've seen a couple of systems out there, but I think IBM QRadar is one of the better solutions available. Professionalism and always being there when I call are the most important criteria when selecting a vendor. With IBM it's pretty good. We have our sales guy, who is always on top of everything.
Security Manager at a pharma/biotech company with 1,001-5,000 employees
Vendor
The search capability and data consolidation are some of the key features. I want to see a three-dimensional perspective of the data.

What other advice do I have?

From an analytics perspective, it's a good tool. But you have to have the resources to own it. It's not only about buying it. It's not only about capacity, but somebody has to care and feed it. It's not one of those things that you can put it in, walk away and just consume the data. If you don't take care of it and feed it, you won't get what you need out of it.
IT Security Consultant at a tech vendor with 201-500 employees
Vendor
It captures and processes large volumes of event data, and scales to support them in a unified database. But, it'd be good to have a default configuration to meet PCI requirements.
Cyber Security Advisor / CISO / Healthcare Security Pro at OMC SYSTEMS LLC
Vendor
The dashboards give us an overview of traffic flow and pinpoint configuration issues.

Valuable Features

I find that the dashboards are the most helpful to get an overview of traffic flow and issues.

Improvements to My Organization

We find that reviewing Q1 Radar is very helpful to pinpoint configuration issues, as well as go back and find traffic flows from compromised hosts.

Deployment Issues

No.

Stability Issues

None.

Scalability Issues

N/A

Customer Service and Technical Support

Customer Service: N/A

Technical Support: N/A
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Consultant
Qradar vs. ArcSight
Continuing with the SIEM posts we have done at Infosecnirvana, this post is a Head to head comparison of the two Industry leading SIEM products in the market – HP ArcSight and IBM QRadar. Both the products have consistently been in the Gartner Leaders Quadrant. Both HP and IBM took over niche SIEM players and have made themselves relevant in the SIEM market. We have worked on both the products and feel that this comparison is a good way to start the discussion rolling on features of both the products and how they approach the problem of Security Information & Event Management. Okay, let’s get started!!! ArcSight vs QRadar Subject ArcSight QRadar Product Birth Year 2000, ArcSight SIEM came into the market and incidentally this was the only product they have…
Security Solution Architect with 1,001-5,000 employees
Vendor
No matter what technology you choose, the technology area is 15% of the effort. Your processes are 85%.

What other advice do I have?

  • First gather your requirements.
  • From that, build a business case.
  • Understand that no matter what technology you choose, the technology area is 15% of the effort. Your processes are 85%. No process… then 5h1t in… 5h1t out.
  • Make sure you know your business reasons for the implementation.
Information Security Consultant at a tech services company with 51-200 employees
Consultant
Although it provides incident management of the alerts it produces, this could be improved to allow more restrictions

What other advice do I have?

The advice I would give to others is to work with the implementation team to properly fine tune the out-of-the-box “building block rules” and to enter their network hierarchy in QRadar in order for it to give best results and reduce false positive alerts.
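The consultant's two tuning steps, entering the network hierarchy and tuning the out-of-the-box building blocks, both exist because QRadar's rules reason about direction: an address inside the hierarchy is "local", everything else is "remote", and many default rules only fire on remote-to-local (R2L) activity. The block below is an added illustration, not the reviewer's code and not QRadar's rule engine, of what goes wrong when the hierarchy is incomplete. The CIDRs, the events and the scanner list are constructed; the scanner set stands in for a host-definition building block and its name is assumed, not QRadar's.

```python
import ipaddress
from collections import Counter

# Constructed network hierarchy (name -> CIDR), standing in for QRadar's
# Network Hierarchy. Assumed values, not from any real deployment.
NETWORK_HIERARCHY = {
    "Corp.Users": "10.1.0.0/16",
    "Corp.Servers": "10.2.0.0/16",
    "DMZ.Web": "192.0.2.0/24",
}

# The same hierarchy with the user range forgotten: the mistake that turns an
# internal scanner into a "remote" attacker.
INCOMPLETE_HIERARCHY = {
    "Corp.Servers": "10.2.0.0/16",
    "DMZ.Web": "192.0.2.0/24",
}

# Assumed analogue of a host-definition building block listing authorised
# vulnerability scanners so rules can exclude them.
BB_VULN_SCANNERS = frozenset({"10.1.0.5"})

# Constructed firewall events as (src, dst, action). Made up for this example.
EVENTS = [
    ("10.1.0.5", "10.2.0.10", "deny"),      # internal scanner probing servers
    ("10.1.0.5", "10.2.0.11", "deny"),
    ("10.1.0.5", "10.2.0.12", "deny"),
    ("10.1.0.5", "10.2.0.13", "deny"),
    ("203.0.113.7", "192.0.2.10", "deny"),  # internet host probing the DMZ
    ("203.0.113.7", "192.0.2.10", "deny"),
    ("203.0.113.7", "192.0.2.10", "deny"),
    ("203.0.113.7", "192.0.2.10", "deny"),
    ("10.1.0.20", "8.8.8.8", "deny"),       # one blocked outbound DNS query
    ("10.1.0.20", "93.184.216.34", "allow"),
]


def local_network(ip, hierarchy):
    """Name of the hierarchy object containing ip, or None if it is remote."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in hierarchy.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def direction(src, dst, hierarchy):
    """Classify traffic as L2L, L2R, R2L or R2R from the hierarchy."""
    s = "L" if local_network(src, hierarchy) else "R"
    d = "L" if local_network(dst, hierarchy) else "R"
    return f"{s}2{d}"


def excessive_remote_denies(events, hierarchy, scanners=frozenset(), threshold=3):
    """Sources with at least `threshold` denied R2L connections, minus known scanners.

    This mirrors the shape of a default 'excessive firewall denies from a
    remote host' rule: the direction test is what keeps internal traffic out,
    and the scanner exclusion is the building-block tuning the consultant means.
    """
    counts = Counter()
    for src, dst, action in events:
        if action != "deny" or src in scanners:
            continue
        if direction(src, dst, hierarchy) != "R2L":
            continue
        counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("complete hierarchy :", excessive_remote_denies(EVENTS, NETWORK_HIERARCHY))
    print("missing user range :", excessive_remote_denies(EVENTS, INCOMPLETE_HIERARCHY))
    print("plus scanner BB    :", excessive_remote_denies(EVENTS, INCOMPLETE_HIERARCHY, BB_VULN_SCANNERS))
```

With the complete hierarchy only the internet host trips the rule. Drop the user range and the internal scanner is classified as remote and becomes a false-positive offense; adding it to the scanner building block suppresses it again, but the cleaner fix is the hierarchy itself, since every direction-based rule and every "local" asset lookup depends on it.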