My use case is the deployment of X-Force detection of successful connections to botnet and malware websites. The X-Force feed is free with QRadar.
I have been using the product for three years now. I used it for six months at an internship to PoC several different SIEMs, and for two and a half years as an administrator. Now, I am using it as an architect.
Previously, we had to do a lot of debugging when we wanted to change our firewall policy, to find out which rule was blocking things, etc. With QRadar, once you integrate the firewall logs, you get the information in real time with two clicks.
The correlation and the parsing are important features, since it is very important for a SIEM to have a good scalability and performance.
Weak-signal detection with QRadar needs improvement. You can detect what you know, but what is unknown to the rule engine can't be detected, which is the basic limitation of any rule-based SIEM.
Three to five years.
Sometimes, though not from the system itself, but from the volume of logs it has received.
Technical support is good when they are using WebEx. Through the portal, they are slow and inefficient.
My service since the beginning has been to only sell and manage QRadar.
It is very easy to deploy. It is not a user-friendly way to deploy, but for IT people who have Linux server skills, etc., it is easy.
Think what you will integrate into QRadar. It is a SIEM. You need to send it logs, but not everything.
Pricing (based on EPS) will be more accurate.
I had the chance to test some other products, and there are many of them on the market. However, when you have to deploy and manage one, not just demo it, it is a totally different story.
QRadar is not perfect, but I have had the chance to manage ArcSight, Sumo Logic, Unomaly, and RSA for some specific features, and comparatively, QRadar is good.
Think about scalability and make sure your product can be integrated into QRadar.