Large IBM Qradar deployment and SOC Build out

Project Description

Large IBM Qradar deployment and SOC Build out. Deployed 160+ QRadar appliances over multiple countries. The Qradar components deployed were:

Qradar Console, QRIF, QVM, QRIF, AppNodes, Flow Collectors (Cu & Fi), Log Collectors and Processors

IBM Resilient (SOAR).

At the end we had over 9000 log sources from enterprise infra such Servers, Routers, Switches, Firewalls, Mainframes, Mcafee EPO, SWIFT systems and many other. In addition we were rolling out logging from end points as well. The daily influx of logs was over 2 billion events distilling down to around ~100 offences (after tuning).

Lessons Learned

Ensure that sufficient engineering resources were available with Qradar experience to not only deploy, maintain and update the appliances but also create/tune use cases.


received a promotion
support from colleagues


management had to be convinced
equipment incompatibility
steep learning curve
hard to meet schedule
  • London (ENG-GB)51.5085-0.12574
  • Helsinki (FI)60.169524.9354
  • Paris (A8-FR)48.85342.3488
  • Brussels (BRU-BE)50.85044.34878
Ask me a question