IBM Security QRadar Suite Software: SIEM & SOAR

I was a SIEM  administrator using IBM Security QRadar  for ingesting log sources from all over the digital infrastructure of the organization I worked for. After ingesting logs from all servers and applications, I used the use case manager and offenses.

I managed and handled several incidents in IBM Security QRadar  by creating many rules. I created a rule for Dark Web communication from the internal network of the organization. Based on that, I created a rule named Anonymous Tor Connection in which I called the reference set from the reference set type that I created for blacklisted IPs of Tor nodes and called it in the rules. If any of those IPs were detected as the destination IP from an internal network source IP, the alerts would trigger.

I created brute-force attack rules based on Windows Event IDs and created more rules for failed login attempts and audit success.

We achieved our objectives regarding SOC metrics and monitoring metrics, and the time of incidents and alerts. All of these metrics were accurate, to the point, and straightforward as they should be.

IBM Security QRadar makes things user-friendly because in the Log Activity tab, you can make a search right away as desired. All filters are available on the tab. You can group logs by source IP, event ID, destination IP, or port. The user interface makes investigation very easy for an analyst.

IBM Security QRadar can work on big data and should start supporting big data as other Gartner's top SIEM  products do. An integrated LLM with IBM Security QRadar would be very good for its reputation. I started my career with IBM Security QRadar and totally love it. I do not want it to go down to the bottom of the top 10, but rather be in the top two or three SIEM products in Gartner's rating.

Dashboards are a good feature in IBM Security QRadar, but they can be improved. Other SIEM solutions such as Splunk and LogRhythm  are working on integrated LLMs or AI chat.

IBM Security QRadar has many issues nowadays, particularly with WinCollect integrations and Windows-based WinCollect agent integrations. I was exhausted handling errors in WinCollect. When a Windows server was integrated with IBM Security QRadar via WinCollect agent version 7.3.1.28 Managed Mode Agent, logs stopped coming to the QRadar console. I checked and tried to toggle the PEM file in the agent's config. After deleting the PEM file and restarting the service, the PEM file was created. Although this was a solution provided by IBM support, it was not effective. I worked with IBM support to troubleshoot this issue, but it was very prolonged and was not getting resolved. I had to forcefully install another version of the WinCollect agent.

Other solutions were available such as AlienVault , ArcSight SIEM, and Wazuh  SIEM. If you have dedicated assets in your infrastructure, you can go right away for IBM Security QRadar. However, if you have larger amounts of data, IBM Security QRadar will need more resources. You should evaluate based on EPS and your assets.

I have been using IBM Security QRadar for around more than two and a half years. I switched organizations and my current organization uses a different SIEM, so I have been detached from IBM Security QRadar.

IBM Security QRadar is stable, but some current versions are not stable. When I was upgrading IBM Security QRadar to version 7.4.3, my log sources all disappeared after upgrading to the next version. I opened a support ticket and they told me that this version had a bug. They instructed me to go into the user account and change the language to US English or Canadian English. After I did that, I got all the log sources back. This was a really troubling bug in IBM Security QRadar. This is a world-class product, but it has that type of bug.

Customer support and scalability were very fine.

When I upgraded IBM Security QRadar to version 7.4.3, my log sources disappeared after upgrading to the next version. I opened a support ticket and the team told me that this version had a bug. They instructed me to go into the user account and change the language to US English or Canadian English. After I did that, I obtained all the log sources back. This was a really troubling bug in IBM Security QRadar, as it is a world-class product but has that type of bug. Customer support and scalability were very fine.

Legacy solutions were log management solutions, while IBM Security QRadar is a security information event management SIEM that does all the work which previous multiple solutions were doing separately. IBM Security QRadar does all in one, which mitigated costs. However, I cannot give exact metrics on that because I have not worked on those legacy solutions. I started my career working with IBM Security QRadar SIEM.

I did not switch solutions; I switched companies. My current company had another solution, so I had to work with that because I am not the decision-maker to change the solution of a company. Teams and management are involved in deciding which solution is best for the organization. I can only suggest based on the features of the solution.

Pricing and the license of EPS were managed by the governance team. I was not responsible for managing those. I was supposed to put up the requirement of the license needed to integrate that amount of assets of the organization, and I put the request to my GRC  team. It was their responsibility to purchase that license and deal with the pricing of the EPS.

Dark theme and white theme are enabled in the latest version of IBM Security QRadar, which is great. An integrated LLM such as Watson should be included in which I can enter an IP address and perform threat hunting steps on it. IBM Security QRadar should tell me what the possibilities of threats are on the specific source IP that I provided. Unstructured  data should be supported as Elastic and Splunk work on big data, so IBM Security QRadar should start doing that too.

My day-to-day tasks were to check if the nightly backup is being created, whether there are any undeployed changes in IBM Security QRadar, and to check for new vulnerabilities in my current version to ensure my version is stable and all nodes are working properly. I verify that the HA component of my QRadar's console event processor is synchronized properly and that the data node is balancing all data between the nodes of IBM Security QRadar. If any integration comes up on my desk, I work on the integrations, and if any log sources are in error, I troubleshoot them whether they are database, Linux, Windows, or custom log sources.

I am fond of IBM Security QRadar because it is very user-friendly. I gave this review a rating of 7.5 out of 10.

My main use case for IBM Security QRadar  is its good features which create an offense or trigger an offense. This offense has a description and contains many events with sensitive or helpful information about the offense. My daily activity as a SOC analyst L1 is to ensure if the offense is legitimate, if it is truly a suspicious or malicious offense, or a false positive. After that, I create a ticket to close it and determine if it is suspicious or not. If I need to conduct more investigation and delegate the ticket further, I escalate it to SOC L2 or the SOC Manager to take additional activities or conduct more investigation about it.

IBM Security QRadar  is a very good SIEM  solution because it has features that allow me to create rules or built-in lookups specific to my company. I can tune those to reduce the attack surface and be specific about the right malicious activities to reduce risk about an attack on my company or attacks on endpoints or assets.

IBM Security QRadar offers a good dashboard because it provides many things, including offense, log activity, network flow, reporting, and rules. All of these are very helpful for me as a SOC analyst L1 or a security engineer. I can see networking activities and log activities coming from our clients. IBM Security QRadar gathers information and logs from these sources and determines based on my rules whether to trigger an offense about that rule or not.

IBM Security QRadar is also helpful because when I see any IP or source IP and destination IP, I can search in IBM X-Force  to determine if it is malicious or not. I can also scan the IP to see what it is and if it is related to a domain or a suspicious domain. Another very helpful feature is the built-in work or rules created by default from IBM product sales.

IBM Security QRadar has impacted my organization positively by helping me with many things, including catching attacks and moving quickly to reduce damage or risk from attacks. I cannot share specific information about how IBM Security QRadar helped me catch attacks quickly because it is sensitive information about my company, but IBM Security QRadar is helpful and has enabled me to accomplish many things.

The GUI or graphic interface for IBM Security QRadar is neither good nor bad, but I hope for it to be more interesting, more live, and have better style. IBM Security QRadar needs to improve its graphics.

I have been using IBM Security QRadar for more than one year to detect and conduct further investigation and monitoring activities from our clients.

My advice is that IBM Security QRadar is good. Splunk is also good, but IBM Security QRadar has many features including rules by default that I can tune the speed of. The core advice is that every SIEM  is good, but what you will do with them and what you will work on with them is the secret. I would rate this product a 9 out of 10.

IBM Security QRadar  is primarily used for orchestration, automation, and incident response in my environment.

I use IBM Security QRadar  for automation and incident response through a phishing mail playbook, where an employee sends a malicious phishing email to the SOAR  inbox, and SOAR  automatically generates an incident based on that email. After the incident is generated, we have created an advanced playbook that analyzes and scans the incident artifacts, extracting malicious elements in the notes. Following the identification of malicious content, another playbook sends an email notification about the findings and integrates with firewalls to automatically block the IOCs identified in the email. This is one of several playbooks we have developed.

Regarding my main use case for IBM Security QRadar, I have used most of IBM Security QRadar by integrating it with IBM Security QRadar SIEM , consolidating many IBM Security QRadar SIEM  alerts in IBM Security QRadar SOAR. We have created incident types for each IBM Security QRadar alert and handle each incident carefully in IBM Security QRadar SOAR, automating incidents at an advanced level, including the use of a custom SOAR SDK to develop a custom SOAR application to meet client requirements. We have leveraged the potential of IBM Security QRadar SOAR.

The best features of IBM Security QRadar, in my experience, include multiple application integrations available through the IBM App Exchange, and I particularly appreciate the Playbook Designer feature, which allows me to design playbooks on a canvas, making it user-friendly and efficient.

The Playbook Designer in IBM Security QRadar has specifically helped my workflow by allowing the creation of advanced SOAR playbooks, with many sub-playbooks integrated into the main playbook itself. This feature enables me to create great workflows using functions, scripts, and rules tailored to client requirements, and the integration of applications enhances the feasibility of using Playbook Designer while allowing me to expand playbooks as necessary.

IBM Security QRadar has positively impacted my organization by enabling me to mitigate many incidents and reduce manual tasks by up to 40%. I have noticed a decrease in incident response time and a significant reduction in the number of manual tasks performed, leading to more efficient overall operations.

IBM Security QRadar needs to be more user-friendly; the current build is based on basic code and could benefit from updates. Making IBM Security QRadar's interface more intuitive, similar to that of Splunk, would enhance usability. Additionally, improving the installation and deployment processes to minimize setup time compared to other SIEM and SOAR tools is necessary.

I gave IBM Security QRadar a score of six or seven out of ten because it has a very basic interface; the dashboards require extension management for better usability. There should be an effort to build more effective dashboards within IBM Security QRadar itself without relying on additional applications. Additionally, maintaining good compatibility with IBM App Exchange applications is crucial, as IBM Security QRadar SIEM is an older product that would benefit from code updates.

I have been using IBM Security QRadar for more than two years.

For others looking into using IBM Security QRadar, my advice is to first learn IBM Security QRadar SOAR. Training is essential, but IBM Security QRadar SOAR is not overly complicated, and the documentation from IBM's portal is quite good. By learning IBM Security QRadar SOAR first, users can operate it more efficiently and leverage its versatile features, including rules, workflows, and various custom properties. I would rate IBM Security QRadar a score of six out of ten.

I use IBM Security QRadar  to collect logs, analyze them, and share details. When I began investigating incidents and working with the SOC team, I was using IBM Security QRadar .

IBM Security QRadar has been a game-changer for our SOC at Kantar. It pulls everything together—logs from endpoints, networks, you name it—letting us spot threats faster and cut down response times by about 40% on stuff like phishing alerts and endpoint issues across our 6,000 machines.

IBM Security QRadar offers a wide range of powerful features. During phishing-related investigations, it greatly assists from an analyst’s investigation point of view. A core capability of IBM Security QRadar is visibility — it collects and normalizes logs and network flow events from multiple tools. It can ingest logs from almost any source. Its advanced, modular architecture supports real-time log collection from diverse systems, making it well-suited for environments using platforms such as CrowdStrike, Microsoft Defender, Trend Micro, and Symantec.

These features are highly beneficial in our environment because, from a security perspective, proper log collection and management are crucial. QRadar streamlines SOC operations by automating alert triggers and providing unified visibility across multiple environments, which enhances our team’s ability to handle phishing and EDR alerts effectively. The shift handover capability is another valuable feature of IBM Security QRadar. Real-time log normalization and its advanced analytics engine help reduce high-risk alerts and false positives by up to 50%.

From an analyst’s perspective, threat hunting and groundwork during rotational shifts, combined with SOAR  playbook automation, enable efficient endpoint isolation and quarantine actions. IBM Security QRadar also features a custom rules engine that allows analysts to create dynamic rules using AQL, targeting niche threats such as suspicious domains, all without vendor lock-in. Unlike rigid EDR policies, its petabyte-scale indexing efficiently handles massive event-per-second (EPS) volumes without performance degradation, making it ideal for expanding enterprise environments compared to lighter SIEM  solutions.

IBM Security QRadar needs improvement in several areas. It should be better integrated with AI, as L1 analysts often deal with noisy rules that require constant fine-tuning. Smarter, out-of-the-box analytics — comparable to CrowdStrike’s low false-positive performance — would significantly enhance efficiency. Additionally, a more intuitive and customizable dashboard would provide better visibility, making it easier to identify available options and streamline operations.

The QRadar mobile app also requires upgrades, as it currently lags behind with limited incident (offense) visibility and lacks push alerts for high-severity events. This becomes challenging during shift rotations. Adding an option for bulk offense closure with multi-select capabilities and predefined reason templates would save time, as manual tagging is currently cumbersome. These improvements are essential for optimizing the overall analyst experience.

I have used IBM Security QRadar for more than two years.

QRadar scales like a champ for our setup—handles petabyte-scale data

Good

Yeah, before QRadar, we were piecing things together with a mix of Microsoft Defender for logs from endpoints and some basic syslog forwarding from Trend Micro Deep Security , but it wasn't a full SIEM —just siloed tools that made correlation a nightmare.

complex

consultant

I can say that almost 35% of time is reduced, specifically 30 to 35% time reduction.

We looked at Splunk and Azure Sentinel  as main alternatives before landing on QRadar—Splunk for its search power and Sentinel  since we're heavy on Azure .

I recommend IBM Security QRadar because it is a trusted IBM product that many organizations and financial institutions use for its strong visibility and analytical capabilities. I have had a great experience working with IBM Security QRadar. From what I know, most SOC professionals agree that once you gain experience with QRadar, adapting to any other SIEM tool becomes much easier. Overall, I would rate my experience with IBM Security QRadar highly due to its robust features and wide industry adoption.