
Reviews from AWS customers

8 AWS reviews

External reviews

21 reviews

External reviews are not included in the AWS star rating for the product.


    Usama Khan

Improved incident detection and investigations have revealed integration issues that need fixes

  • January 10, 2026
  • Review provided by PeerSpot

What is our primary use case?

I was a SIEM administrator using IBM Security QRadar for ingesting log sources from all over the digital infrastructure of the organization I worked for. After ingesting logs from all servers and applications, I used the use case manager and offenses.

I managed and handled several incidents in IBM Security QRadar by creating many rules. I created a rule for Dark Web communication from the internal network of the organization. Based on that, I created a rule named Anonymous Tor Connection in which I called the reference set from the reference set type that I created for blacklisted IPs of Tor nodes and called it in the rules. If any of those IPs were detected as the destination IP from an internal network source IP, the alerts would trigger.

I created brute-force attack rules based on Windows Event IDs and created more rules for failed login attempts and audit success.

How has it helped my organization?

We achieved our objectives regarding SOC metrics and monitoring metrics, and the time of incidents and alerts. All of these metrics were accurate, to the point, and straightforward as they should be.

What is most valuable?

IBM Security QRadar makes things user-friendly because in the Log Activity tab, you can make a search right away as desired. All filters are available on the tab. You can group logs by source IP, event ID, destination IP, or port. The user interface makes investigation very easy for an analyst.

IBM Security QRadar can work on big data and should start supporting big data as Gartner's other top SIEM products do. An integrated LLM with IBM Security QRadar would be very good for its reputation. I started my career with IBM Security QRadar and totally love it. I do not want it to go down to the bottom of the top 10, but rather be in the top two or three SIEM products in Gartner's rating.

Dashboards are a good feature in IBM Security QRadar, but they can be improved. Other SIEM solutions such as Splunk and LogRhythm are working on integrated LLMs or AI chat.

What needs improvement?

IBM Security QRadar has many issues nowadays, particularly with WinCollect integrations and Windows-based WinCollect agent integrations. I was exhausted handling errors in WinCollect. When a Windows server was integrated with IBM Security QRadar via WinCollect agent version 7.3.1.28 Managed Mode Agent, logs stopped coming to the QRadar console. I checked and tried to toggle the PEM file in the agent's config. After deleting the PEM file and restarting the service, the PEM file was created. Although this was a solution provided by IBM support, it was not effective. I worked with IBM support to troubleshoot this issue, but it was very prolonged and was not getting resolved. I had to forcefully install another version of the WinCollect agent.

Other solutions were available such as AlienVault, ArcSight SIEM, and Wazuh SIEM. If you have dedicated assets in your infrastructure, you can go right away for IBM Security QRadar. However, if you have larger amounts of data, IBM Security QRadar will need more resources. You should evaluate based on EPS and your assets.

For how long have I used the solution?

I have been using IBM Security QRadar for more than two and a half years. I switched organizations and my current organization uses a different SIEM, so I have been detached from IBM Security QRadar.

What do I think about the stability of the solution?

IBM Security QRadar is stable, but some current versions are not stable. When I was upgrading IBM Security QRadar to version 7.4.3, my log sources all disappeared after upgrading to the next version. I opened a support ticket and they told me that this version had a bug. They instructed me to go into the user account and change the language to US English or Canadian English. After I did that, I got all the log sources back. This was a really troubling bug in IBM Security QRadar. This is a world-class product, but it has that type of bug.

What do I think about the scalability of the solution?

Customer support and scalability were very fine.

How are customer service and support?

When I upgraded IBM Security QRadar to version 7.4.3, my log sources disappeared after upgrading to the next version. I opened a support ticket and the team told me that this version had a bug. They instructed me to go into the user account and change the language to US English or Canadian English. After I did that, I obtained all the log sources back. This was a really troubling bug in IBM Security QRadar, as it is a world-class product but has that type of bug. Customer support and scalability were very fine.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

Legacy solutions were log management solutions, while IBM Security QRadar is a security information and event management (SIEM) solution that does all the work which previous multiple solutions were doing separately. IBM Security QRadar does all in one, which mitigated costs. However, I cannot give exact metrics on that because I have not worked on those legacy solutions. I started my career working with IBM Security QRadar SIEM.

I did not switch solutions; I switched companies. My current company had another solution, so I had to work with that because I am not the decision-maker to change the solution of a company. Teams and management are involved in deciding which solution is best for the organization. I can only suggest based on the features of the solution.

What's my experience with pricing, setup cost, and licensing?

Pricing and the license of EPS were managed by the governance team. I was not responsible for managing those. I was supposed to put up the requirement of the license needed to integrate that amount of assets of the organization, and I put the request to my GRC team. It was their responsibility to purchase that license and deal with the pricing of the EPS.

What other advice do I have?

Dark theme and white theme are enabled in the latest version of IBM Security QRadar, which is great. An integrated LLM such as Watson should be included in which I can enter an IP address and perform threat hunting steps on it. IBM Security QRadar should tell me what the possibilities of threats are on the specific source IP that I provided. Unstructured data should be supported as Elastic and Splunk work on big data, so IBM Security QRadar should start doing that too.

My day-to-day tasks were to check if the nightly backup is being created, whether there are any undeployed changes in IBM Security QRadar, and to check for new vulnerabilities in my current version to ensure my version is stable and all nodes are working properly. I verify that the HA component of my QRadar's console event processor is synchronized properly and that the data node is balancing all data between the nodes of IBM Security QRadar. If any integration comes up on my desk, I work on the integrations, and if any log sources are in error, I troubleshoot them whether they are database, Linux, Windows, or custom log sources.

I am fond of IBM Security QRadar because it is very user-friendly. I gave this review a rating of 7.5 out of 10.
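The two rule patterns this reviewer describes (an internal host contacting a destination held in a Tor-node reference set, and a Windows failed-logon brute-force threshold) simulated in plain Python over constructed events; this is an added example, not the reviewer's rules or IBM code. The reference-set contents, the RFC 1918 internal ranges, and the threshold and window values are assumptions; Event IDs 4625 and 4624 are the standard Windows failed and successful logon events.

```python
"""Offline simulation of two QRadar-style rules (added example, not from the
review or from IBM):
  1. "Anonymous Tor Connection": an internal source IP talks to a destination
     IP held in a reference set of blacklisted Tor node IPs.
  2. Brute force: >= threshold Windows failed logons (Event ID 4625) from one
     source IP inside a time window, flagged if a successful logon (4624)
     from the same source follows the failures.
All IPs and events below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed stand-in for the reference set of Tor node IPs. A real set is
# fed from a threat feed; these are RFC 5737 TEST-NET placeholders.
TOR_NODE_REFSET = {"203.0.113.10", "198.51.100.77"}

# Internal networks assumed for the example (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

WIN_FAILED_LOGON = 4625   # Windows Security: an account failed to log on
WIN_SUCCESS_LOGON = 4624  # Windows Security: an account was logged on


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def tor_connection_offenses(flows):
    """Rule 1: internal source -> destination present in the Tor reference set.
    Direction matters: a Tor node as *source* does not match this rule."""
    return [{"rule": "Anonymous Tor Connection", "src": f["src"], "dst": f["dst"]}
            for f in flows
            if is_internal(f["src"]) and f["dst"] in TOR_NODE_REFSET]


def brute_force_offenses(events, threshold=5, window=timedelta(minutes=5)):
    """Rule 2: at least `threshold` failed logons from one source IP within
    `window` (sliding window over that source's 4625 events). One offense per
    source; success_after_failures is True if a 4624 from the same source
    arrives after the last failure in the triggering window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    offenses = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event_id"] == WIN_FAILED_LOGON]
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end]["ts"]
                success = any(e["event_id"] == WIN_SUCCESS_LOGON and e["ts"] > last_fail
                              for e in evs)
                offenses.append({"rule": "Brute Force", "src": src,
                                 "count": end - start + 1,
                                 "success_after_failures": success})
                break
    return offenses


# Constructed sample data.
T0 = datetime(2025, 1, 1, 9, 0, 0)
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "203.0.113.10"},   # internal -> Tor node: offense
    {"src": "10.1.2.4", "dst": "198.51.100.5"},   # destination not in the set
    {"src": "203.0.113.10", "dst": "10.1.2.3"},   # reversed direction: no match
]
SAMPLE_EVENTS = [
    # 6 failures 10 s apart, then a success at +2 min: brute force, then success
    *[{"src": "192.168.5.9", "event_id": WIN_FAILED_LOGON, "user": "admin",
       "ts": T0 + timedelta(seconds=10 * i)} for i in range(6)],
    {"src": "192.168.5.9", "event_id": WIN_SUCCESS_LOGON, "user": "admin",
     "ts": T0 + timedelta(minutes=2)},
    # 6 failures 10 min apart: never 5 inside a 5-minute window, no offense
    *[{"src": "192.168.7.1", "event_id": WIN_FAILED_LOGON, "user": "svc",
       "ts": T0 + timedelta(minutes=10 * i)} for i in range(6)],
]

if __name__ == "__main__":
    for o in tor_connection_offenses(SAMPLE_FLOWS) + brute_force_offenses(SAMPLE_EVENTS):
        print(o)
```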


    Hamdi Gomaa

Proactive offense monitoring has strengthened investigations and reduced attack impact

  • January 10, 2026
  • Review provided by PeerSpot

What is our primary use case?

My main use case for IBM Security QRadar is its good features which create an offense or trigger an offense. This offense has a description and contains many events with sensitive or helpful information about the offense. My daily activity as a SOC analyst L1 is to determine whether the offense is legitimate, whether it is truly a suspicious or malicious offense, or a false positive. After that, I create a ticket to close it and determine if it is suspicious or not. If I need to conduct more investigation and delegate the ticket further, I escalate it to SOC L2 or the SOC Manager to take additional actions or conduct more investigation about it.

What is most valuable?

IBM Security QRadar is a very good SIEM solution because it has features that allow me to create rules or built-in lookups specific to my company. I can tune those to reduce the attack surface and be specific about the right malicious activities to reduce risk about an attack on my company or attacks on endpoints or assets.

IBM Security QRadar offers a good dashboard because it provides many things, including offense, log activity, network flow, reporting, and rules. All of these are very helpful for me as a SOC analyst L1 or a security engineer. I can see networking activities and log activities coming from our clients. IBM Security QRadar gathers information and logs from these sources and determines based on my rules whether to trigger an offense about that rule or not.

IBM Security QRadar is also helpful because when I see any IP or source IP and destination IP, I can search in IBM X-Force to determine if it is malicious or not. I can also scan the IP to see what it is and if it is related to a domain or a suspicious domain. Another very helpful feature is the built-in work or rules created by default from IBM product sales.

IBM Security QRadar has impacted my organization positively by helping me with many things, including catching attacks and moving quickly to reduce damage or risk from attacks. I cannot share specific information about how IBM Security QRadar helped me catch attacks quickly because it is sensitive information about my company, but IBM Security QRadar is helpful and has enabled me to accomplish many things.

What needs improvement?

The GUI or graphic interface for IBM Security QRadar is neither good nor bad, but I hope for it to be more interesting, more live, and have better style. IBM Security QRadar needs to improve its graphics.

For how long have I used the solution?

I have been using IBM Security QRadar for more than one year to detect and conduct further investigation and monitoring activities from our clients.

What other advice do I have?

My advice is that IBM Security QRadar is good. Splunk is also good, but IBM Security QRadar has many features including rules by default that I can tune the speed of. The core advice is that every SIEM is good, but what you will do with them and what you will work on with them is the secret. I would rate this product a 9 out of 10.


    reviewer2795490

Automation has reduced phishing response effort but interface and dashboards still need improvements

  • January 08, 2026
  • Review provided by PeerSpot

What is our primary use case?

IBM Security QRadar is primarily used for orchestration, automation, and incident response in my environment.

I use IBM Security QRadar for automation and incident response through a phishing mail playbook, where an employee sends a malicious phishing email to the SOAR inbox, and SOAR automatically generates an incident based on that email. After the incident is generated, we have created an advanced playbook that analyzes and scans the incident artifacts, extracting malicious elements in the notes. Following the identification of malicious content, another playbook sends an email notification about the findings and integrates with firewalls to automatically block the IOCs identified in the email. This is one of several playbooks we have developed.

Regarding my main use case for IBM Security QRadar, I have used most of IBM Security QRadar by integrating it with IBM Security QRadar SIEM, consolidating many IBM Security QRadar SIEM alerts in IBM Security QRadar SOAR. We have created incident types for each IBM Security QRadar alert and handle each incident carefully in IBM Security QRadar SOAR, automating incidents at an advanced level, including the use of a custom SOAR SDK to develop a custom SOAR application to meet client requirements. We have leveraged the potential of IBM Security QRadar SOAR.

What is most valuable?

The best features of IBM Security QRadar, in my experience, include multiple application integrations available through the IBM App Exchange, and I particularly appreciate the Playbook Designer feature, which allows me to design playbooks on a canvas, making it user-friendly and efficient.

The Playbook Designer in IBM Security QRadar has specifically helped my workflow by allowing the creation of advanced SOAR playbooks, with many sub-playbooks integrated into the main playbook itself. This feature enables me to create great workflows using functions, scripts, and rules tailored to client requirements, and the integration of applications enhances the feasibility of using Playbook Designer while allowing me to expand playbooks as necessary.

IBM Security QRadar has positively impacted my organization by enabling me to mitigate many incidents and reduce manual tasks by up to 40%. I have noticed a decrease in incident response time and a significant reduction in the number of manual tasks performed, leading to more efficient overall operations.

What needs improvement?

IBM Security QRadar needs to be more user-friendly; the current build is based on basic code and could benefit from updates. Making IBM Security QRadar's interface more intuitive, similar to that of Splunk, would enhance usability. Additionally, improving the installation and deployment processes to minimize setup time compared to other SIEM and SOAR tools is necessary.

I gave IBM Security QRadar a score of six or seven out of ten because it has a very basic interface; the dashboards require extension management for better usability. There should be an effort to build more effective dashboards within IBM Security QRadar itself without relying on additional applications. Additionally, maintaining good compatibility with IBM App Exchange applications is crucial, as IBM Security QRadar SIEM is an older product that would benefit from code updates.

For how long have I used the solution?

I have been using IBM Security QRadar for more than two years.

What other advice do I have?

For others looking into using IBM Security QRadar, my advice is to first learn IBM Security QRadar SOAR. Training is essential, but IBM Security QRadar SOAR is not overly complicated, and the documentation from IBM's portal is quite good. By learning IBM Security QRadar SOAR first, users can operate it more efficiently and leverage its versatile features, including rules, workflows, and various custom properties. I would rate IBM Security QRadar a score of six out of ten.


    Mohamed Fouad

Security monitoring has improved and helps us detect threats faster while building our SOC

  • December 22, 2025
  • Review from a verified AWS customer

What is our primary use case?

My main use case for IBM Security QRadar is implementing it as a SIEM solution to collect logs and correlate events so we can have offenses inside our organization.

Acting as a SIEM solution, IBM Security QRadar helps us deep dive into what happened in our network by collecting network flows and network events, and correlating events to generate incidents or offenses so we can stop attacks.

What is most valuable?

The best features IBM Security QRadar offers include its stability.

What makes IBM Security QRadar's stability stand out for me is that I am currently using FortiSIEM, but implementing IBM Security QRadar is a more advanced and more stable product, making it reliable for me to use.

IBM Security QRadar helps my organization correlate events and gain insight into our network traffic and security events.

Since using IBM Security QRadar, it has helped reduce security risks as we have a risk manager module, which is really helpful for us, and the response to an incident is very quick, so we have reduced the mean time to detect attacks.

What needs improvement?

I think the support for IBM Security QRadar needs improvement as it is a big product and needs more support engineers to help customers.

Support response time and providing more support engineers are the needed improvements.

For how long have I used the solution?

I have been working in my current field for about ten years.

What do I think about the stability of the solution?

IBM Security QRadar is stable.

What do I think about the scalability of the solution?

IBM Security QRadar's scalability is great.

How are customer service and support?

The customer support for IBM Security QRadar needs improvement.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

What was our ROI?

I have seen a return on investment in terms of time saved and money saved as we stopped attacks, which also means fewer employees are needed.

What's my experience with pricing, setup cost, and licensing?

Regarding the setup cost, it is great; the licensing module is very powerful and has a granular structure, so the licensing is great, but the price needs more focus to be compared to other vendors.

Which other solutions did I evaluate?

I did not evaluate other options before choosing IBM Security QRadar.

What other advice do I have?

I would advise others looking into using IBM Security QRadar that it can help your organization reduce the mean time to detect and mean time to respond, and also in building a SOC. I would rate this product a ten out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)


    Abhimanyu Das

Improved phishing investigations and threat hunting have strengthened our security operations

  • December 14, 2025
  • Review from a verified AWS customer

What is our primary use case?

I use IBM Security QRadar to collect logs, analyze them, and share details. When I began investigating incidents and working with the SOC team, I was using IBM Security QRadar.

How has it helped my organization?

IBM Security QRadar has been a game-changer for our SOC at Kantar. It pulls everything together—logs from endpoints, networks, you name it—letting us spot threats faster and cut down response times by about 40% on stuff like phishing alerts and endpoint issues across our 6,000 machines.

What is most valuable?

IBM Security QRadar offers a wide range of powerful features. During phishing-related investigations, it greatly assists from an analyst’s investigation point of view. A core capability of IBM Security QRadar is visibility — it collects and normalizes logs and network flow events from multiple tools. It can ingest logs from almost any source. Its advanced, modular architecture supports real-time log collection from diverse systems, making it well-suited for environments using platforms such as CrowdStrike, Microsoft Defender, Trend Micro, and Symantec.

These features are highly beneficial in our environment because, from a security perspective, proper log collection and management are crucial. QRadar streamlines SOC operations by automating alert triggers and providing unified visibility across multiple environments, which enhances our team’s ability to handle phishing and EDR alerts effectively. The shift handover capability is another valuable feature of IBM Security QRadar. Real-time log normalization and its advanced analytics engine help reduce high-risk alerts and false positives by up to 50%.

From an analyst’s perspective, threat hunting and groundwork during rotational shifts, combined with SOAR playbook automation, enable efficient endpoint isolation and quarantine actions. IBM Security QRadar also features a custom rules engine that allows analysts to create dynamic rules using AQL, targeting niche threats such as suspicious domains, all without vendor lock-in. Unlike rigid EDR policies, its petabyte-scale indexing efficiently handles massive event-per-second (EPS) volumes without performance degradation, making it ideal for expanding enterprise environments compared to lighter SIEM solutions.

What needs improvement?

IBM Security QRadar needs improvement in several areas. It should be better integrated with AI, as L1 analysts often deal with noisy rules that require constant fine-tuning. Smarter, out-of-the-box analytics — comparable to CrowdStrike’s low false-positive performance — would significantly enhance efficiency. Additionally, a more intuitive and customizable dashboard would provide better visibility, making it easier to identify available options and streamline operations.

The QRadar mobile app also requires upgrades, as it currently lags behind with limited incident (offense) visibility and lacks push alerts for high-severity events. This becomes challenging during shift rotations. Adding an option for bulk offense closure with multi-select capabilities and predefined reason templates would save time, as manual tagging is currently cumbersome. These improvements are essential for optimizing the overall analyst experience.

For how long have I used the solution?

I have used IBM Security QRadar for more than two years.

What do I think about the stability of the solution?

QRadar scales like a champ for our setup—handles petabyte-scale data.

How are customer service and support?

Good

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Yeah, before QRadar, we were piecing things together with a mix of Microsoft Defender for logs from endpoints and some basic syslog forwarding from Trend Micro Deep Security, but it wasn't a full SIEM—just siloed tools that made correlation a nightmare.

How was the initial setup?

Complex

What about the implementation team?

Consultant

What was our ROI?

I can say that time is reduced by almost 35%, specifically a 30 to 35% time reduction.

Which other solutions did I evaluate?

We looked at Splunk and Azure Sentinel as main alternatives before landing on QRadar—Splunk for its search power and Sentinel since we're heavy on Azure.

What other advice do I have?

I recommend IBM Security QRadar because it is a trusted IBM product that many organizations and financial institutions use for its strong visibility and analytical capabilities. I have had a great experience working with IBM Security QRadar. From what I know, most SOC professionals agree that once you gain experience with QRadar, adapting to any other SIEM tool becomes much easier. Overall, I would rate my experience with IBM Security QRadar highly due to its robust features and wide industry adoption.


    Mohamed Fouad

Building a proactive SOC has improved threat correlation and deep log investigation

  • December 03, 2025
  • Review from a verified AWS customer

What is our primary use case?

My main use case for IBM Security QRadar is building a SOC with IBM Security QRadar as a SIEM.

I use IBM Security QRadar in my SOC operations as a security information and event management tool, to correlate events and build use cases for incident response.

My main use case helps us to deep dive into the logs and correlate events from many other products like firewalls, endpoints, and also a lot of products.

What is most valuable?

The best features IBM Security QRadar offers include vulnerability management, powerful integration, and being a stable product. The vulnerability management feature helps to build an asset library for our organization, and with integrations, we can integrate this vulnerability data with other ticketing systems to discover new vulnerabilities and build patch management for it.

IBM Security QRadar has positively impacted my organization by allowing me to get offenses and threats into our organization, helping me to discover the real threats attacking our organization. The real threats that IBM Security QRadar helps us with are provided as offenses, real offenses with real examples that allow us to discover new offenses and assist in closing these offenses.

What needs improvement?

IBM Security QRadar can be improved; perhaps IBM support needs improvement in fast response and also the team response.

For how long have I used the solution?

I have been using IBM Security QRadar for about nine years.

What do I think about the stability of the solution?

IBM Security QRadar is stable.

What do I think about the scalability of the solution?

IBM Security QRadar's scalability is great; you can deploy a new collector if your EPS increases.

How are customer service and support?

Customer support for IBM Security QRadar needs improvement.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

I have not used a different solution before IBM Security QRadar; this is my first use.

What was our ROI?

I have seen a return on investment; I can share that it includes time saved, money saved, and fewer employees needed.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing is great compared to the other vendor.

Which other solutions did I evaluate?

I did not evaluate other options before choosing IBM Security QRadar.

What other advice do I have?

IBM Security QRadar is stable and has great support.

I advise others looking into using IBM Security QRadar that it is really helpful for building a SOC and to get a deep dive into your real threats at the earliest time. I have given this product a review rating of 10.


    HarshBhardiya

Have managed daily asset and alert monitoring effectively but have encountered limitations with manual processes and interface usability

  • October 28, 2025
  • Review from a verified AWS customer

What is our primary use case?

The use cases are daily monitoring, asset management, asset monitoring, asset health status monitoring, and alert monitoring. That is the current use case of what SIEM is being used for.

What is most valuable?

The query search and log fetching are really helpful in IBM Security QRadar when compared to other tools.

Compared to ArcSight, Splunk, or any other SIEM tools, where you need their processing language such as SQL or SPL, and in Sentinel the KQL query language, IBM Security QRadar doesn't require reliance on query languages. There are filters which you can use directly and apply to get the data you want fairly easily.

What needs improvement?

It's still very manual and doesn't work on its own. It's still in an early stage and not on par where we can consider it a really successful detection system. The accuracy is not there.

The UI could be better when compared to Sentinel, where we can use flags and tagging. It could be much more user-friendly. IBM Security QRadar has all features and is fully competitive with other SIEM tools, but when it comes to user-friendliness, a new user takes time to get used to it. More intuitive, user-friendly interfaces and more helpful documentation would be beneficial.

The query searching and data fetching could be faster. In large to very large organizations with around 5,000 or 6,000 assets or beyond, even with proper configurations and RAM and hardware backing up, the query is fairly slow.

For how long have I used the solution?

I have been using it for almost nine months.

What do I think about the stability of the solution?

The solution is extremely stable because it's on cloud. On cloud, you don't see any disconnections or instability. Any solution that is on cloud works really stably.

What do I think about the scalability of the solution?

I am both a customer and we provide service to that.

How are customer service and support?

I never needed to reach out to support because most of the expertise was already available.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have used ArcSight, and in parallel we are using Sentinel. I have also used Wazuh and Splunk.

How was the initial setup?

There are analytical workspaces where we create automatic ticket creations and automatic email notifications.

What about the implementation team?

I have worked on technologies including Qualys, Group-IB, and QRadar. I have experience with CrowdStrike EDR and Bitdefender. On the EDR front, I have worked on CrowdStrike and Bitdefender. For SIEMs, I work with IBM Security QRadar and Sentinel. For vulnerability assessments, I work with Qualys.

What was our ROI?

There are no observable benefits on ROI process-wise, workability-wise, or usability-wise.

Which other solutions did I evaluate?

We chose IBM Security QRadar because we were moving to cloud. Previously it was an on-prem solution. Compared to Splunk and Sentinel, it's much more cost-effective.

What other advice do I have?

IBM Security QRadar is capable of handling much of the market requirements. It's comparable to any other SIEM tool without standing out significantly.

It's fairly open for custom integrations, but it depends on what type of logs we are receiving and what kind of parsing we are getting done. The integrations are totally based on the skill sets if third-party or custom integrations are required.

When it comes to log management, it's fairly easy to manage and the log rotate is really good compared to any standard SIEM tool. It just gets the work done.

I rate IBM Security QRadar an 8 out of 10.


    Francisco JavierRomo

Has provided fast deployment with out-of-the-box use cases and improved threat detection through integrated AI tools

  • October 21, 2025
  • Review from a verified AWS customer

What is our primary use case?

In IBM Security QRadar, I used to work for a company that wanted to implement AI, generative AI, to help financials and banks improve their process of software development, including testing for their tools and all the releases they are doing for the improvements of the applications of software on the cloud.

What is most valuable?

IBM Security QRadar's AI and machine learning capabilities for threat detection and response are exceptional, and Q Site is used to create panels and visualizations of software development processes. It's really fast and impressive compared to QuickSight. The detector library contributes significantly to its functionality. The main importance is the releases without any kind of security breaches, and IBM Security QRadar gives the opportunity to improve the time to market of the releases with a great evaluation of cybersecurity breaches. It's currently the top solution in the industry.

What needs improvement?

I assess the integration of third-party technologies with IBM Security QRadar's open architecture as lacking compared with what is available, because there are more genesis and solutions, but nothing compares with AWS cloud solutions. The top integrations happen here. The only difficulty is when integrating with ServiceNow; solutions from Microsoft, Google, Rackspace are really complex to integrate with ServiceNow, but Amazon is easier than other solutions.

I'm talking about IT Operation Management or hardware as management, DevOps or SecOps of ServiceNow, and those are really complex use cases to integrate with third parties, but Amazon does it better.

Overall, I would rate IBM Security QRadar an 8.5, because it depends on the use case, but there should be more focus on small and medium businesses, especially given the number of FinTechs and entrepreneurs in Mexico that require easier solutions with less budget. AWS Cloud is amazing for macro projects on software development, but it needs to be more accessible for SMBs, which is why I give it an 8.5; there's room for improvement in that area.

For how long have I used the solution?

With AWS as a cloud provider, I used to work for a company that implements solutions for AWS cloud solutions.

How are customer service and support?

I would rate their customer service or technical support as the best in Mexico. The only issue is the language barrier sometimes, because customer support services are used from India, and that can be challenging. While I speak English, it's difficult to understand some accents. However, besides that, local support in Mexico has people ready to provide level one, level two, and level three support. When something complex arises, the ticket gets transferred to India or to third parties not in Mexico, but it's very difficult to scale a ticket that far. The customer support located in Mexico speaks Spanish and they help to resolve issues, depending on the agent.

How would you rate customer service and support?

Neutral

How was the initial setup?

For the initial setup of IBM Security QRadar, you need to have the right people, but if you are a newbie to these kinds of solutions and want to do out-of-the-box implementations, Amazon provides out-of-the-box use cases that you can implement immediately, and the personalization is easy to accomplish.

What was our ROI?

In terms of return on investment, I have worked on exercises where the payback occurs within three or four months, which is very good for a cloud solution because implementation cycles can be really long. AWS gives the chance to implement a solution out of the box with use cases that are already in IBM Security QRadar. Solutions such as Q Business, Q Site, QuickSight are already out of the box, so implementing and configuring a use case takes about two to three months, with the payback being almost immediate.

What's my experience with pricing, setup cost, and licensing?

The pricing for IBM Security QRadar is not the best, but it's not the worst. It depends on how much you want to spend. The last time I worked with this technology was in 2023. The pricing reflects how much you want to spend for the results you want to have. If you want the best of the best, you go to AWS Cloud.

What other advice do I have?

I rate IBM Security QRadar 8.5 out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)


    Mauricio Campiglia

Has supported threat monitoring and data collection but needs to improve usability and feature growth

  • October 01, 2025
  • Review provided by PeerSpot

What is our primary use case?

We use IBM Security QRadar to monitor, and it's our main source of information. It's our main SIEM platform for our SOC, and we've collected everything on that platform.

We don't use IBM Security QRadar's Risk Manager; mainly, it was our main tool to collect information and conduct some analytics on logs and events. That's the primary use case we've been utilizing.

What is most valuable?

The best features of IBM Security QRadar are that it's pervasive. You can have IBM Security QRadar in the dust quite easily, and almost everybody knows the platform. Almost nobody's going to say you bought the wrong SIEM if you buy IBM Security QRadar.

The integration of third-party technologies with IBM Security QRadar is one of the high points they have. They integrate with almost anybody, anywhere. There's an integrator tool for almost anything. Everybody talks with IBM Security QRadar because they were the SIEM name of the game, at least in this country. So the integration part is one of their key advantages.

Long ago, IBM Security QRadar enabled us to have some analytics pre-thought for us. When we started with our SOC, we used some log collectors and other tools, and IBM Security QRadar gave us the advantage of having some analytics pre-considered for us. However, that was long ago. It has become just a log and events collector and our main repository of security events.

What needs improvement?

As far as reliability, security, and how it operates, I think it's because they hit first on the market, and then they built upon that, our name alongside the IBM name. Those are the reasons. It's quite awkward to use the platform; it's not intuitive, the learning curve is quite deep, and I really don't understand why it was so pervasive. However, if you have to sell managed security services to some people that use a SIEM, more than half the time you end up with an IBM Security QRadar platform on the other side. The other half you end up with WSO2, at least in Latin America.

I haven't tried IBM Security QRadar's AI and machine learning capabilities for threat detection and response fully enough to evaluate them yet.

We've been building our SOAR capabilities with other tools, and we haven't used IBM Security QRadar's Analytics Engine for automating SOC tasks.

We are not using it as we used to, and I think that advantage is fading out, particularly after the selling of the product to Palo Alto. We are considering some roadmaps to get out of IBM Security QRadar right now; that's the truth.

For how long have I used the solution?

We have been using IBM Security QRadar since pre-pandemic; I think maybe 10 to 12 years right now.

How are customer service and support?

I find IBM support to be nice. However, as a former IBMer, I may have had some advantages in getting support because I had some contacts. The support information is correct; you get to the information and access the technical documents you need because the information is there, and they used to care about their product. I don't know how it's going to be once the program is fully under Palo Alto's management.

For the support team, I would rate IBM support an eight, a solid eight. With the support we used to have within IBM, it was good.

How would you rate customer service and support?

Positive

How was the initial setup?

Setting up IBM Security QRadar is difficult; it has a deep learning curve for the analysts, and there are several hurdles to handle to get IBM Security QRadar running on your infrastructures. On the other hand, once you connect the dots, they keep sending the information, and you can continue getting those events.

What's my experience with pricing, setup cost, and licensing?

The pricing, setup cost, or licensing with IBM Security QRadar was costly. It was costly mainly for the things we used to use it for. The customers used to pay the price, but it was one of the problems to onboard some people with IBM Security QRadar. It was costly mainly because of the value you can get right now compared to other solutions.

What other advice do I have?

We are thinking about moving outside of the IBM Security QRadar ecosystem due to cost and the belief that some functionalities of new SIEM platforms are surpassing IBM Security QRadar. We think they are not keeping pace with SIEM, which makes it harder for them to differentiate their product or compete against others that are cheaper and easier to deploy.

If you had asked me this question five or seven years ago, I would have given it a solid 10, maybe a nine, but today I believe they are losing track of that. The overall rating for IBM Security QRadar is seven out of ten.

We were partners when they were under IBM. We've been in an IBM program of MSSP for Latin America, so we were partners of IBM Security QRadar when it was within IBM. However, with the selling to Palo Alto this year, we lost that partnership and are now just customers of a reseller.

We operate the platform for our customers. We don't have IBM Security QRadar for our own use.


    Jwal Patel

User-friendly interface facilitates quick adaptation and effective threat response

  • August 29, 2025
  • Review from a verified AWS customer

What is our primary use case?

For incident investigation, IBM Security QRadar is used for logs and management. We get all the traffic from there, which gets logged in our system, and then we investigate it.

What is most valuable?

There are many things I appreciate about IBM Security QRadar. I haven't used any other SIEM before IBM Security QRadar, so for me, it is perfect. Sometimes it takes time to load queries, but other than that, it performs excellently.

I would assess IBM Security QRadar's AI and machine learning capabilities as very helpful for threat detection and response. You have to fine-tune it sometimes with your own investigation, as sometimes they give false alerts about our system.

You have to put your own exceptions inside it, and then they won't give you another ticket about those false incidents.

What needs improvement?

Sometimes it takes time to load queries, but other than that, it performs excellently.

For how long have I used the solution?

Personally, I have been using IBM Security QRadar for four months, but my company has been using it for three years.

How are customer service and support?

I would rate their support an 8.5 with IBM. The support is really good; for instance, if a critical ticket is submitted, you will get paged right away as it gets logged, and their analyst will look into it, letting you know as soon as possible so you can work on it. If there is something bad going on or something faulty with IBM Security QRadar, when you reach out to them, they reply in 10 to 20 minutes.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I haven't used any other SIEM before IBM Security QRadar.

What other advice do I have?

I deal with products such as IBM or Elastic solutions. I have experience with IBM Security QRadar, but not with Elastic; however, we are trying to get into Elastic.

We use many different cloud providers as our main cloud provider. AWS is one of those. We did not purchase the IBM Security QRadar product through AWS Marketplace; that's handled by our IT team.

I work in the dealership industry, specifically in home hardware. It is easy to use; I wasn't familiar with it, but after getting one-on-one training with my senior, I was able to use it very efficiently and learned it quickly.

We use IBM Security QRadar's Risk Manager, but I don't use it directly as it's related to my senior. I investigate it, but those procedures are based on my senior's decisions. I have not used IBM Security QRadar's analytics engine for automating SOC tasks.

The integration of third-party technologies with IBM Security QRadar's open architecture is good; it integrates with other solutions efficiently. I have used it with many different platforms such as SentinelOne and ExtraHop, and it integrates effectively.

My company is a customer of IBM. The overall rating for IBM Security QRadar is 9 out of 10.

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?