
Reviews from AWS customers

8 AWS reviews

External reviews

21 reviews

External reviews are not included in the AWS star rating for the product.

4-star reviews

    Usama Khan

Improved incident detection and investigations have revealed integration issues that need fixes

  • January 10, 2026
  • Review provided by PeerSpot

What is our primary use case?

I was a SIEM administrator using IBM Security QRadar for ingesting log sources from all over the digital infrastructure of the organization I worked for. After ingesting logs from all servers and applications, I used the use case manager and offenses.

I managed and handled several incidents in IBM Security QRadar by creating many rules. I created a rule for Dark Web communication from the internal network of the organization. Based on that, I created a rule named Anonymous Tor Connection in which I called the reference set from the reference set type that I created for blacklisted IPs of Tor nodes and called it in the rules. If any of those IPs were detected as the destination IP from an internal network source IP, the alerts would trigger.

I created brute-force attack rules based on Windows Event IDs and created more rules for failed login attempts and audit success.

How has it helped my organization?

We achieved our objectives regarding SOC metrics and monitoring metrics, and the time of incidents and alerts. All of these metrics were accurate, to the point, and straightforward as they should be.

What is most valuable?

IBM Security QRadar makes things user-friendly because in the Log Activity tab, you can make a search right away as desired. All filters are available on the tab. You can group logs by source IP, event ID, destination IP, or port. The user interface makes investigation very easy for an analyst.

IBM Security QRadar can work on big data and should start supporting big data as the other top SIEM products in Gartner's ranking do. An integrated LLM with IBM Security QRadar would be very good for its reputation. I started my career with IBM Security QRadar and totally love it. I do not want it to drop to the bottom of the top 10, but rather be in the top two or three SIEM products in Gartner's rating.

Dashboards are a good feature in IBM Security QRadar, but they can be improved. Other SIEM solutions such as Splunk and LogRhythm are working on integrated LLMs or AI chat.

What needs improvement?

IBM Security QRadar has many issues nowadays, particularly with WinCollect integrations and Windows-based WinCollect agent integrations. I was exhausted handling errors in WinCollect. When a Windows server was integrated with IBM Security QRadar via WinCollect agent version 7.3.1.28 Managed Mode Agent, logs stopped coming to the QRadar console. I checked and tried to toggle the PEM file in the agent's config. After deleting the PEM file and restarting the service, the PEM file was created. Although this was a solution provided by IBM support, it was not effective. I worked with IBM support to troubleshoot this issue, but it was very prolonged and was not getting resolved. I had to forcefully install another version of the WinCollect agent.

Other solutions were available such as AlienVault, ArcSight SIEM, and Wazuh SIEM. If you have dedicated assets in your infrastructure, you can go right away for IBM Security QRadar. However, if you have larger amounts of data, IBM Security QRadar will need more resources. You should evaluate based on EPS and your assets.

For how long have I used the solution?

I have been using IBM Security QRadar for more than two and a half years. I switched organizations and my current organization uses a different SIEM, so I have been detached from IBM Security QRadar.

What do I think about the stability of the solution?

IBM Security QRadar is stable, but some current versions are not stable. When I was upgrading IBM Security QRadar to version 7.4.3, my log sources all disappeared after upgrading to the next version. I opened a support ticket and they told me that this version had a bug. They instructed me to go into the user account and change the language to US English or Canadian English. After I did that, I got all the log sources back. This was a really troubling bug in IBM Security QRadar. This is a world-class product, but it has that type of bug.

What do I think about the scalability of the solution?

Customer support and scalability were very fine.

How are customer service and support?

When I upgraded IBM Security QRadar to version 7.4.3, my log sources disappeared after upgrading to the next version. I opened a support ticket and the team told me that this version had a bug. They instructed me to go into the user account and change the language to US English or Canadian English. After I did that, I obtained all the log sources back. This was a really troubling bug in IBM Security QRadar, as it is a world-class product but has that type of bug. Customer support and scalability were very fine.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

Legacy solutions were log management solutions, while IBM Security QRadar is a security information event management SIEM that does all the work which previous multiple solutions were doing separately. IBM Security QRadar does all in one, which mitigated costs. However, I cannot give exact metrics on that because I have not worked on those legacy solutions. I started my career working with IBM Security QRadar SIEM.

I did not switch solutions; I switched companies. My current company had another solution, so I had to work with that because I am not the decision-maker to change the solution of a company. Teams and management are involved in deciding which solution is best for the organization. I can only suggest based on the features of the solution.

What's my experience with pricing, setup cost, and licensing?

Pricing and the license of EPS were managed by the governance team. I was not responsible for managing those. I was supposed to put up the requirement of the license needed to integrate that amount of assets of the organization, and I put the request to my GRC team. It was their responsibility to purchase that license and deal with the pricing of the EPS.

What other advice do I have?

Dark theme and white theme are enabled in the latest version of IBM Security QRadar, which is great. An integrated LLM such as Watson should be included in which I can enter an IP address and perform threat hunting steps on it. IBM Security QRadar should tell me what the possibilities of threats are on the specific source IP that I provided. Unstructured data should be supported as Elastic and Splunk work on big data, so IBM Security QRadar should start doing that too.

My day-to-day tasks were to check if the nightly backup is being created, whether there are any undeployed changes in IBM Security QRadar, and to check for new vulnerabilities in my current version to ensure my version is stable and all nodes are working properly. I verify that the HA component of my QRadar's console event processor is synchronized properly and that the data node is balancing all data between the nodes of IBM Security QRadar. If any integration comes up on my desk, I work on the integrations, and if any log sources are in error, I troubleshoot them whether they are database, Linux, Windows, or custom log sources.

I am fond of IBM Security QRadar because it is very user-friendly. I gave this review a rating of 7.5 out of 10.
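The two rules the review above describes (a reference-set match for internal sources talking to Tor node IPs, and a Windows brute-force rule built on Event IDs) can be re-implemented outside QRadar to check the logic. The block below is an added example, not the reviewer's rules and not IBM's code: a stand-alone Python detection run over constructed log lines. The key=value log format, the Tor IPs (RFC 5737 documentation addresses), the internal ranges, the five-failures-in-five-minutes threshold and the account names are all assumptions made for the example.

```python
"""Added example (not from the review or from IBM): two QRadar-style rules
re-implemented stand-alone so they can be checked offline.

 1. "Anonymous Tor Connection": internal source IP -> destination IP that
    is in a reference set of Tor node IPs.
 2. Windows brute force: >= threshold failed logons (Event ID 4625) per
    (source IP, account) in a sliding window, flagged as success_after
    when a successful logon (4624) from the same pair follows.
The log format, IPs, ranges and thresholds are assumptions for the example."""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed reference set (documentation addresses, not real Tor nodes).
TOR_NODE_REFERENCE_SET = frozenset({"198.51.100.7", "203.0.113.42"})
# "Internal" means RFC 1918 space for this example.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Event:
    ts: datetime
    src_ip: str
    dst_ip: str
    event_id: Optional[int]  # Windows Event ID, None for non-Windows events
    user: Optional[str]      # target account for logon events, else None


def parse_event(line: str) -> Event:
    """Parse one constructed 'k=v k=v ...' line; '-' marks an absent field."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Event(ts=datetime.fromisoformat(kv["ts"]), src_ip=kv["src"], dst_ip=kv["dst"],
                 event_id=None if kv["eid"] == "-" else int(kv["eid"]),
                 user=None if kv["user"] == "-" else kv["user"])


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def detect_tor_connections(events: List[Event]) -> List[Event]:
    """Rule 1. Direction matters: an inbound connection *from* a Tor IP is a
    different rule and is deliberately not matched here."""
    return [e for e in events if is_internal(e.src_ip) and e.dst_ip in TOR_NODE_REFERENCE_SET]


def detect_brute_force(events: List[Event], threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Rule 2: one alert per (src_ip, user) once `threshold` 4625s fall inside
    `window`; a 4624 for the same pair within `window` of the last failure
    sets success_after=True, the case an analyst should triage first."""
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Dict[str, object]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event_id not in (4624, 4625) or e.user is None:
            continue
        key = (e.src_ip, e.user)
        if e.event_id == 4625:
            q = failures[key]
            q.append(e.ts)
            while q and e.ts - q[0] > window:  # drop failures that left the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"src_ip": e.src_ip, "user": e.user, "failures": len(q),
                               "first_failure": q[0], "last_failure": e.ts,
                               "success_after": False}
        else:  # 4624 success
            alert = alerts.get(key)
            if alert and alert["last_failure"] <= e.ts <= alert["last_failure"] + window:
                alert["success_after"] = True
    return list(alerts.values())


# Constructed sample: one Tor hit, one benign flow, one inbound-only Tor IP,
# a five-failure burst that ends in a success, and a slow trickle below threshold.
SAMPLE_LOG = [
    "ts=2026-01-10T09:00:01 src=10.0.0.5 dst=198.51.100.7 eid=- user=-",
    "ts=2026-01-10T09:00:02 src=10.0.0.6 dst=192.0.2.10 eid=- user=-",
    "ts=2026-01-10T09:00:03 src=203.0.113.42 dst=10.0.0.5 eid=- user=-",
] + [f"ts=2026-01-10T09:05:{s:02d} src=10.0.0.9 dst=10.0.0.20 eid=4625 user=alice"
     for s in range(0, 50, 10)] + [  # five failures, 09:05:00 .. 09:05:40
    "ts=2026-01-10T09:06:00 src=10.0.0.9 dst=10.0.0.20 eid=4624 user=alice",
    "ts=2026-01-10T09:10:00 src=10.0.0.11 dst=10.0.0.20 eid=4625 user=bob",
    "ts=2026-01-10T09:20:00 src=10.0.0.11 dst=10.0.0.20 eid=4625 user=bob",
]


def run_sample() -> Dict[str, object]:
    events = [parse_event(line) for line in SAMPLE_LOG]
    return {"tor": detect_tor_connections(events), "brute_force": detect_brute_force(events)}


if __name__ == "__main__":
    result = run_sample()
    for hit in result["tor"]:
        print(f"Anonymous Tor Connection: {hit.src_ip} -> {hit.dst_ip} at {hit.ts}")
    for a in result["brute_force"]:
        print(f"Brute force: {a['user']} from {a['src_ip']}, {a['failures']} failures, "
              f"success_after={a['success_after']}")
```

On the sample the Tor rule fires only for 10.0.0.5, not for the inbound event whose source is a Tor IP, and the brute-force rule fires once for alice with success_after set while bob's two failures ten minutes apart stay below threshold. In QRadar the reference set would be kept current from a Tor node feed and the 4624-after-4625 condition is what turns a noisy brute-force rule into a credible-compromise offense.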


    Hamdi Gomaa

Proactive offense monitoring has strengthened investigations and reduced attack impact

  • January 10, 2026
  • Review provided by PeerSpot

What is our primary use case?

My main use case for IBM Security QRadar is its good features that create or trigger an offense. This offense has a description and contains many events with sensitive or helpful information about the offense. My daily activity as a SOC L1 analyst is to determine whether the offense is legitimate, whether it is truly suspicious or malicious, or a false positive. After that, I create a ticket to close it and record whether it is suspicious or not. If more investigation is needed and the ticket has to be delegated further, I escalate it to SOC L2 or the SOC Manager to take additional action or conduct more investigation.

What is most valuable?

IBM Security QRadar is a very good SIEM solution because it has features that allow me to create rules or built-in lookups specific to my company. I can tune those to reduce the attack surface and be specific about the right malicious activities to reduce risk about an attack on my company or attacks on endpoints or assets.

IBM Security QRadar offers a good dashboard because it provides many things, including offense, log activity, network flow, reporting, and rules. All of these are very helpful for me as a SOC analyst L1 or a security engineer. I can see networking activities and log activities coming from our clients. IBM Security QRadar gathers information and logs from these sources and determines based on my rules whether to trigger an offense about that rule or not.

IBM Security QRadar is also helpful because when I see any IP or source IP and destination IP, I can search in IBM X-Force to determine if it is malicious or not. I can also scan the IP to see what it is and if it is related to a domain or a suspicious domain. Another very helpful feature is the built-in work or rules created by default from IBM product sales.

IBM Security QRadar has impacted my organization positively by helping me with many things, including catching attacks and moving quickly to reduce damage or risk from attacks. I cannot share specific information about how IBM Security QRadar helped me catch attacks quickly because it is sensitive information about my company, but IBM Security QRadar is helpful and has enabled me to accomplish many things.

What needs improvement?

The GUI or graphic interface for IBM Security QRadar is neither good nor bad, but I hope for it to be more interesting, more live, and have better style. IBM Security QRadar needs to improve its graphics.

For how long have I used the solution?

I have been using IBM Security QRadar for more than one year to detect and conduct further investigation and monitoring activities from our clients.

What other advice do I have?

My advice is that IBM Security QRadar is good. Splunk is also good, but IBM Security QRadar has many features including rules by default that I can tune the speed of. The core advice is that every SIEM is good, but what you will do with them and what you will work on with them is the secret. I would rate this product a 9 out of 10.


    HarshBhardiya

Have managed daily asset and alert monitoring effectively but have encountered limitations with manual processes and interface usability

  • October 28, 2025
  • Review from a verified AWS customer

What is our primary use case?

The use cases are daily monitoring, asset management, asset monitoring, asset health status monitoring, and alert monitoring. That is the current use case of what SIEM is being used for.

What is most valuable?

The query search and log fetching are really helpful in IBM Security QRadar when compared to other tools.

Compared to ArcSight, Splunk, or other SIEM tools, where you need their own processing language (a structured query language, SPL, or KQL in Sentinel), IBM Security QRadar does not rely on a query language. There are filters that you can apply directly to get the data you want fairly easily.

What needs improvement?

It's still very manual and doesn't work on its own. It's still in an early stage and not on par where we can consider it a really successful detection system. The accuracy is not there.

The UI could be better when compared to Sentinels where we can use flags and tagging. It could be much more user-friendly. IBM Security QRadar has all features and is fully competitive with other SIEM tools, but when it comes to user-friendliness, a new user takes time to get used to it. More intuitive, user-friendly interfaces and more helpful documentation would be beneficial.

The query searching and data fetching could be faster. In large to very large organizations with around 5,000 or 6,000 assets or beyond, even with proper configurations and RAM and hardware backing up, the query is fairly slow.

For how long have I used the solution?

I have been using it for almost nine months.

What do I think about the stability of the solution?

The solution is extremely stable because it's on cloud. On cloud, you don't see any disconnections or instability. Any solution that is on cloud works really stably.

What do I think about the scalability of the solution?

I am both a customer and a provider of services on top of it.

How are customer service and support?

I never needed to reach out to support because most of the expertise was already available.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have used ArcSight, and in parallel we are using Sentinel. I have also used Wazuh and Splunk.

How was the initial setup?

There are analytical workspaces where we create automatic ticket creations and automatic email notifications.

What about the implementation team?

I have worked on technologies including Qualys, Group-IB, and QRadar. I have experience with CrowdStrike EDR and Bitdefender. On the EDR front, I have worked on CrowdStrike and Bitdefender. For SIEMs, I work with IBM Security QRadar and Sentinel. For vulnerability assessments, I work with Qualys.

What was our ROI?

There are no observable benefits on ROI process-wise, workability-wise, or usability-wise.

Which other solutions did I evaluate?

We chose IBM Security QRadar because we were moving to cloud. Previously it was an on-prem solution. Compared to Splunk and Sentinel, it's much more cost-effective.

What other advice do I have?

IBM Security QRadar is capable of handling much of the market requirements. It's comparable to any other SIEM tool without standing out significantly.

It's fairly open for custom integrations, but it depends on what type of logs we are receiving and what kind of parsing we are getting done. The integrations are totally based on the skill sets if third-party or custom integrations are required.

When it comes to log management, it's fairly easy to manage and the log rotate is really good compared to any standard SIEM tool. It just gets the work done.

I rate IBM Security QRadar an 8 out of 10.


    Francisco JavierRomo

Has provided fast deployment with out-of-the-box use cases and improved threat detection through integrated AI tools

  • October 21, 2025
  • Review from a verified AWS customer

What is our primary use case?

With IBM Security QRadar, I used to work for a company that wanted to implement AI, generative AI, to help financial institutions and banks improve their software development process, including testing of their tools and all the releases they make to improve their cloud software applications.

What is most valuable?

IBM Security QRadar's AI and machine learning capabilities for threat detection and response are exceptional, and Q Site is used to create panels and visualizations of software development processes. It's really fast and impressive compared to QuickSight. The detector library contributes significantly to its functionality. The main importance is the releases without any kind of security breaches, and IBM Security QRadar gives the opportunity to improve the time to market of the releases with a great evaluation of cybersecurity breaches. It's currently the top solution in the industry.

What needs improvement?

I assess the integration of third-party technologies with IBM Security QRadar's open architecture as lacking compared with what is available, because there are more genesis and solutions, but nothing compares with AWS cloud solutions. The top integrations happen here. The only difficulty is when integrating with ServiceNow; solutions from Microsoft, Google, Rackspace are really complex to integrate with ServiceNow, but Amazon is easier than other solutions.

I'm talking about IT Operation Management or hardware as management, DevOps or SecOps of ServiceNow, and those are really complex use cases to integrate with third parties, but Amazon does it better.

Overall, I would rate IBM Security QRadar an 8.5, because it depends on the use case, but there should be more focus on small and medium businesses, especially given the number of FinTechs and entrepreneurs in Mexico that require easier solutions with less budget. AWS Cloud is amazing for macro projects on software development, but it needs to be more accessible for SMBs, which is why I give it an 8.5; there's room for improvement in that area.

For how long have I used the solution?

With AWS as a cloud provider, I used to work for a company that implements solutions for AWS cloud solutions.

How are customer service and support?

I would rate their customer service or technical support as the best in Mexico. The only issue is the language barrier sometimes, because customer support services are used from India, and that can be challenging. While I speak English, it's difficult to understand some accents. However, besides that, local support in Mexico has people ready to provide level one, level two, and level three support. When something complex arises, the ticket gets transferred to India or to third parties not in Mexico, but it's very difficult to scale a ticket that far. The customer support located in Mexico speaks Spanish and they help to resolve issues, depending on the agent.

How would you rate customer service and support?

Neutral

How was the initial setup?

For the initial setup of IBM Security QRadar, you need to have the right people, but if you are a newbie to these kinds of solutions and want to do out-of-the-box implementations, Amazon provides out-of-the-box use cases that you can implement immediately, and the personalization is easy to accomplish.

What was our ROI?

In terms of return on investment, I have worked on exercises where the payback occurs within three or four months, which is very good for a cloud solution because implementation cycles can be really long. AWS gives the chance to implement a solution out of the box with use cases that are already in IBM Security QRadar. Solutions such as Q Business, Q Site, QuickSight are already out of the box, so implementing and configuring a use case takes about two to three months, with the payback being almost immediate.

What's my experience with pricing, setup cost, and licensing?

The pricing for IBM Security QRadar is not the best, but it's not the worst. It depends on how much you want to spend. The last time I worked with this technology was in 2023. The pricing reflects how much you want to spend for the results you want to have. If you want the best of the best, you go to AWS Cloud.

What other advice do I have?

I rate IBM Security QRadar 8.5 out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)


    Jwal Patel

User-friendly interface facilitates quick adaptation and effective threat response

  • August 29, 2025
  • Review from a verified AWS customer

What is our primary use case?

For incident investigation, IBM Security QRadar is used for log management. We get all the traffic from there, it gets logged in our system, and then we investigate it.

What is most valuable?

There are many things I appreciate about IBM Security QRadar. I haven't used any other SIEM before IBM Security QRadar, so for me, it is perfect. Sometimes it takes time to load queries, but other than that, it performs excellently.

I would assess IBM Security QRadar's AI and machine learning capabilities as very helpful for threat detection and response. You have to fine-tune it sometimes with your own investigation, as sometimes they give false alerts about our system.

You have to put your own exceptions inside it, and then they won't give you another ticket about those false incidents.

What needs improvement?

Sometimes it takes time to load queries, but other than that, it performs excellently.

For how long have I used the solution?

Personally, I have been using IBM Security QRadar for four months, but my company has been using it for three years.

How are customer service and support?

I would rate their support an 8.5 with IBM. The support is really good; for instance, if a critical ticket is submitted, you will get paged right away as it gets logged, and their analyst will look into it, letting you know as soon as possible so you can work on it. If there is something bad going on or something faulty with IBM Security QRadar, when you reach out to them, they reply in 10 to 20 minutes.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I haven't used any other SIEM before IBM Security QRadar.

What other advice do I have?

I deal with products such as IBM or Elastic solutions. I have experience with IBM Security QRadar, but not with Elastic; however, we are trying to get into Elastic.

We use many different cloud providers as our main cloud provider. AWS is one of those. We did not purchase the IBM Security QRadar product through AWS Marketplace; that's handled by our IT team.

I work in a dealership industry, specifically in home hardware. It is easy to use; I wasn't familiar with it, but after getting one-on-one training with my senior, I was able to use it very efficiently and learned it quickly.

We use IBM Security QRadar's Risk Manager, but I don't use it directly as it's related to my senior. I investigate it, but those procedures are based on my senior's decisions. I have not used IBM Security QRadar's analytics engine for automating SOC tasks.

The integration of third-party technologies with IBM Security QRadar's open architecture is good; it integrates with other solutions efficiently. I have used it with many different platforms such as SentinelOne and ExtraHop, and it integrates effectively.

My company is a customer of IBM. My overall rating for IBM Security QRadar is 9 out of 10.



    Mahmoud Younes

Reliable installation and diverse use cases provide strong value

  • May 20, 2025
  • Review provided by PeerSpot

What is our primary use case?

Most of the use cases are based on MITRE ATT&CK, such as phishing email, DDoS attack, privilege escalation, and other MITRE ATT&CK techniques, along with scanning of the environment and suspicious activity internal to our network. We have thousands of use cases covering different domains at the network level.

We have use cases covering security controls and firewalls. We also have use cases that cover Active Directory, server events, and Citrix. Because we are working in a telecom company, we are covering 5G and 4G logs.

What is most valuable?

The aggregations are valuable when creating use cases with aggregations, which is beneficial for us.

For automation, we are using multi-platform solutions. We have FortiSOAR and IBM Resilient for IBM Security QRadar orchestration. We integrate with both IBM Security QRadar and ArcSight, as we are working with customers who use both systems.

What needs improvement?

IBM Security QRadar has some areas for improvement. We have missed some DSM components. We need to customize logs where there is no DSM or connector for certain products.

We can integrate but we have missed the DSM, which is the connector to pass logs coming from different applications. For example, with a university customer, we tried onboarding Canvas service. IBM Security QRadar does not support Canvas, so we had to create custom scripts and workarounds to pull logs from Canvas.

For how long have I used the solution?

We have been using the solution for around five years.

What was my experience with deployment of the solution?

The deployment is straightforward and easy for both installation types: standalone console, all-in-one, or in distribution modes.

What do I think about the stability of the solution?

Currently, it is very stable.

What do I think about the scalability of the solution?

For the EPS license, if you increase or exceed the EPS license, you cannot receive events, and IBM Security QRadar comes with this behavior. This issue existed previously when exceeding the EPS license limit.

How are customer service and support?

The customer service experience is mixed. For critical issues, they provide L1 support rather than expert support initially. The L1 support follows standard steps before escalating to the development team or expertise team. In critical situations, this process can be problematic. Support needs to understand the issue first, then escalate it to the engineering team. The engineering team then sends an appointment meeting about the issue. This process can result in outages lasting three to four hours.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have been in the cybersecurity field since 2012. I have experience with many cybersecurity products including IBM Security QRadar, Splunk, SOAR, IBM Resilient SOAR, Phantom, and various security controls and products.

What was our ROI?

ROI calculation is more applicable when using SOAR rather than SIEM. In SIEM, you don't have functions or enrichment to check whether an IP is malicious or its reputation on different websites. With SOAR, you can calculate ROI. For example, when an analyst receives alerts on an IBM Security QRadar Offense, they would typically take 10 to 15 minutes to check an IP in VirusTotal, AbuseIPDB, TotalVirus, and other sources. With SOAR, the workflow takes one minute or less to complete the analysis.

What's my experience with pricing, setup cost, and licensing?

When comparing with Splunk, IBM Security QRadar's cost is reasonable. Splunk is more expensive than IBM Security QRadar.

Which other solutions did I evaluate?

We have machine learning for User Behavior Analytics (UBA), but IBM Security QRadar does not have AI connectors or integration with ChatGPT. Some SOARs are working with AI, such as FortiSOAR, which has chatbot and AI integration with ChatGPT to create playbooks, assist analysts in exporting reports, and provide recommendations for alert responses.

What other advice do I have?

This implementation process receives a rating of six. In the UAE, we have strict restrictions regarding compliance, particularly NIST compliance. Most companies should have a local LLM, not a public one. Most SIEM or SOAR solutions don't have the capability, or need custom connectors, for using AI with an internal LLM rather than cloud-based solutions such as ChatGPT or Gemini. Overall, I would rate IBM Security QRadar an eight out of ten.


    reviewer1370832

Uses robust rulesets to enhance compliance audits and prevention

  • April 09, 2025
  • Review provided by PeerSpot

What is our primary use case?

Our primary use case was for compliance audits. We mainly used it for compliance purposes.

What is most valuable?

IBM Security QRadar had good rulesets, and the scenarios we could write regarding the compliance-related issues were quite helpful. We mostly used it for prevention.

What needs improvement?

The commercials can be looked into. The costing part could be improved.

For how long have I used the solution?

I have been using the solution for around three years.

What was my experience with deployment of the solution?

There were no issues at all. It was straightforward.

How are customer service and support?

I was satisfied with IBM support.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We switched mostly for commercial reasons.

How was the initial setup?

The initial setup was straightforward. It took a couple of weeks because we had to set up the rules and other configurations.

What's my experience with pricing, setup cost, and licensing?

The costing part, or commercials, was a concern.

What other advice do I have?

I would rate IBM Security QRadar nine out of ten. The main reason for moving from this tool was the pricing.


    Md. Shahriar Hussain

Real-time incident detection and user-friendly dashboard benefit daily operations

  • January 03, 2025
  • Review provided by PeerSpot

What is our primary use case?

I use it daily because it's shared as a log alert, and we have a security operations center. Every now and then, and almost every day, there are some alerts. I utilize it every day, twenty-four by seven, as you can see.

What is most valuable?

Actually, the dashboard is very good. The dashboard is easy to use and easy to understand what's going on and what the alerts mean. It's very user-friendly, I would say. So far, it's very good. Recently, I faced an incident, a cyber incident, and it was detected in real time. It correlates well with other solutions. I have EDR, vulnerability, and IPS, and it shows useful findings for root cause analysis.

What needs improvement?

There are many types of AI, and this AI is very limited in SQL and features. There may be potential for improvement. So far, it seems very limited. It shows some good features in the correlation part, but I think there is room for improvement. For instance, when creating rules, it could suggest more rules, reducing the effort needed. If AI-related support could suggest rules and integrate with existing security devices like MD and IPS, this SIEM could create more relevant rules. Sometimes logs I receive don't mean anything, and I need technical stakeholders to share or forward logs, but these are sometimes inadequate. Keywords can help identify insufficient logs. I often lack time to verify logs. Sharing false positive results could be reduced to help my team.

For how long have I used the solution?

I have been working with the product for the last four months.

What do I think about the stability of the solution?

The product has been stable so far. I didn’t face any issues after deployment. I haven't encountered any software deployment issues, although I have only used it for four or five months. I might face issues after a year, two years, or with a major release or software update.

What do I think about the scalability of the solution?

I am satisfied with the scalability. It depends on my budget. How much I spend on licensing size is up to me.

How are customer service and support?

I received very good support, possibly due to a good relationship with IBM. I don't know about other companies, but I am happy with the support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, I had another SIEM before IBM brought it up, but I couldn't correlate with different solutions. Now it saves me at least one hour, sometimes up to three hours. I used Micro Focus, which I think was acquired by another company, possibly OpenText. The ownership changed. I am very satisfied with QRadar compared to OpenText. It's superior. I am not sure which one is best, but so far it is. My people had good training and needed to invest time to get good results.

How was the initial setup?

The initial setup was very difficult. I needed help from the local partner and expert users. Without expert users, it's challenging to deploy.

What about the implementation team?

Assistance from the support system is always needed.

What was our ROI?

It's still very early, but I have saved significant damage. Investing this amount was very much worth it for my organization.

What's my experience with pricing, setup cost, and licensing?

The cost depends. The price I negotiated varies by region and relationship with the OEM. Cost is not shared due to another procurement team handling negotiations, but it was reasonable as far as I know.

What other advice do I have?

My advice is to understand your infrastructure first. Assess the size before sending any protocol requests or RFPs to adjust licensing costs. You may procure licenses less or more than needed, impacting finances. Analyzing your infrastructure is crucial, considering the logs and security issues you will set. Trained personnel are necessary. Without them, usage is challenging. Overall, the product rating is eight out of ten.


    VuralSanal

Current integration experience enhances network security through managed log collection and encryption

  • January 03, 2025
  • Review provided by PeerSpot

What is our primary use case?

I have experience with Centimeters solutions, one of which is Microsoft Sentinel. I often confuse the names, but I mean Sentinel. I also have experience with QRadar. In the past, I worked with Elasticsearch. I have generally configured some integrations, for example, between QRadar and other production environments for sending custom logs, though not all of them. I have been doing this for about two to three years. Usually, devices do not send CF in syslog or CS format logs, so we often troubleshoot on a Vural collector. Sometimes a device does not send the packet to a local collector, and we troubleshoot from the local collector's side. My colleagues and I generally use this management for production. I have integrated some network and security devices to send logs. In Turkey, there are regulations by the government that require collecting Internet traffic from VDS users. We need encryption on each log on QRadar. I focus on setting up this configuration. Our customers use Cisco StealthWatch, formerly known as NDR solutions, and we integrated these logs with QRadar and StealthWatch because we prefer not using all of them on NDR solutions. We send specific logs from StealthWatch. This integration is basic, not advanced, though there are some easy API integrations for communication between devices.

What needs improvement?

I think there is room for improvement with correlations in QRadar, especially in terms of customer logs. We receive logs from different types of devices and need a way to correlate them effectively. This would help identify critical or high-priority alarms in QRadar. Perhaps we are missing parameters in QRadar and need to double-check to enhance functionality.

For how long have I used the solution?

I have used the solution for approximately two to three years.

What do I think about the stability of the solution?

We sometimes experience downtime, but it depends on the version. There is some variability.

How are customer service and support?

Our partners in Turkey support QRadar integration because our team does not manage all aspects. We usually rely on local partners for support. They assist with advanced issues, such as hardware or other problems, that are not part of standard operations.

How would you rate customer service and support?

Positive

What other advice do I have?

All technologies are advancing towards AI integration. It is essential to integrate AI capabilities into devices to keep pace with future technologies and integrations. We should configure AI technologies in these products, though we currently lack experience and information. My overall rating for this solution is nine out of ten.


    Muhammad Misbah

Is easy to integrate and doesn't require maintenance

  • August 01, 2024
  • Review provided by PeerSpot

What needs improvement?

One major drawback we are facing is in the area of IBM Security QRadar integration with flat file databases. IBM Security QRadar does not support flat file database integration. We are currently facing an issue with respect to the database, which you normally call a NoSQL database. There is no direct integration mechanism available with IBM Security QRadar. We have to approach IBM and generate a ticket so that they can develop a custom method for the integration. In database integration, we are facing issues with IBM Security QRadar.

The solution does not support the integration of flat file databases. Certain organizations have flat file databases. IBM does not support direct integration with some databases. We had to create a plug, and we requested IBM to develop a parser, but it is taking IBM a couple of months to develop it. I think a flat-file database should be supported directly instead of developing a parser plugin. There should be a more refined threat intelligence platform, and cross-integration should be possible with locally available threat intelligence platforms.

For how long have I used the solution?

I have been using IBM Security QRadar for three years. I use the solution's latest version.

What do I think about the stability of the solution?

Stability-wise, I rate the solution a seven out of ten.

What do I think about the scalability of the solution?

It is a scalable solution. With respect to threat intelligence platform integration with locally developed software solutions, IBM works on and provides certain sorts of APIs. The tool also leads to advancement in threat intelligence, which could be beneficial during product deployment.

My company has an unlimited number of user versions. Basically, it does not depend on the number of users. It basically works on events per second. We already acquired unlimited EPS on our IBM QRadar.

I rate the scalability an eight out of ten.

We have two teams using the tool. If you talk about engineering, we have five to ten people on the engineering side who look after the administration. There are also twenty-four hours and seven weeks of managed SOC services catering to the needs of twenty people in each shift. We pursue the principle of following the sun, so you can say the managed SOC services are used in three shifts.

Which solution did I use previously and why did I switch?

My company is only using IBM.

How was the initial setup?

We didn't face any difficulty in the deployment process. The strategy we follow in the deployment is a phased approach. Initially, we deployed the workspace, and then we moved to routers and hardware-related things. In phase two, we start integrating the tool with business applications.

The solution is deployed on an on-premises version.

The solution can be installed for the initial configuration and settings in around three to four hours or five hours. Asset onboarding varies. Through assets, we integrate very quickly, like switches and data, with instances where no approval is required. Other typical assets are applications where we have to create certain views in order to fetch logs. It all depends from application to application.

Three or four people are required to install the tool. Actually, we have a team and deployed the tool with five people. Two people did installations, and two people are supporting, and getting the required things or approvals would be done. You can say it is normally a team of five engineers. They actually take part in maintenance, too. Actually, we divided it into two phases, like team deployment and implementation. One has a team of engineers with whom we are involved with the deployment and installation. Another is the SOC team, which is responsible for monitoring logs on IBM Security QRadar.

What's my experience with pricing, setup cost, and licensing?

IBM solutions are always expensive, as IBM offers some industry-leading solutions, which is why we have implemented them. Now, locally developed and open-source solutions like Wazuh are available. Certain organizations are deploying the solutions. We receive no cost-benefit from IBM. It is an expensive solution, and we have to incur these costs.

The tool's price is high. Our company faces pricing-related challenges with locally available products and other offerings like Splunk and Wazuh. In addition, there is a need to pay the tool's standard licensing fee. We outsource our SOC operations, so such expenses are in addition to the deployment.

Which other solutions did I evaluate?

After going through the different reviews over the internet, we found out that IBM is a leader, and we also did a study of the various banks in Pakistan and internationally to find what products they use. After comparing these banks, international banks, and locally made products, we decided to go for IBM.

What other advice do I have?

IBM Security QRadar enhances threat detection and incident response in our specific industry. The threat intelligence is somewhat different in Pakistan. We also have to deploy other open-source solutions and integrate them with the new system. We have IBM X-Force, and the solution provides threat intelligence releases for global incidents. Basically, we have CTM360, which helps with the threat intelligence part. We are actually using both with the solution. I think IBM X-Force complements our challenges, but it is not up to the mark we require. We have to collaborate with different solutions as well with CTM360.

The tool's anomaly detection was useful with respect to application integration. We use a use case where we recently implemented the tool with respect to business applications where we define a rule set, and the system perfectly identifies and triggers an event against the rule set we define, so it is related to business applications. Our use cases are related to the event. An incident was caused a couple of days ago due to the Log4j vulnerability. For such vulnerabilities, the use case will also be helpful.

It is easy to integrate with different solutions or different databases like MySQL and Oracle. It has the edge over other solutions, like open-source solutions like Wazuh and Splunk, so IBM Security QRadar is very much refined with respect to these solutions.

Regarding the tool's ability to maintain high-security standards, I rate it ten out of ten.

So far, we haven't used any AI feature in the tool, or it may not be available in the version we use.

Overall, I recommend the tool to others. We are currently recommending it to peer banks and peer colleagues who need to make a decision to buy a product.

Maintenance is not required, but we regularly check the tool's health reports. If any event occurs monthly or quarterly, then we need to maintain it. Otherwise, no maintenance is required.

I rate the tool an eight out of ten.