External reviews are not included in the AWS star rating for the product.
My main use case for IBM Security QRadar is building a SOC with IBM Security QRadar as a SIEM.
I use IBM Security QRadar in my SOC operations as an information security management, security and event management tool, to correlate events and build use cases for incident response.
My main use case helps us to deep dive into the logs and correlate events from many other products like firewalls, endpoints, and also a lot of products.
The best features IBM Security QRadar offers include vulnerability management, a powerful integration, and being a stable product. The vulnerability management feature helps to build an asset library for our organization, and with integrations, we can integrate this vulnerability with other ticketing systems to discover new vulnerabilities and build a patch management for it.
IBM Security QRadar has positively impacted my organization by allowing me to get offenses and threats into our organization, helping me to discover the real threats attacking our organization. The real threats that IBM Security QRadar helps us with are provided as offenses, real offenses with real examples that allow us to discover new offenses and assist in closing these offenses.
IBM Security QRadar can be improved; perhaps IBM support needs improvement in fast response and also the team response.
I have been using IBM Security QRadar for about nine years.
IBM Security QRadar is stable.
IBM Security QRadar's scalability is great; you can have a new collector to deploy if you have increased EPS per second.
Customer support for IBM Security QRadar needs improvement.
Negative
I have not used a different solution before IBM Security QRadar; this is my first use.
I have seen a return on investment; I can share that it includes time saved, money saved, and fewer employees needed.
My experience with pricing, setup cost, and licensing is great compared to the other vendor.
I did not evaluate other options before choosing IBM Security QRadar.
IBM Security QRadar is stable and has great support.
I advise others looking into using IBM Security QRadar that it is really helpful for building a SOC and to get a deep dive into your real threats at the earliest time. I have given this product a review rating of 10.
The use cases are daily monitoring, asset management, asset monitoring, asset health status monitoring, and alert monitoring. That is the current use case of what SIEM is being used for.
The query search and log fetching are really helpful in IBM Security QRadar when compared to other tools.
Compared to ArcSight, Splunk, or any other SIEM tools where you need their processing language such as structured query language, SPL, and in Sentinel there is KQL query languages, IBM Security QRadar doesn't require reliance on query languages. There are filters which you can use directly and apply to get the data you want fairly easily.
It's still very manual and doesn't work on its own. It's still in an early stage and not on par where we can consider it a really successful detection system. The accuracy is not there.
The UI could be better when compared to Sentinels where we can use flags and tagging. It could be much more user-friendly. IBM Security QRadar has all features and is fully competitive with other SIEM tools, but when it comes to user-friendliness, a new user takes time to get used to it. More intuitive, user-friendly interfaces and more helpful documentation would be beneficial.
The query searching and data fetching could be faster. In large to very large organizations with around 5,000 or 6,000 assets or beyond, even with proper configurations and RAM and hardware backing up, the query is fairly slow.
I have been using it for almost nine months.
The solution is extremely stable because it's on cloud. On cloud, you don't see any disconnections or instability. Any solution that is on cloud works really stably.
I am both a customer and we provide service to that.
I never needed to reach out to support because most of the expertise was already available.
Neutral
There are analytical workspaces where we create automatic ticket creations and automatic email notifications.
I have worked on technologies including Qualys, Group-IB, and QRadar. I have experience with CrowdStrike EDR and Bitdefender. On the EDR front, I have worked on CrowdStrike and Bitdefender. For SIEMs, I work with IBM Security QRadar and Sentinel. For vulnerability assessments, I work with Qualys.
There are no observable benefits on ROI process-wise, workability-wise, or usability-wise.
We chose IBM Security QRadar because we were moving to cloud. Previously it was an on-prem solution. Compared to Splunk and Sentinel, it's much more cost-effective.
IBM Security QRadar is capable of handling much of the market requirements. It's comparable to any other SIEM tool without standing out significantly.
It's fairly open for custom integrations, but it depends on what type of logs we are receiving and what kind of parsing we are getting done. The integrations are totally based on the skill sets if third-party or custom integrations are required.
When it comes to log management, it's fairly easy to manage and the log rotate is really good compared to any standard SIEM tool. It just gets the work done.
I rate IBM Security QRadar an 8 out of 10.
In IBM Security QRadar, I used to work for a company that wanted to implement AI, generative AI, to help financials and banks improve their process of software development, including testing for their tools and all the releases they are doing for the improvements of the applications of software on the cloud.
IBM Security QRadar's AI and machine learning capabilities for threat detection and response are exceptional, and Q Site is used to create panels and visualizations of software development processes. It's really fast and impressive compared to QuickSight. The detector library contributes significantly to its functionality. The main importance is the releases without any kind of security breaches, and IBM Security QRadar gives the opportunity to improve the time to market of the releases with a great evaluation of cybersecurity breaches. It's currently the top solution in the industry.
I assess the integration of third-party technologies with IBM Security QRadar's open architecture as lacking compared with what is available, because there are more genesis and solutions, but nothing compares with AWS cloud solutions. The top integrations happen here. The only difficulty is when integrating with ServiceNow; solutions from Microsoft, Google, Rackspace are really complex to integrate with ServiceNow, but Amazon is easier than other solutions.
I'm talking about IT Operation Management or hardware as management, DevOps or SecOps of ServiceNow, and those are really complex use cases to integrate with third parties, but Amazon does it better.
Overall, I would rate IBM Security QRadar an 8.5, because it depends on the use case, but there should be more focus on small and medium businesses, especially given the number of FinTechs and entrepreneurs in Mexico that require easier solutions with less budget. AWS Cloud is amazing for macro projects on software development, but it needs to be more accessible for SMBs, which is why I give it an 8.5; there's room for improvement in that area.
With AWS as a cloud provider, I used to work for a company that implements solutions for AWS cloud solutions.
I would rate their customer service or technical support as the best in Mexico. The only issue is the language barrier sometimes, because customer support services are used from India, and that can be challenging. While I speak English, it's difficult to understand some accents. However, besides that, local support in Mexico has people ready to provide level one, level two, and level three support. When something complex arises, the ticket gets transferred to India or to third parties not in Mexico, but it's very difficult to scale a ticket that far. The customer support located in Mexico speaks Spanish and they help to resolve issues, depending on the agent.
Neutral
For the initial setup of IBM Security QRadar, you need to have the right people, but if you are a newbie to these kinds of solutions and want to do out-of-the-box implementations, Amazon provides out-of-the-box use cases that you can implement immediately, and the personalization is easy to accomplish.
In terms of return on investment, I have worked on exercises where the payback occurs within three or four months, which is very good for a cloud solution because implementation cycles can be really long. AWS gives the chance to implement a solution out of the box with use cases that are already in IBM Security QRadar. Solutions such as Q Business, Q Site, QuickSight are already out of the box, so implementing and configuring a use case takes about two to three months, with the payback being almost immediate.
The pricing for IBM Security QRadar is not the best, but it's not the worst. It depends on how much you want to spend. The last time I worked with this technology was in 2023. The pricing reflects how much you want to spend for the results you want to have. If you want the best of the best, you go to AWS Cloud.
I rate IBM Security QRadar 8.5 out of 10.
We use IBM Security QRadar to monitor, and it's our main source of information. It's our main SIEM platform for our SOC, and we've collected everything on that platform.
We don't use IBM Security QRadar's Risk Manager; mainly, it was our main tool to collect information and conduct some analytics on logs and events. That's the primary use case we've been utilizing.
The best features of IBM Security QRadar are that it's pervasive. You can have IBM Security QRadar in the dust quite easily, and almost everybody knows the platform. Almost nobody's going to say you bought the wrong SIEM if you buy IBM Security QRadar.
The integration of third-party technologies with IBM Security QRadar is one of the high points they have. They integrate with almost anybody, anywhere. There's an integrator tool for almost anything. Everybody talks with IBM Security QRadar because they were the SIEM name of the game, at least in this country. So the integration part is one of their key advantages.
Long ago, IBM Security QRadar enabled us to have some analytics pre-thought for us. When we started with our SOC, we used some log collectors and other tools, and IBM Security QRadar gave us the advantage of having some analytics pre-considered for us. However, that was long ago. It has become just a log and events collector and our main repository of security events.
As far as reliability, security, and how it operates, I think it's because they hit first on the market, and then they built upon that, our name alongside the IBM name. Those are the reasons. It's quite awkward to use the platform; it's not intuitive, the learning curve is quite deep, and I really don't understand why it was so pervasive. However, if you have to sell managed security services to some people that use a SIEM, more than half the time you end up with an IBM Security QRadar platform on the other side. The other half you end up with WSO2, at least in Latin America.
I haven't tried IBM Security QRadar's AI and machine learning capabilities for threat detection and response fully enough to evaluate them yet.
We've been building our SOAR capabilities with other tools, and we haven't used IBM Security QRadar's Analytics Engine for automating SOC tasks.
We are not using it as we used to, and I think that advantage is fading out, particularly after the selling of the product to Palo Alto. We are considering some roadmaps to get out of IBM Security QRadar right now; that's the truth.
We have been using IBM Security QRadar since pre-pandemic; I think maybe 10 to 12 years right now.
I find IBM support to be nice. However, as a former IBMer, I may have had some advantages in getting support because I had some contacts. The support information is correct; you get to the information and access the technical documents you need because the information is there, and they used to care about their product. I don't know how it's going to be once the program is fully under Palo Alto's management.
For the support team, I would rate IBM support an eight, a solid eight. With the support we used to have within IBM, it was good.
Positive
Setting up IBM Security QRadar is difficult; it has a deep learning curve for the analysts, and there are several hurdles to handle to get IBM Security QRadar running on your infrastructures. On the other hand, once you connect the dots, they keep sending the information, and you can continue getting those events.
The pricing, setup cost, or licensing with IBM Security QRadar was costly. It was costly mainly for the things we used to use it for. The customers used to pay the price, but it was one of the problems to onboard some people with IBM Security QRadar. It was costly mainly because of the value you can get right now compared to other solutions.
We are thinking about moving outside of IBM Security QRadar ecosystem due to cost and the belief that some functionalities of new SIEM platforms are surpassing IBM Security QRadar. We think they are not keeping pace with SIEM, which makes it harder for them to differentiate their product or compete against others that are cheaper and easier to deploy.
If you had asked me this question five or seven years ago, I would have given it a solid 10, maybe a nine, but today I believe they are losing track of that. The overall rating for IBM Security QRadar is seven out of ten.
We were partners when they were under IBM. We've been in an IBM program of MSSP for Latin America, so we were partners of IBM Security QRadar when it was within IBM. However, with the selling to Palo Alto this year, we lost that partnership and are now just customers of a reseller.
We operate the platform for our customers. We don't have IBM Security QRadar for our own use.
For incident investigating, IBM Security QRadar is used for logs and management. We get all the traffic from there, which gets logged in our system, and then we investigate it.
There are many things I appreciate about IBM Security QRadar. I haven't used any other SIEM before IBM Security QRadar, so for me, it is perfect. Sometimes it takes time to load queries, but other than that, it performs excellently.
I would assess IBM Security QRadar's AI and machine learning capabilities as very helpful for threat detection and response. You have to fine-tune it sometimes with your own investigation, as sometimes they give false alerts about our system.
You have to put your own exceptions inside it, and then they won't give you another ticket about those false incidents.
Sometimes it takes time to load queries, but other than that, it performs excellently.
Personally, I have been using IBM Security QRadar for four months, but my company has been using it for three years.
I would rate their support an 8.5 with IBM. The support is really good; for instance, if a critical ticket is submitted, you will get paged right away as it gets logged, and their analyst will look into it, letting you know as soon as possible so you can work on it. If there is something bad going on or something faulty with IBM Security QRadar, when you reach out to them, they reply in 10 to 20 minutes.
Positive
I haven't used any other SIEM before IBM Security QRadar.
I deal with products such as IBM or Elastic solutions. I have experience with IBM Security QRadar, but not with Elastic; however, we are trying to get into Elastic.
We use many different cloud providers as our main cloud provider. AWS is one of those. We did not purchase the IBM Security QRadar product through AWS Marketplace; that's handled by our IT team.
I work in a dealership industry, specifically in home hardware. It is easy to use; I wasn't familiar with it, but after getting one-on-one training with my senior, I was able to use it very efficiently and learned it quickly.
We use IBM Security QRadar's Risk Manager, but I don't use it directly as it's related to my senior. I investigate it, but those procedures are based on my senior's decisions. I have not used IBM Security QRadar's analytics engine for automating SOC tasks.
The integration of third-party technologies with IBM Security QRadar's open architecture is good; it integrates with other solutions efficiently. I have used it with many different platforms such as SentinelOne and ExtraHop, and it integrates effectively.
My company are customers with IBM. The overall rating for IBM Security QRadar is 9 out of 10.
Most of the use cases are based on MITRE ATT&CK, such as phishing email, DDoS attack, privilege escalation, all MITRE ATT&CKs with scanning the environments, using suspicious activity internal to our network. We have thousands of use cases covering different domains at network levels.
We have use cases covering security controls and firewalls. We also have use cases that cover Active Directory, server events, and Citrix. Because we are working in a telecom company, we are covering 5G and 4G logs.
The aggregations are valuable when creating use cases with aggregations, which is beneficial for us.
For automation, we are using multi-platform solutions. We have FortiSOAR and IBM Resilient for IBM Security QRadar orchestration. We integrate with both IBM Security QRadar and ArcSight, as we are working with customers who use both systems.
IBM Security QRadar has some areas for improvement. We have missed some DSM components. We need to customize logs where there is no DSM or connector for certain products.
We can integrate but we have missed the DSM, which is the connector to pass logs coming from different applications. For example, with a university customer, we tried onboarding Canvas service. IBM Security QRadar does not support Canvas, so we had to create custom scripts and workarounds to pull logs from Canvas.
We have been using the solution for around five years.
The deployment is straightforward and easy for both installation types: standalone console, all-in-one, or in distribution modes.
Currently, it is very stable.
For EPS license, if you increase or exceed the EPS license, you cannot receive events and IBM Security QRadar comes with this server. This issue existed previously when exceeding the limit for EPS license.
The customer service experience is mixed. For critical issues, they provide L1 support rather than expert support initially. The L1 support follows standard steps before escalating to the development team or expertise team. In critical situations, this process can be problematic. Support needs to understand the issue first, then escalate it to the engineering team. The engineering team then sends an appointment meeting about the issue. This process can result in outages lasting three to four hours.
Neutral
I have been in the cybersecurity field since 2012. I have experience with many cybersecurity products including IBM Security QRadar, Splunk, SOAR, IBM Resilient SOAR, Phantom, and various security controls and products.
ROI calculation is more applicable when using SOAR rather than SIM. In SIM, you don't have functions or enrichment to check if an IP is malicious or different reputations or websites. With SOAR, you can calculate ROI. For example, when an analyst receives alerts on IBM Security QRadar Offense, they would typically take 10 to 15 minutes to check an IP in VirusTotal, AbuseIPDB, TotalVirus, and other sources. With SOAR, the workflow takes one minute or less to complete the analysis.
When comparing with Splunk, IBM Security QRadar's cost is reasonable. Splunk is more expensive than IBM Security QRadar.
We have machine learning for User Behavior Analytics (UBA), but IBM Security QRadar does not have AI connectors or integration with ChatGPT. Some SOARs are working with AI, such as FortiSOAR, which has chatbot and AI integration with ChatGPT to create playbooks, assist analysts in exporting reports, and provide recommendations for alert responses.
This implementation process receives a rating of six. In UAE, we have strict restrictions regarding compliance, particularly NIST compliance. Most companies should have local LLM, not public. Most SIM solutions or SOAR don't have the capability to build or need custom connectors for using AI with internal LLM, rather than cloud-based solutions ChatGPT or Gemini. Overall, I would rate IBM Security QRadar an eight out of ten.
Neutral
I use it daily because it's shared as a log alert, and we have a security operations center. Every now and then, and almost every day, there are some alerts. I utilize it every day, twenty-four by seven, as you can see.
Actually, the dashboard is very good. The dashboard is easy to use and easy to understand what's going on and what the alerts mean. It's very user-friendly, I would say. So far, it's very good. Recently, I faced an incident, a cyber incident, and it was detected in real time. It correlates well with other solutions. I have EDR, vulnerability, and IPS, and it shows useful findings for root cause analysis.
There are many types of AI, and this AI is very limited in SQL and features. There may be potential for improvement. So far, it seems very limited. It shows some good features in the correlation part, but I think there is room for improvement. For instance, when creating rules, it can suggest more rules, reducing the effort needed. If AI-related support can suggest rules and integrate with existing security devices like MD, IPS, this SIM can create more relevant rules. Sometimes logs I receive don't mean anything, and I need technical stakeholders to share or forward logs, but these are sometimes inadequate. Keywords can help identify insufficient logs. I often lack time to verify logs. Sharing false positive results could be reduced to help my team.
I have been working with the product for the last four months.
The product has been stable so far. I didn’t face any issues after deployment. I haven't encountered any software deployment issues, although I have only used it for four or five months. I might face issues after a year, two years, or with a major release or software update.
I am satisfied with the scalability. It depends on my budget. How much I spend on licensing size is up to me.
I received very good support, possibly due to a good relationship with IBM. I don't know about other companies, but I am happy with the support.
Positive
Previously, I had another SIM before IBM brought it up, but I couldn't correlate with different solutions. Now it saves me at least one hour, sometimes up to three hours. I used Micro Focus, which I think was acquired by another company, possibly OpenText. The ownership changed. I am very satisfied with Qradar compared to OpenText. It's superior. I am not sure which one is best, but so far it is. My people had good training and needed to invest time to get good results.
The initial setup was very difficult. I needed help from the local partner and expert users. Without expert users, it's challenging to deploy.
Assistance from the support system is always needed.
It's still very early, but I have saved significant damage. Investing this amount was very much worth it for my organization.
The cost depends. The price I negotiated varies by region and relationship with the OEM. Cost is not shared due to another procurement team handling negotiations, but it was reasonable as far as I know.
My advice is to understand your infrastructure first. Assess the size before sending any protocol requests or RFPs to adjust licensing costs. You may procure licenses less or more than needed, impacting finances. Analyzing your infrastructure is crucial, considering the logs and security issues you will set. Trained personnel are necessary. Without them, usage is challenging. Overall, the product rating is eight out of ten.
I have experience with Centimeters solutions, one of which is Microsoft Sentinel. I often confuse the names, but I mean Sentinel. I also have experience with QRadar. In the past, I worked with Elasticsearch. I have generally configured some integrations, for example, between QRadar and other production environments for sending custom logs, though not all of them. I have been doing this for about two to three years. Usually, devices do not send CF in syslog or CS format logs, so we often troubleshoot on a Vural collector. Sometimes a device does not send the packet to a local collector, and we troubleshoot from the local collector's side. My colleagues and I generally use this management for production. I have integrated some network and security devices to send logs. In Turkey, there are regulations by the government that require collecting Internet traffic from VDS users. We need encryption on each log on QRadar. I focus on setting up this configuration. Our customers use Cisco StealthWatch, formerly known as NDR solutions, and we integrated these logs with QRadar and StealthWatch because we prefer not using all of them on NDR solutions. We send specific logs from StealthWatch. This integration is basic, not advanced, though there are some easy API integrations for communication between devices.
I think there is room for improvement with correlations in QRadar, especially in terms of customer logs. We receive logs from different types of devices and need a way to correlate them effectively. This would help identify critical or high-priority alarms in QRadar. Perhaps we are missing parameters in QRadar and need to double-check to enhance functionality.
I have used the solution for approximately two to three years.
We sometimes experience downtime, but it depends on the version. There is some variability.
Our partners in Turkey support QRadar integration because our team does not manage all aspects. We usually rely on local partners for support. They assist with advanced issues, such as hardware or other problems, that are not part of standard operations.
Positive
All technologies are advancing towards AI integration. It is essential to integrate AI capabilities into devices to keep pace with future technologies and integrations. We should configure AI technologies in these products, though we currently lack experience and information. My overall rating for this solution is nine out of ten.
I am using QRadar, like standard centimeters, for security monitoring for information systems.
I use standard rules and special user-defined or correlation rules. I also use behavioral analysis for users. Additionally, there is limited integration with other systems. IBM is seeking information about IBM QRadar because a part of QRadar, especially in the cloud, has been sold to Palo Alto.
Improving the integration with IBM Server for MetaMask for correlation rules would be beneficial. Currently, I use Sentinel in Azure, and I would prefer creating one rule to roll it out to both Sentinel and QRadar. However, this is not possible because QRadar lacks this capability.
I have been using QRadar for five or six years.
I think QRadar is stable and currently satisfies my needs. However, there is uncertainty about the future because if IBM sold part of QRadar to Palo Alto, it would be a concerning signal.
Scalability is fine. It is one of the three well-known CMs.
I am unsure because the problem escalates through level one to level three, and then the process starts over with Novo again. This is problematic for technical support.
Negative
I am not personally using it. These boxes are in use within my company.
In the middle of evaluating, I am looking for some information about comparison boxes or licenses, products, and so on. I am interested in this issue, but I will not purchase it personally. We have a plan for internal projects for this. Product rating: five out of ten.