QRadar review.
March 31, 2024

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Software Version

QRadar Advisor with Watson (legacy branding)

Modules Used

  • SIEM

Overall Satisfaction with IBM Security QRadar SIEM

We have used IBM Security QRadar SIEM to provide security to our customers (B2B) and also for our own corporate security. IBM Security QRadar SIEM itself is an amazing tool, but we do face frequent issues with it. We have on-premises and SaaS environments; on SaaS we suffer from frequent issues, sometimes leading to unavailability. Those issues impact our operation and our end customers'. Those issues are often not consequences of our actions; we are victims of them. For example, we had some unavailability resulting from outages at the SAO1 data center. The biggest advantage of SaaS is not having to worry about performance and availability, but we do need to worry about those. We also face some difficulties when managing rules for a multi-tenant environment, because we cannot set different parameters per domain in a single rule. For example, we cannot set a threshold of 5 events for domain A and 10 events for domain B, forcing us to replicate the rules in this kind of scenario. We have 10 tenants in the same environment, resulting in a high number of rules. Despite the mentioned issues, IBM Security QRadar is an amazing SIEM, and I still love working with it.
  • Correlation rules
  • Events Parsing
  • Reports
  • Integrated apps
  • Customizations (Rules, reports, parsed fields, DSM...)
  • Multi-Tenancy
  • SaaS performance and availability
  • More data on automatic reports
  • More DSMs (some new technologies are missing a DSM, such as Senhasegura, for example)
  • Dashboards improvement (through QRadar itself or Pulse)
  • More API customization options
  • Sorry, I do not have access to financial information.
For integrations with DSM, it works very well. When we need to use generic ones or create a new one that involves an API, it is challenging.
The technical support team is really helpful and persevering. When we ask for the root cause of the issues, we sometimes have difficulty receiving this information; despite this detail, the overall support from IBM is great.

Do you think IBM Security QRadar SIEM delivers good value for the price?

Not sure

Are you happy with IBM Security QRadar SIEM's feature set?

Yes

Did IBM Security QRadar SIEM live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of IBM Security QRadar SIEM go as expected?

Yes

Would you buy IBM Security QRadar SIEM again?

Yes

QRadar is very well suited to environments where there are not multiple tenants or domains; we do have success in this kind of scenario.

IBM Security QRadar SIEM is less appropriate for environments with multiple tenants, especially when each tenant represents a different end customer (such as for MSSP companies). Those environments require a high amount of rule and building block replication, since each tenant will have its own "BB definitions", servers, rule exceptions, etc. Also, some information, such as EPS count or EPS dropped, is generated by QRadar's own log sources, which reside in the default domain; therefore users associated with a different domain cannot access those logs, even when the information is related to another domain's environment. For example, even if Event Collector 1 is associated with Domain A, the log reporting its dropped EPS is generated by System Notification, a log source that must be associated with the Default domain.

IBM Security QRadar SIEM Feature Ratings

  • Correlation: 10
  • Integration with Identity and Access Management Tools: 8
  • Custom dashboards and workspaces: 7
  • Behavioral analytics and baselining: 5
  • Rules-based and algorithmic detection thresholds: 9
  • Reporting and compliance management: 10