Analysis and experience with QRadar SIEM
Updated September 10, 2024

Saulo Prado | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Software Version

QRadar Advisor with Watson (legacy branding)

Modules Used

  • SIEM
  • SOAR

Overall Satisfaction with IBM Security QRadar SIEM

I have used IBM QRadar SIEM since 2014 and I have had a good experience since then. We have a large number of security assets, and QRadar SIEM helps us collect and correlate alerts, events, flows and incidents from multiple vendors. I am part of a SOC team at a financial institution with more than 90k employees, thousands of security devices and thousands of endpoints; without the help of QRadar SIEM it would be impossible to analyze threats, attacks and exploitations.

Pros

  • Event correlation
  • Event search timing
  • Friendly rule management
  • Vendor integration capability
  • Service support

Cons

  • Improvement in the process of consuming virtual machine resources
  • Improvement in the process of analyzing errors and warnings generated by the system
  • Reduction in incident response time
  • Visibility of normalized data, reducing manual work time for parsing
  • Reduction in the security risk of the environment as a whole

QRadar SIEM has a wide app store that helps integrate hundreds of vendors and adds a lot of value to the incident response process. An interesting example is the use case we are implementing for attacks on Windows endpoints using Sysmon logs. I downloaded the "Mitre Windows App" by siencesoft and it brought me dozens of ready-made rules, among other features.

In 10 years of using QRadar SIEM, I have never had any problems with delays in handling any case. They always respect the level of criticality we place on cases. We had numerous cases in which the criticality and severity were maximum, and they responded within the expected time agreed in the SLA.

The QRadar licensing process is based on EPS (Events Per Second) and there are no limitations on event collection, regardless of the origin of the logs. This becomes an advantage, as the price is agreed between the parties before purchase, so you know what you can use from the SIEM infrastructure. In Microsoft Sentinel, licensing is by type of log ingestion, making the event management process more complex for paying for the solution, in addition to making it more expensive and unpredictable.

Do you think IBM Security QRadar SIEM delivers good value for the price?

Not sure

Are you happy with IBM Security QRadar SIEM's feature set?

Yes

Did IBM Security QRadar SIEM live up to sales and marketing promises?

Yes

Did implementation of IBM Security QRadar SIEM go as expected?

Yes

Would you buy IBM Security QRadar SIEM again?

Yes

QRadar SIEM is a robust solution for collecting and correlating security events. I have had a fantastic experience with use cases for attacks in Windows environments using Sysmon logs and rules that contain the MITRE techniques for each attack. WinCollect is the IBM agent that performs log collection in Windows environments, and it does so with great performance. Perhaps QRadar SIEM is not suitable for creating a data lake, or only for the purpose of storing logs, especially logs that do not have ready-made parsing.
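
To make the Sysmon plus MITRE ATT&CK use case mentioned above concrete, here is an added example that is not part of the review, of IBM's products, or of any QRadar app store app. It is a miniature rule engine of the kind a "ready-made rules" app ships: Sysmon Event ID 1 (process creation) records are represented as dicts with Sysmon's own field names, and each rule is a predicate tagged with the ATT&CK technique it detects. The four sample events, the rule names and the helper functions are constructed for this example; in QRadar itself the same logic would be expressed as custom rules over the normalized Sysmon properties.

```python
"""Added example: tiny Sysmon process-creation rule engine tagged with ATT&CK IDs.
Not the review author's code and not a QRadar app; sample events are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str                            # hypothetical rule name for this example
    technique: str                       # MITRE ATT&CK technique ID the rule maps to
    match: Callable[[dict], bool]        # predicate over one Sysmon Event ID 1 record


# Constructed Sysmon Event ID 1 records (field names as Sysmon logs them).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": "CORP\\alice"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "Updater" /tr C:\\Users\\Public\\u.exe /sc onlogon',
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\bob"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\carol\\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": "CORP\\carol"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication"',
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": "CORP\\dave"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Last path component, lower-cased, so rules compare executables not full paths."""
    return path.rsplit("\\", 1)[-1].lower()


RULES: List[Rule] = [
    # -e / -ec / -enc / -encodedcommand as a standalone switch on powershell.exe
    Rule("Encoded PowerShell command", "T1059.001",
         lambda ev: _basename(ev["Image"]) == "powershell.exe"
         and re.search(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", ev["CommandLine"]) is not None),
    # An Office application as the parent of a scripting shell (malicious document execution)
    Rule("Office application spawning a shell", "T1204.002",
         lambda ev: _basename(ev["ParentImage"]) in OFFICE_APPS
         and _basename(ev["Image"]) in SHELLS),
    # schtasks /create used for persistence
    Rule("Scheduled task creation", "T1053.005",
         lambda ev: _basename(ev["Image"]) == "schtasks.exe"
         and "/create" in ev["CommandLine"].lower()),
    # rundll32 launching inline script code
    Rule("rundll32 executing script code", "T1218.011",
         lambda ev: _basename(ev["Image"]) == "rundll32.exe"
         and re.search(r"(?i)javascript:|vbscript:", ev["CommandLine"]) is not None),
]


def evaluate(events: List[dict], rules: List[Rule] = RULES) -> List[Tuple[int, str, str]]:
    """Return (event index, rule name, technique) for every rule that fires, in event order.
    One event may trigger several rules, exactly as a SIEM would raise several offenses."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 1:
            continue                      # these rules only cover process creation
        for r in rules:
            if r.match(ev):
                hits.append((i, r.name, r.technique))
    return hits


def techniques_hit(events: List[dict], rules: List[Rule] = RULES) -> List[str]:
    """Distinct ATT&CK technique IDs observed across the events, sorted."""
    return sorted({tech for _, _, tech in evaluate(events, rules)})


if __name__ == "__main__":
    for idx, name, tech in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{tech}] {name}: user={ev['User']} cmd={str(ev['CommandLine'])[:60]}")
```

The design point worth noticing is that each rule carries its technique ID as data, not as a comment: that is what lets a SIEM app roll individual hits up into an ATT&CK coverage view, and it is why the benign notepad.exe event produces no hit while the Word-spawned PowerShell event produces two.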

IBM Security QRadar SIEM Feature Ratings

Correlation
10
Integration with Identity and Access Management Tools
8
Custom dashboards and workspaces
9
Behavioral analytics and baselining
9
Rules-based and algorithmic detection thresholds
10
Reporting and compliance management
8

Using IBM Security QRadar SIEM

QRadar SIEM is essential for providing visibility and timely detection of threats within the company's environment. Analysts can make decisions more assertively by gaining broad visibility of the information collected in the environment. The correlation between the various data sources is what enriches the information for the analyst.
7 - There is a team of 7 people who have specific skills and knowledge in responding to security incidents. This team also takes care of the administration and management of the SIEM in the production environment.
  • Dropping IPs from abuse explorers through an integration with the WAF
  • MITRE ATT&CK rules for Windows events
  • Threat rules from XDR events
  • SIEM integration with SOAR
