Analysis and experience with QRadar SIEM
April 10, 2024


Saulo Prado | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Software Version

QRadar Advisor with Watson (legacy branding)

Modules Used

  • SIEM
  • SOAR

Overall Satisfaction with IBM Security QRadar SIEM

I have used IBM QRadar SIEM since 2014 and have had a good experience since then. We have a large number of security assets, and QRadar SIEM helps us collect and correlate alerts, events, flows and incidents from multiple vendors. I am part of a SOC team at a financial institution with more than 90k employees, thousands of security devices and thousands of endpoints, and without the help of QRadar SIEM it would be impossible to analyze threats, attacks and exploitations.
  • event correlation
  • event search timing
  • friendly managed rules
  • vendor integration capability
  • service support
  • Improvement in the process of consuming virtual machine resources
  • improvement in the process of analyzing errors and warnings generated by the system
  • reduction in incident response time
  • Visibility of normalized data, reducing manual work time for parsing
  • Reduction in the security risk of the environment as a whole
QRadar SIEM has a wide app store that helps integrate hundreds of vendors and adds a lot of value to the incident response process. An interesting example is the use case we are implementing for attacks on Windows endpoints using sysmon logs. I downloaded the "Mitre Windows App" by siencesoft and it brought me dozens of ready-made rules among other features.
In 10 years of using QRadar SIEM, I have never had any problems with delays in the handling of any case. They always respect the level of criticality we place on cases. We had numerous cases in which the criticality and severity were maximum, and they responded within the time agreed in the SLA.
The QRadar licensing process is based on EPS (Events Per Second), and there are no limitations on event collection, regardless of the origin of the logs. This becomes an advantage, as the price is agreed between the parties before purchase, so you know what you can use from the SIEM infrastructure. In Microsoft Sentinel, licensing is by type of log ingestion, which makes the event management process more complex when paying for the solution, in addition to making it more expensive and unpredictable.

Do you think IBM Security QRadar SIEM delivers good value for the price?

Not sure

Are you happy with IBM Security QRadar SIEM's feature set?

Yes

Did IBM Security QRadar SIEM live up to sales and marketing promises?

Yes

Did implementation of IBM Security QRadar SIEM go as expected?

Yes

Would you buy IBM Security QRadar SIEM again?

Yes

QRadar SIEM is a robust solution for collecting and correlating security events. I have had a fantastic experience with use cases for attacks in Windows environments using sysmon logs and rules that contain the MITRE techniques for each attack. WinCollect is the IBM agent that performs log collection in Windows environments, and it does so with great performance. Perhaps QRadar SIEM is not suitable for creating a data lake or for the sole purpose of storing logs, especially logs that do not have ready parsing.

IBM Security QRadar SIEM Feature Ratings

Correlation
10
Integration with Identity and Access Management Tools
8
Custom dashboards and workspaces
9
Behavioral analytics and baselining
9
Rules-based and algorithmic detection thresholds
10
Reporting and compliance management
8