IBM Security QRadar Suite Software: SIEM & SOAR

Most of the use cases are based on MITRE ATT&CK, such as phishing email, DDoS attack, privilege escalation, all MITRE ATT&CKs with scanning the environments, using suspicious activity internal to our network. We have thousands of use cases covering different domains at network levels.

We have use cases covering security controls and firewalls. We also have use cases that cover Active Directory, server events, and Citrix. Because we are working in a telecom company, we are covering 5G and 4G logs.

The aggregations are valuable when creating use cases with aggregations, which is beneficial for us.

For automation, we are using multi-platform solutions. We have FortiSOAR  and IBM Resilient  for IBM Security QRadar  orchestration. We integrate with both IBM Security QRadar  and ArcSight, as we are working with customers who use both systems.

IBM Security QRadar has some areas for improvement. We have missed some DSM components. We need to customize logs where there is no DSM or connector for certain products.

We can integrate but we have missed the DSM, which is the connector to pass logs coming from different applications. For example, with a university customer, we tried onboarding Canvas service. IBM Security QRadar does not support Canvas, so we had to create custom scripts and workarounds to pull logs from Canvas.

We have been using the solution for around five years.

The deployment is straightforward and easy for both installation types: standalone console, all-in-one, or in distribution modes.

Currently, it is very stable.

For EPS license, if you increase or exceed the EPS license, you cannot receive events and IBM Security QRadar comes with this server. This issue existed previously when exceeding the limit for EPS license.

The customer service experience is mixed. For critical issues, they provide L1 support rather than expert support initially. The L1 support follows standard steps before escalating to the development team or expertise team. In critical situations, this process can be problematic. Support needs to understand the issue first, then escalate it to the engineering team. The engineering team then sends an appointment meeting about the issue. This process can result in outages lasting three to four hours.

Neutral

I have been in the cybersecurity field since 2012. I have experience with many cybersecurity products including IBM Security QRadar, Splunk, SOAR , IBM Resilient  SOAR , Phantom , and various security controls and products.

ROI calculation is more applicable when using SOAR rather than SIM. In SIM, you don't have functions or enrichment to check if an IP is malicious or different reputations or websites. With SOAR, you can calculate ROI. For example, when an analyst receives alerts on IBM Security QRadar Offense, they would typically take 10 to 15 minutes to check an IP in VirusTotal , AbuseIPDB, TotalVirus, and other sources. With SOAR, the workflow takes one minute or less to complete the analysis.

When comparing with Splunk, IBM Security QRadar's cost is reasonable. Splunk is more expensive than IBM Security QRadar.

We have machine learning for User Behavior Analytics  (UBA ), but IBM Security QRadar does not have AI connectors or integration with ChatGPT . Some SOARs are working with AI, such as FortiSOAR , which has chatbot and AI integration with ChatGPT  to create playbooks, assist analysts in exporting reports, and provide recommendations for alert responses.

This implementation process receives a rating of six. In UAE, we have strict restrictions regarding compliance, particularly NIST compliance. Most companies should have local LLM, not public. Most SIM solutions or SOAR don't have the capability to build or need custom connectors for using AI with internal LLM, rather than cloud-based solutions ChatGPT or Gemini. Overall, I would rate IBM Security QRadar an eight out of ten.

Neutral

I use it daily because it's shared as a log alert, and we have a security operations center. Every now and then, and almost every day, there are some alerts. I utilize it every day, twenty-four by seven, as you can see.

Actually, the dashboard is very good. The dashboard is easy to use and easy to understand what's going on and what the alerts mean. It's very user-friendly, I would say. So far, it's very good. Recently, I faced an incident, a cyber incident, and it was detected in real time. It correlates well with other solutions. I have EDR, vulnerability, and IPS, and it shows useful findings for root cause analysis.

There are many types of AI, and this AI is very limited in SQL and features. There may be potential for improvement. So far, it seems very limited. It shows some good features in the correlation part, but I think there is room for improvement. For instance, when creating rules, it can suggest more rules, reducing the effort needed. If AI-related support can suggest rules and integrate with existing security devices like MD, IPS, this SIM can create more relevant rules. Sometimes logs I receive don't mean anything, and I need technical stakeholders to share or forward logs, but these are sometimes inadequate. Keywords can help identify insufficient logs. I often lack time to verify logs. Sharing false positive results could be reduced to help my team.

I have been working with the product for the last four months.

The product has been stable so far. I didn’t face any issues after deployment. I haven't encountered any software deployment issues, although I have only used it for four or five months. I might face issues after a year, two years, or with a major release or software update.

I am satisfied with the scalability. It depends on my budget. How much I spend on licensing size is up to me.

I received very good support, possibly due to a good relationship with IBM. I don't know about other companies, but I am happy with the support.

Positive

Previously, I had another SIM before IBM brought it up, but I couldn't correlate with different solutions. Now it saves me at least one hour, sometimes up to three hours. I used Micro Focus, which I think was acquired by another company, possibly OpenText. The ownership changed. I am very satisfied with Qradar compared to OpenText. It's superior. I am not sure which one is best, but so far it is. My people had good training and needed to invest time to get good results.

The initial setup was very difficult. I needed help from the local partner and expert users. Without expert users, it's challenging to deploy.

Assistance from the support system is always needed.

It's still very early, but I have saved significant damage. Investing this amount was very much worth it for my organization.

The cost depends. The price I negotiated varies by region and relationship with the OEM. Cost is not shared due to another procurement team handling negotiations, but it was reasonable as far as I know.

My advice is to understand your infrastructure first. Assess the size before sending any protocol requests or RFPs to adjust licensing costs. You may procure licenses less or more than needed, impacting finances. Analyzing your infrastructure is crucial, considering the logs and security issues you will set. Trained personnel are necessary. Without them, usage is challenging. Overall, the product rating is eight out of ten.

I have experience with Centimeters solutions, one of which is Microsoft Sentinel. I often confuse the names, but I mean Sentinel. I also have experience with QRadar. In the past, I worked with Elasticsearch. I have generally configured some integrations, for example, between QRadar and other production environments for sending custom logs, though not all of them. I have been doing this for about two to three years. Usually, devices do not send CF in syslog or CS format logs, so we often troubleshoot on a Vural collector. Sometimes a device does not send the packet to a local collector, and we troubleshoot from the local collector's side. My colleagues and I generally use this management for production. I have integrated some network and security devices to send logs. In Turkey, there are regulations by the government that require collecting Internet traffic from VDS users. We need encryption on each log on QRadar. I focus on setting up this configuration. Our customers use Cisco StealthWatch, formerly known as NDR solutions, and we integrated these logs with QRadar and StealthWatch because we prefer not using all of them on NDR solutions. We send specific logs from StealthWatch. This integration is basic, not advanced, though there are some easy API integrations for communication between devices.

I think there is room for improvement with correlations in QRadar, especially in terms of customer logs. We receive logs from different types of devices and need a way to correlate them effectively. This would help identify critical or high-priority alarms in QRadar. Perhaps we are missing parameters in QRadar and need to double-check to enhance functionality.

I have used the solution for approximately two to three years.

We sometimes experience downtime, but it depends on the version. There is some variability.

Our partners in Turkey support QRadar integration because our team does not manage all aspects. We usually rely on local partners for support. They assist with advanced issues, such as hardware or other problems, that are not part of standard operations.

Positive

All technologies are advancing towards AI integration. It is essential to integrate AI capabilities into devices to keep pace with future technologies and integrations. We should configure AI technologies in these products, though we currently lack experience and information. My overall rating for this solution is nine out of ten.

I am using QRadar, like standard centimeters, for security monitoring for information systems.

I use standard rules and special user-defined or correlation rules. I also use behavioral analysis for users. Additionally, there is limited integration with other systems. IBM is seeking information about IBM QRadar because a part of QRadar, especially in the cloud, has been sold to Palo Alto.

Improving the integration with IBM Server for MetaMask for correlation rules would be beneficial. Currently, I use Sentinel in Azure, and I would prefer creating one rule to roll it out to both Sentinel and QRadar. However, this is not possible because QRadar lacks this capability.

I have been using QRadar for five or six years.

I think QRadar is stable and currently satisfies my needs. However, there is uncertainty about the future because if IBM sold part of QRadar to Palo Alto, it would be a concerning signal.

Scalability is fine. It is one of the three well-known CMs.

I am unsure because the problem escalates through level one to level three, and then the process starts over with Novo again. This is problematic for technical support.

I am not personally using it. These boxes are in use within my company.

In the middle of evaluating, I am looking for some information about comparison boxes or licenses, products, and so on. I am interested in this issue, but I will not purchase it personally. We have a plan for internal projects for this. Product rating: five out of ten.