
IBM QRadar User Behavior Analytics Overview

IBM QRadar User Behavior Analytics is the #8 ranked solution among top User Behavior Analytics - UEBA tools. PeerSpot users give IBM QRadar User Behavior Analytics an average rating of 6 out of 10. IBM QRadar User Behavior Analytics is most commonly compared to Splunk User Behavior Analytics. The top industry researching this solution is comms service providers, accounting for 33% of all views.
What is IBM QRadar User Behavior Analytics?

The User Behavior Analytics for QRadar (UBA) app is a tool for detecting insider threats in your organization. It is built on top of the app framework to use existing data in your QRadar to generate new insights around users and risk. UBA adds two major functions to QRadar: risk profiling and unified user identities.

Risk profiling is done by assigning risk to different security use cases. Examples might include simple rules and checks such as bad websites, or more advanced stateful analytics that use machine learning. Risk is assigned to each one depending on the severity and reliability of the incident detected. UBA uses existing event and flow data in your QRadar system to generate these insights and profile risks of users.

IBM QRadar User Behavior Analytics was previously known as IBM QRadar UBA, QRadar UBA, QRadar User Behavior Analytics.

Buyer's Guide

Download the User Behavior Analytics - UEBA Buyer's Guide including reviews and more. Updated: January 2022


IBM QRadar User Behavior Analytics Pricing Advice

What users are saying about IBM QRadar User Behavior Analytics pricing:
  • "The price of this product is high."
  • "It's free of charge."
  • "The price of this solution is a little bit expensive, so if it were cheaper then it would help."
IBM QRadar User Behavior Analytics Reviews

    Deputy General Manager - Network Security at a tech services company with 201-500 employees
    Real User
    Top 10
    Stable and solid security intelligence but lacks some functionalities
    Pros and Cons
    • "QRadar shows very effective correlations. If you combine all the logins plus user behavior and the current intelligence, it gives a very good correlation for business. I think it reduces the false positives in user activity monitoring because there is a lot of social information to correlate with other data."
    • "From a functionality point of view there are issues sometimes."

    What is our primary use case?

    We use IBM QRadar for monitoring user behavior in order to baseline the user activity. Then we print use cases around those behaviors to see if anything stands out. We can then see if something is going wrong in the enrollment from a user activity point of view.

    What is most valuable?

    In terms of valuable features, QRadar shows very effective correlations. If you combine all the logins plus user behavior and the current intelligence, it gives a very good correlation for business. I think it reduces the false positives in user activity monitoring because we have a lot of social information to correlate with other data.

    What needs improvement?

    From a functionality point of view, there are issues sometimes. There is a component in QRadar where all these certifications need to be installed, like a UPN. Sometimes we experience functionality issues where the logging, indexing, and searching were not working. I have personally seen it misbehaving. Sometimes we need to restart it. In some cases when it was malfunctioning we needed to contact support to resolve the issue. I don't see any issues in the integration model with a UPN from a usability point of view, but with functionally you can experience a lot of issues.

    For how long have I used the solution?

    I have been working with IBM QRadar User Behavior Analytics for two years.

    What do I think about the stability of the solution?

    I have not seen any issues with the stability of the solution either.

    What do I think about the scalability of the solution?

    I have not seen any issues with the scalability of the solution.

    How are customer service and technical support?

    The technical support is fine now. I was not happy with the support when we started with this solution in 2017. If you look at that first year, 2017 to 2018, they had lots of support issues. We logged the cases and they would only call us back depending on their resources. There were no options to call them on a landline or a hotline number. They needed improvement there. They should have had a dedicated support response. Over the last year I have seen an improvement. I used to wait for a week to get a call back from them, but now, when you have critical tickets they will respond in two or three hours, depending on the criticality of your support case. They have improved.

    How was the initial setup?

    The initial setup was neither straightforward nor too complex. It did take some effort to implement, but it was manageable. We did not see any issues implementing it. We actually completed it in three to six months. When we initially implemented it we used some fresh use cases and observed the performance but these were all completed in three to six months. The initial deployment took hardly one week.

    What's my experience with pricing, setup cost, and licensing?

    Regarding the price, it is a bit high for normal customers. It is better for enterprise-class customers where they get a licensing model for MSSP for enterprises.

    Which other solutions did I evaluate?

    We are a service provider company, so our recommendations depend on the customer's preference. The best we can do is propose the solution based on support, pricing, and their requirements.

    What other advice do I have?

    Our customers are satisfied with the product and they are not looking for anything else. I would recommend the product.

    On a scale of one to ten I would rate IBM QRadar User Behavior Analytics a seven.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: partner
    Principal Security Architect at a computer software company with 10,001+ employees
    Real User
    Top 10
    They have to build more quantitative monitoring, profiling, and make it more predictive
    Pros and Cons
    • "In terms of the most valuable features, the log collections and log processing mechanisms are good. They have good dashboards."
    • "They have to build more quantitative monitoring, profiling, and make it more predictive."

    What is our primary use case?

    Some of these products can be used in any vertical like healthcare, manufacturing, and vehicle. You can use these products in all types of verticals. But I found that there is a limitation in central verticals. These products do not do well in central verticals.

    What is most valuable?

    In terms of the most valuable features, the log collections and log processing mechanisms are good. They have good dashboards. They probably have the best cloud management log processing. They are going to announce user intended behavior and management features. Compliance monitoring is okay. All these things become a commodity.

    What needs improvement?

    They have to build more quantitative monitoring, profiling, and make it more predictive.

    For how long have I used the solution?

    I have been working with IBM QRadar for the last seven to eight years. 

    What do I think about the stability of the solution?

    QRadar is quite stable, but I am not sure about the volume. There is no clear volume. If I were to cross to an enterprise and the stability is not available then it would be a problem.

    What do I think about the scalability of the solution?

    Augmented solutions are very tough to scale because you already fulfilled how well you fulfill the software and then you will have to limit the scalability. That is a problem.

    Our clients are small, medium, and enterprise size. 

    How are customer service and technical support?

    Technical support is not that strong from IBM. It definitely does not compare to any standard support organization. It's not that great.

    How was the initial setup?

    The setup is comparatively easy, it's not that tough. But if you look at the current situation with COVID-19, people or organizations are not looking at how easy the cost of the innovation is. People want a plug and play option. 

    It's like if you go to the market you buy a car, you get the key, just sit in the car and drive it out. With traditional companies like IBM, you have to use all the hardware, you have to use all the software, and the setup can take one month, two months, three months, depending on the scope. Nowadays consumers are looking for a souped-up car. They expect the tool to be operational maximum within a week's time or 15 days. That is what is missing in the QRadar.

    The time it takes to deploy depends on the project scope. The order of planning can take a month to three months.

    You will need three people to set it up. It can get quite expensive in retrospect. I prefer to have a plug and play service.

    What's my experience with pricing, setup cost, and licensing?

    There are more costs in addition to standard licensing; support, building.

    What other advice do I have?

    If you are only looking at IBM, make sure to evaluate the product thoroughly. Make sure to see the complete list they offer, like more of the competitive features. Explore the options available on the market.

    It doesn't really integrate well with other products. 

    I would rate it a three out of ten. It is missing key features. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Misbah Fatima
    Application Security Architect at Bank Al Habib Limited
    Real User
    Top 10
    Stable and reliable but needs better integration with extensions
    Pros and Cons
    • "I really like the feature we have with the logs, that if there are any credit card numbers being used, like a PII, you can just use rejects and you can mask it. This is a really good feature in QRadar."
    • "There should be an extension where we can get the reports. This could be an extension to the dashboard with the Guardian or another product with limited technology, for example IPS. Now, we only have IBM. Basically, it needs more and more integration models."

    What is our primary use case?

    Our primary use case with IBM QRadar User Behavior Analytics is seeing if there are log-ins from the same IDs but from different locations, this is one use case. Or if MAC addresses keep changing, this is another use case. Lastly, if the risk level is high, like with different IPs. These are the three use cases we have.

    What is most valuable?

    I really like the feature we have with the logs, that if there are any credit card numbers being used, like a PII, you can just use rejects and you can mask it. This is a really good feature in QRadar.

    What needs improvement?

    In terms of what could be improved, it would be easier if you didn't have to long escape for a bar sync. If you have to, the logs are not automatically barred, so you have to guide the whole atmosphere.

    Additionally, there should be integration with IBM Guardian. 

    Lastly, there should be an extension where we can get the reports. This could be an extension to the dashboard with the Guardian or another product with limited technology, for example IPS. Now, we only have IBM. Basically, it needs more and more integration models.

    For how long have I used the solution?

    I have been using IBM QRadar User Behavior Analytics for a month or two.

    What do I think about the stability of the solution?

    In terms of stability, in my current company, QRadar is working fine. But in my previous organization that was using QRadar, we experienced some QRadar failures. There were two or three times the data was wiped out instead of transferring to EGA and we had to restart QRadar from scratch and all the data was lost. It happened a lot. Maybe it was due to lack of management since it was a new company.

    How are customer service and technical support?

    We do have experience with support. We get support from the IBM people in Karachi, Pakistan.

    They're good.

    How was the initial setup?

    The initial setup was really easy, it was really straightforward. I got it done in one day.

    What other advice do I have?

    What advice would I give? I want the certification to be very honest. I typically like the hands-on with QRadar, they're quite different.

    On a scale of one to ten, I would rate IBM QRadar User Behavior Analytics a seven.

    I have used other solutions, like LogRhythm, for a few use cases like ransomware detection, etc., and there were fewer false positives there. With the ransomware especially, it was very thin there. We actually have very few use cases and there were lots of false positives with QRadar. If I compare the AI function and the logarithms I think it needs some improvement.

    It is a complex product compared to LogRhythm.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Muhammad Moqeet
    Senior Manager, Security Architecture & Operation, Corporate Security at Omantel
    Real User
    Top 5 Leaderboard
    Good reporting and integration is easy, but searching is slow and the dashboard needs to be improved
    Pros and Cons
    • "Integration is very easy and the reporting is good."
    • "The dashboard is pathetic and it takes a long time to perform a search."

    What is our primary use case?

    This is a security monitoring product and the primary use case is to detect strange behavior by users. For example, if we have a user that has not used the service for a long time and then all of a sudden, somebody logs in one night. This is not normal and the system will detect it. This is just one example of many use cases.

    What is most valuable?

    Integration is very easy and the reporting is good.

    What needs improvement?

    This is a good product, although it does require some fine-tuning.

    The dashboard is pathetic and it takes a long time to perform a search.

    The graphics need to be improved.

    Providing good support is something that they need to work on.

    It would be helpful if IBM published more use cases.

    For how long have I used the solution?

    We have been using QRadar UBA since 2016.

    How are customer service and technical support?

    The issue that I have with technical support is related to their large pool of resources. If you are lucky then you get good support, but sometimes you get pathetic support. Suppose you open a ticket, there are times where it will be very good, but the quality is intermittent.

    Which solution did I use previously and why did I switch?

    I have experience working with Splunk and I find that the searching capabilities are better with it. Also, the processing time in Splunk is better. With QRadar UBA, when you have three, four, or five rules together, it takes more time to respond.

    How was the initial setup?

    The complexity and length of time required for the initial setup depend on the requirements. There are some out-of-the-box features that can be implemented right away, but some equipment is not supported directly, so you need to write a DSM (device support module).

    Implementing a DSM takes some time, although it will depend on the log source. If the log source is fully compatible then it will be very quick. However, if it is not compatible then you will need to do some scripting and other work.

    What's my experience with pricing, setup cost, and licensing?

    The price of this product is high.

    What other advice do I have?

    QRadar is not perfect. It's a good security monitoring product that can provide threat intelligence, but it cannot do it alone. You need to integrate with many other things, such as IBM Orchestrator. Also, you need to have X-Force. After these kinds of things are integrated, it works a little bit better.

    I would rate this solution a six out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: partner
    Dmytro Petrashchuk
    VP of Cybersecurity at IT Specialist LLC
    Real User
    Top 5
    Free of charge and fully integrated with QRadar SIEM
    Pros and Cons
    • "The feature that I find the most useful is that IBM QRadar User Behavior Analytics is free of charge. It's a fully free product that can be installed on top of IBM QRadar SIEM."
    • "The user interface and configurability of IBM QRadar User Behavior Analytics can be improved. It has a lot of pre-configured settings and not many things can be changed. It also needs more integrations. Currently, User Behavior Analytics is integrated only with IBM QRadar. It could have deeper integrations. It can also have more complicated scoring models. Currently, it has a very simple linear scoring model for users."

    What is our primary use case?

    User Behavior Analytics is a part of IBM QRadar. It's a kind of application that can be installed over IBM QRadar SIEM. The primary use case is to detect user behavior anomalies, and through these anomalies, detect and better understand different threats and attacks.

    What is most valuable?

    The feature that I find the most useful is that IBM QRadar User Behavior Analytics is free of charge. It's a fully free product that can be installed on top of IBM QRadar SIEM.

    What needs improvement?

    The user interface and configurability of IBM QRadar User Behavior Analytics can be improved. It has a lot of pre-configured settings and not many things can be changed.

    It also needs more integrations. Currently, User Behavior Analytics is integrated only with IBM QRadar. It could have deeper integrations. 

    It can also have more complicated scoring models. Currently, it has a very simple linear scoring model for users.

    For how long have I used the solution?

    I have been using this solution for about two years. We implement this solution as well as do demonstrations. We are also using it.

    What do I think about the stability of the solution?

    It's quite stable. 

    What do I think about the scalability of the solution?

    It could be quite scalable, but it is not so easy to use when you have a lot of users. Because of the user interface shortcomings, it's not so useful when you have thousands of users. 

    How are customer service and technical support?

    The second line of support is quite inexperienced in User Behavior Analytics, and they rarely are able to help. We had several serious issues with this product, which made it impossible to use for a customer. We had to spend a lot of time in finding the right person to help us in resolving the issues.

    How was the initial setup?

    The initial setup is really straightforward. IBM QRadar User Behavior Analytics is very easy to deploy. Usually, if someone has already installed QRadar SIEM, then deploying User Behavior Analytics takes two to three hours.

    What's my experience with pricing, setup cost, and licensing?

    It's free of charge.

    What other advice do I have?

    I like IBM QRadar User Behavior Analytics. I would rate it an eight of ten. It still needs a lot of improvement, but its main advantage is that it's fully integrated with a SIEM system, and it's free of charge.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: partner
    WiseCat
    Enterprise Architect, CISSP at a tech services company with 1,001-5,000 employees
    Real User
    Top 5 Leaderboard
    A solution with a powerful and easy-to-use GUI and good technical support

    What is our primary use case?

    The first thing that we implemented for user behavior was to find out whether somebody is logging in at odd hours. It studies user behavior.

    What is most valuable?

    My favorite thing is that it comes with good usability.

    It has a powerful GUI where you can put together your use cases, and don't have to write your own scripts.

    What needs improvement?

    The price of this solution is a little bit expensive, so if it were cheaper then it would help.

    While the interface is easy to use, it could be a little more responsive. It can be a bit sluggish at times.

    For how long have I used the solution?

    I have been using IBM QRadar for about a year.

    What do I think about the stability of the solution?

    We have not experienced any issues with stability.

    What do I think about the scalability of the solution?

    Scalability has not been a problem, although our environment is not very big. Perhaps at a later stage and with a bigger environment, we might have issues.

    How are customer service and technical support?

    I have been in contact with technical support on one or two occasions. The experience was good and we are satisfied.

    Which solution did I use previously and why did I switch?

    I also have experience using Splunk.

    How was the initial setup?

    The initial setup is really straightforward. It's a bonus point of this solution.

    What other advice do I have?

    I would rate this solution an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: partner
    ErayKaraoglu
    Network & Cyber Security Engineer at a manufacturing company with 1,001-5,000 employees
    Real User
    Top 10
    A stable solution that comes with many search options

    What is most valuable?

    It provides many options for searching. I can see devices from different vendors, like Cisco, in one interface, which is good for me.

    What needs improvement?

    We sometimes get an error about the hard drive. Approximately once in two months, we can't find the logs, and they go missing, which is a terrible issue. We are getting support for this issue from our support company.

    For how long have I used the solution?

    I have been using this solution for one and a half years. We have been using this solution in our company for about four years. We have around 800 to 900 users.

    What do I think about the stability of the solution?

    It is very stable, but the hard drive sometimes does not have logs.

    How are customer service and technical support?

    IBM is always there to support us. We have no trouble with them.

    We have agreements with different companies for support. They are good. For some issues, they take more time, like a day or two days. 

    What about the implementation team?

    We have almost ten engineers for IT sites.

    What other advice do I have?

    I would rate IBM QRadar User Behavior Analytics an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Solution Manager at ZZTL
    Reseller
    Top 20
    Has a good feature set and good stability

    What is most valuable?

    Most of the features are good. It is an excellent solution. 

    What needs improvement?

    Some of the features should be more cooperative but other than that, everything is okay.

    For how long have I used the solution?

    I have been using IBM QRadar User Behavior Analytics for a year. 

    What do I think about the stability of the solution?

    It is very stable. 

    What do I think about the scalability of the solution?

    It is also scalable. 

    How are customer service and technical support?

    Our team handles its own support. We are capable of doing our own technical support but we also have IBM to get their help as well.

    How was the initial setup?

    The initial setup is not straightforward but of medium complexity. It's not simple but not so complex. It usually takes two to three weeks to deploy. 

    What's my experience with pricing, setup cost, and licensing?

    The price is very high. Some of our customers cannot afford it. 

    What other advice do I have?

    IBM should reduce the pricing, or reduce some of the features for a more economical solution for the customer.

    I would rate it an eight out of ten. They should reduce the pricing. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: reseller