IBM Security™ QRadar® SIEM features

Fully integrated NDR

Get higher fidelity, detailed and actionable alerts from threats. SIEM anchors the analytics to an event or log data while NDR monitors network flows.

700+ integrations

Transform your security practice from “in the dark” to proactive detection and response with a broad range of tightly integrated add-on offerings.

Automatic parsing and normalizing of logs

Quickly onboard custom log sources for analysis, detect and create new log sources based on incoming event data.

1,500 out-of-the-box use cases aligned to MITRE ATT&CK

Identify and correlate activities throughout the kill chain, obtain end-to-end visibility into a single alert and get global day-1 faster detection.

Intuitive, automatic query builder

Leverage built-in smart property detection and AQL query builds, quickly search and pinpoint valuable data without having to write rules and code.

User behavior analytics

Gain greater visibility into insider threats, uncover anomalous behavior, quickly identify risky users and generate meaningful insights.

Threat intelligence and support for STIX/TAXII

Pull in additional threat intelligence feeds and deploy the data to create custom rules for correlation, searching and reporting.

Breadth of services

Quantify and prioritize your risks, detect and respond to threats and unify your organization with industry-leading assessments and strategies.

How it works

Visibility, detection, investigation and response

Enable real-time threat detection through greater visibility across your environments,
improved use case management, user behavior analytics and threat intelligence.


IBM QRadar SIEM meets these compliance regulations

QRadar SIEM helps your organization show evidence of compliance and declaration of conformity with applicable regulatory statues and internal audits for the environments that QRadar SIEM is monitoring.  QRadar SIEM adheres to rigorous security, availability, and privacy frameworks, and complies with a range of industry-standard certifications and governance including:

  • Common Criteria
  • FIPS140-2 (Level 1)
  • STIG / Hardening
  • ISO 27001
  • Section 508 VPAT reports


IBM QRadar SIEM can help you meet your compliance requirements

IBM recognizes the critical importance of compliance and up-to-date certifications for clients relying on our product capabilities to secure their data and comply with regulatory requirements.

QRadar SIEM provides default-setting compliance packages for General Data Protection Regulation (GDPR), the Federal Information Security Management Act (FISMA), Sarbanes-Oxley (SOX), HIPAA, ISO 27001**, Payment Card Industry Data Security Standard (PCI DSS) and more. All are available in the IBM Security App Exchange and are included free of charge with a QRadar SIEM license. QRadar SIEM integrates with our IBM Security QRadar SOAR solution to provide a proactive, fast, and intelligent response to data privacy breaches. IBM Security QRadar SOAR supports over 180 privacy regulations worldwide, so your security teams can integrate privacy reporting tasks into their overall incident response playbooks, and collaborate with privacy and legal teams to address regulatory requirements.

These include:

Frequently asked questions

Are there prerequisites to installing User Behavior Analytics (UBA)?

Yes. If running on a QRadar SIEM console, the UBA app requires a minimum of 64 GB or up to 128 GB of memory. Additionally, consider the deployment of a QRadar SIEM app host to access the full benefits of running the UBA app with the machine learning app enabled.

How do I get my organization's data into UBA?

UBA integrates directly into QRadar SIEM, leveraging the existing user interface and database. All enterprise-wide security data remains in one central location and analysts can tune rules, generate reports and connect data as part of their SIEM experience.

Does UBA integrate with my other tools?

Since UBA shares the same underlying database as QRadar SIEM and NDR, any data source that is ingested by QRadar SIEM can be surfaced and leveraged in UBA.

What is the UBA architecture?

UBA is packaged as a collection of 3 apps—an LDAP app that helps ingest and coalesce users' identity information, a UBA app that helps visualize data and analytics, and a machine learning app that provides a library of machine learning algorithms used to create behavioral models of users' activities.

What is anomaly detection?

Anomaly detection is a technique used to identify unusual patterns that do not conform to normal behavior and differ significantly from most of the data. UBA builds a baseline of normal behavior from a user’s and similar users’ (peers) events and then uses that baseline to detect anomalous behavior.

What is a risk score?

A risk score is the numeric measure of the potential harmfulness of a user's activity. Each anomalous behavior that is detected by UBA impacts an individual user's risk score.

How long does it take for the machine learning models to train?

Upon installation, machine learning algorithms ingest the previous 4 weeks of data from the QRadar database and can take up to 1 week to build the baseline models of normal user behavior.

Can UBA be deployed in QRadar SaaS (QRadar on cloud)?

The UBA app can be deployed in QRadar SaaS, software or cloud deployments.

How much does the UBA app cost?

The UBA app is offered to QRadar clients at no additional cost.

Where can I go for help with UBA?

IBM Support has dedicated resources who can help with high priority issues. The UBA app includes a help and support section for using the LDAP, UBA and machine learning analytics apps.

How does IBM protect user information in UBA?

As with all QRadar applications and modules, the data is encrypted at rest.


* Please contact your sales representative for GDPR and CCPA as these requirements differ for each customer.

** ISO 27001 Operational certification available for QROC (SaaS).   Software deployments are reliant on customer operational practices.