IBM Security™ QRadar® SIEM features
Fully integrated NDR
Get higher-fidelity, detailed and actionable alerts on threats. The SIEM anchors its analytics to event and log data, while NDR monitors network flows.
Transform your security practice from “in the dark” to proactive detection and response with a broad range of tightly integrated add-on offerings.
Automatic parsing and normalizing of logs
Quickly onboard custom log sources for analysis; new log sources are detected and created automatically from incoming event data.
1,500 out-of-the-box use cases aligned to MITRE ATT&CK
Identify and correlate activities throughout the kill chain, obtain end-to-end visibility into a single alert and get faster detection from day one.
Intuitive, automatic query builder
Use built-in smart property detection and the AQL (Ariel Query Language) query builder to search for and pinpoint valuable data quickly without writing rules or code.
User behavior analytics
Gain greater visibility into insider threats, uncover anomalous behavior, quickly identify risky users and generate meaningful insights.
Threat intelligence and support for STIX/TAXII
Pull in additional threat intelligence feeds and use that data in custom rules for correlation, searching and reporting.
Breadth of services
Quantify and prioritize your risks, detect and respond to threats and unify your organization with industry-leading assessments and strategies.
How it works
Visibility, detection, investigation and response
Enable real-time threat detection through greater visibility across your environments, improved use case management, user behavior analytics and threat intelligence.
Visibility across environments
Problem: Lack of visibility across IT environments that span on-premises infrastructure, cloud and SaaS applications.
Solution: Gain high-fidelity alerts from the 450+ log sources, integrations and network flows supported by QRadar SIEM, covering on-premises, cloud-based and externally sourced attacks.
Use case management
Problem: Understanding whether the use cases in your SIEM cover the whole attack chain.
Solution: See a summary of the use cases in your SIEM by MITRE ATT&CK tactic and technique. Add or update use cases based on tuning recommendations specific to your environment. Review which rules are generating alerts in your environment.
Problem: Automatically detecting the latest threats in your environment without spending hours researching them.
Solution: Find threats by matching events against the latest malicious IP addresses, URLs and malware file hashes from X-Force Threat Intelligence and other threat intelligence sources.
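The two capabilities above (ingesting STIX/TAXII feeds into custom rules, and matching events against malicious IPs, URLs and file hashes) come down to the same mechanic: turn indicators into reference sets, then correlate normalised events against them. The following added example is not IBM's code and does not use the QRadar API; it is a stand-alone Python illustration. The STIX 2.1 bundle and the events are constructed inline (RFC 5737 documentation addresses, an .example host, the SHA-256 of an empty file), and the set names `malicious_ips`, `malicious_urls` and `malicious_hashes` are assumed names for this example.

```python
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle for this example. The identifiers and indicator
# values are placeholders, not real threat intelligence.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--1b1b1b1b-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--1b1b1b1b-0000-4000-8000-000000000001",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--1b1b1b1b-0000-4000-8000-000000000002",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[url:value = 'http://malware.example/drop.php']"},
        {"type": "indicator", "id": "indicator--1b1b1b1b-0000-4000-8000-000000000003",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
        # A revoked indicator must not be loaded, or stale intel keeps firing.
        {"type": "indicator", "id": "indicator--1b1b1b1b-0000-4000-8000-000000000004",
         "pattern_type": "stix", "valid_from": "2023-01-01T00:00:00Z", "revoked": True,
         "pattern": "[ipv4-addr:value = '203.0.113.9']"},
        # A compound pattern needs a real STIX pattern evaluator: report it, do not guess.
        {"type": "indicator", "id": "indicator--1b1b1b1b-0000-4000-8000-000000000005",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.20' AND network-traffic:dst_port = 4444]"},
        # Non-indicator objects (malware, relationships, ...) carry no observable to match.
        {"type": "malware", "id": "malware--1b1b1b1b-0000-4000-8000-000000000006",
         "name": "Dropper", "is_family": False},
    ],
})

# A single comparison on one of the observable properties we map to reference sets.
SIMPLE_PATTERN = re.compile(
    r"\[\s*(ipv4-addr:value|url:value|file:hashes\.'(?:SHA-256|MD5)')\s*=\s*'([^']+)'\s*\]"
)
SET_FOR_PROPERTY = {"ipv4-addr:value": "malicious_ips", "url:value": "malicious_urls"}


def load_reference_sets(bundle_json):
    """Return ({set_name: {values}}, [ids of indicators that were not loaded])."""
    refsets = defaultdict(set)
    unparsed = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        m = SIMPLE_PATTERN.fullmatch(obj["pattern"].strip())
        if not m:
            unparsed.append(obj["id"])
            continue
        prop, value = m.groups()
        name = SET_FOR_PROPERTY.get(prop, "malicious_hashes")
        # Hashes are case-insensitive: normalise once here, not on every event.
        refsets[name].add(value.lower() if name == "malicious_hashes" else value)
    return dict(refsets), unparsed


# Constructed, already-normalised events: the shape a SIEM has after parsing.
EVENTS = [
    {"sourceip": "10.0.0.5", "destinationip": "198.51.100.7", "url": None, "filehash": None},
    {"sourceip": "10.0.0.6", "destinationip": "192.0.2.10",
     "url": "http://malware.example/drop.php", "filehash": None},
    {"sourceip": "10.0.0.7", "destinationip": "10.0.0.1", "url": None,
     "filehash": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"sourceip": "10.0.0.8", "destinationip": "203.0.113.9", "url": None, "filehash": None},
]


def match_events(events, refsets):
    """Correlate events against the reference sets; returns (event index, field, value)."""
    ips = refsets.get("malicious_ips", set())
    urls = refsets.get("malicious_urls", set())
    hashes = refsets.get("malicious_hashes", set())
    hits = []
    for i, ev in enumerate(events):
        for field in ("sourceip", "destinationip"):
            if ev.get(field) in ips:
                hits.append((i, field, ev[field]))
        if ev.get("url") in urls:
            hits.append((i, "url", ev["url"]))
        digest = (ev.get("filehash") or "").lower()
        if digest in hashes:
            hits.append((i, "filehash", digest))
    return hits


if __name__ == "__main__":
    sets, skipped = load_reference_sets(STIX_BUNDLE)
    for hit in match_events(EVENTS, sets):
        print("offense candidate:", hit)
    print("indicators needing manual review:", skipped)
```

Two details matter in production: revoked indicators and indicators past their validity window have to be dropped on every refresh, not just on first load, and any pattern the loader cannot express as a single reference-set lookup should be surfaced for a human rather than silently skipped, since compound patterns are often the higher-fidelity ones. The last event above hits only the revoked address and therefore, correctly, produces no match.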
IBM QRadar SIEM meets these compliance regulations
QRadar SIEM helps your organization show evidence of compliance and declare conformity with applicable regulatory statutes and internal audits for the environments that QRadar SIEM monitors. QRadar SIEM adheres to rigorous security, availability and privacy frameworks, and complies with a range of industry-standard certifications and governance requirements, including:
- Common Criteria
- FIPS 140-2 (Level 1)
- STIG / Hardening
- ISO 27001
- Section 508 VPAT reports
IBM QRadar SIEM can help you meet your compliance requirements
IBM recognizes the critical importance of compliance and up-to-date certifications for clients relying on our product capabilities to secure their data and comply with regulatory requirements.
QRadar SIEM provides compliance packages with default settings for the General Data Protection Regulation (GDPR), the Federal Information Security Management Act (FISMA), Sarbanes-Oxley (SOX), HIPAA, ISO 27001**, the Payment Card Industry Data Security Standard (PCI DSS) and more. All are available in the IBM Security App Exchange and are included free of charge with a QRadar SIEM license. QRadar SIEM integrates with IBM Security QRadar SOAR to provide a proactive, fast and intelligent response to data privacy breaches. QRadar SOAR supports over 180 privacy regulations worldwide, so your security teams can integrate privacy reporting tasks into their overall incident response playbooks and collaborate with privacy and legal teams to address regulatory requirements.
- FISMA
- HIPAA
- ISO 27001**
- PCI DSS
- NIST RMF 800-53
- Gramm-Leach-Bliley Act (GLBA)
Frequently asked questions
Are there prerequisites to installing User Behavior Analytics (UBA)?
Yes. When run on the QRadar SIEM console, the UBA app requires a minimum of 64 GB of memory, and up to 128 GB may be needed. Additionally, consider deploying a QRadar SIEM App Host to get the full benefit of running the UBA app with the machine learning app enabled.
How do I get my organization's data into UBA?
UBA integrates directly into QRadar SIEM, leveraging the existing user interface and database. All enterprise-wide security data remains in one central location and analysts can tune rules, generate reports and connect data as part of their SIEM experience.
Does UBA integrate with my other tools?
Since UBA shares the same underlying database as QRadar SIEM and NDR, any data source that is ingested by QRadar SIEM can be surfaced and leveraged in UBA.
What is the UBA architecture?
UBA is packaged as a collection of three apps: an LDAP app that ingests and coalesces users' identity information, a UBA app that visualizes the data and analytics, and a machine learning app that provides a library of machine learning algorithms used to build behavioral models of users' activities.
What is anomaly detection?
Anomaly detection is a technique used to identify unusual patterns that do not conform to normal behavior and differ significantly from most of the data. UBA builds a baseline of normal behavior from a user's own events and those of similar users (peers), then uses that baseline to detect anomalous behavior.
What is a risk score?
A risk score is the numeric measure of the potential harmfulness of a user's activity. Each anomalous behavior that is detected by UBA impacts an individual user's risk score.
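The two answers above describe a baseline built from a user's own history and from peers, and a risk score that each detected anomaly raises. The following added example, which is not IBM's code and makes no claim about the models inside the UBA machine learning app, shows that pipeline end to end on one simple metric (distinct hosts a user touches per day). It uses the four-week training window the page mentions; the history, peer groups, 3-sigma threshold, `MIN_HISTORY` cutoff, standard-deviation floor and the severity point values are all assumptions made for this illustration.

```python
import statistics

BASELINE_DAYS = 28   # UBA trains on the previous 4 weeks of events
MIN_HISTORY = 7      # assumption: fewer days of history than this -> rely on peers only
Z_THRESHOLD = 3.0    # assumption: more than 3 sigma above the baseline is anomalous
STD_FLOOR = 1.0      # assumption: prevents a flat baseline from dividing by zero
POINTS = {"high": 30, "medium": 15, "low": 5}   # assumption: risk added per severity

# Constructed history: user -> daily counts of distinct hosts accessed, oldest first.
HISTORY = {
    "alice": [3, 4, 3, 5, 4, 3, 4] * 4,        # steady analyst-like pattern
    "bob":   [4, 5, 4, 4, 6, 5, 4] * 4,
    "carol": [30, 28, 31, 29, 30, 32, 30] * 4, # sysadmin, routinely touches many hosts
    "erin":  [5] * 28,                          # helpdesk, flat baseline
    "dave":  [3, 3, 3],                         # joined three days ago
}
PEER_GROUP = {"alice": "finance", "bob": "finance", "dave": "finance",
              "carol": "itops", "erin": "itops"}
# Constructed observations for the day being scored.
TODAY = {"alice": 40, "bob": 6, "carol": 60, "dave": 12, "erin": 31}


def _baseline(values):
    """Mean and floored standard deviation of a window of daily counts."""
    return statistics.fmean(values), max(statistics.pstdev(values), STD_FLOOR)


def peer_baseline(history, peer_group, user):
    """Pool the baseline-window history of the user's peers (excluding the user)."""
    pooled = [v for other, vals in history.items()
              if other != user and peer_group.get(other) == peer_group.get(user)
              for v in vals[-BASELINE_DAYS:]]
    return _baseline(pooled) if pooled else None


def score_observation(history, peer_group, user, today):
    """Compare today's count with the user's own and the peers' baselines."""
    own = history.get(user, [])[-BASELINE_DAYS:]
    z_self = z_peer = None
    if len(own) >= MIN_HISTORY:
        mean, std = _baseline(own)
        z_self = (today - mean) / std
    peers = peer_baseline(history, peer_group, user)
    if peers:
        mean, std = peers
        z_peer = (today - mean) / std

    severity = None
    if z_self is not None:
        if z_self > Z_THRESHOLD:
            if z_peer is None:
                severity = "medium"        # unusual for the user, no peers to compare
            elif z_peer > Z_THRESHOLD:
                severity = "high"          # unusual for the user AND for the peer group
            else:
                severity = "low"           # unusual for the user but normal among peers
    elif z_peer is not None and z_peer > Z_THRESHOLD:
        severity = "medium"                # new user: only the peer baseline is available

    return {"user": user, "value": today, "z_self": z_self, "z_peer": z_peer,
            "anomaly": severity is not None, "severity": severity,
            "points": POINTS.get(severity, 0)}


def update_risk_scores(risk, findings):
    """Each detected anomaly adds its points to that user's cumulative risk score."""
    for f in findings:
        if f["anomaly"]:
            risk[f["user"]] = risk.get(f["user"], 0) + f["points"]
    return risk


def run_day(history, peer_group, today, risk=None):
    findings = [score_observation(history, peer_group, u, v) for u, v in today.items()]
    return findings, update_risk_scores({} if risk is None else risk, findings)


if __name__ == "__main__":
    findings, risk = run_day(HISTORY, PEER_GROUP, TODAY)
    for f in findings:
        print(f["user"], f["value"], f["severity"], f["points"])
    print("risk scores:", risk)
```

The peer comparison is what keeps this from being a pile of false positives: erin's jump to 31 hosts is far outside her own history but ordinary for the itops group, so it is flagged at low severity, while alice's 40 hosts is abnormal for her and for finance and scores high. Dave has too little history for a personal baseline, so only the peer baseline can speak for him, and a user with no history and no peers produces no finding at all rather than a guessed one.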
How long does it take for the machine learning models to train?
Upon installation, the machine learning algorithms ingest the previous four weeks of data from the QRadar database and can take up to one week to build the baseline models of normal user behavior.
Can UBA be deployed in QRadar SaaS (QRadar on cloud)?
The UBA app can be deployed in QRadar SaaS, software or cloud deployments.
How much does the UBA app cost?
The UBA app is offered to QRadar clients at no additional cost.
Where can I go for help with UBA?
IBM Support has dedicated resources who can help with high-priority issues. The UBA app also includes a help and support section covering the LDAP, UBA and machine learning analytics apps.
How does IBM protect user information in UBA?
As with all QRadar applications and modules, the data is encrypted at rest.