IBM Support

Tenable SecurityCenter scan integrations for QRadar do not return IPs or vulnerabilities from completed scans

Troubleshooting


Problem

Tenable SecurityCenter 5.4.x scans complete successfully, but QRadar does not collect any data from the scan result. The logs display a Log Correlation Engine (LCE) error: Retrieving user LCEs during Query validate failed.

Symptom

Scans in QRadar show as complete in the user interface; however, both the hover text in the user interface and the vis service output in /var/log/qradar.log report:
Status:  [Complete] Scan Complete - Processed[0]unique IP addresses
containing [0] ports and [0] vulnerabilities.

Cause

The user running the scan has a permissions issue. The user does not have a standard role; instead, the scan runs with credentials in QRadar for an administrative user. The error Retrieving user LCEs during Query validate failed is generated because the user is a “System Administrator”. In SecurityCenter, administrators have different views and features to manage organizations, groups, users, system settings, and scanners, but do NOT have the ability to view vulnerability data.

Per Tenable 'User Roles' documentation:
Because administrators do not belong to an organization, they do not have access to the data collected by Tenable.sc.

Environment

This issue is known for Tenable SecurityCenter 5.4.x, but might be exhibited in other versions.

Diagnosing The Problem

[vis0.vis] [Tenable Security Center-104-worker] com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterRESTClient: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/--]Error found in JSON response [Retrieving user LCEs during Query validate failed].
[vis0.vis] [Tenable Security Center-104-worker] com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/- -]IP query returned no results.
[vis0.vis] [Tenable Security Center-104-worker] com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule: [ERROR] [NOT:0000003000][X.X.201.75/- -] [-/- -]Vulnerability query returned no results.
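The following added example (not IBM or Tenable code) checks qradar.log lines for this signature by correlating the LCE error with the empty-result errors on each scanner worker thread. The sample lines are constructed: the timestamp, host prefix and 192.0.2.x addresses are assumptions, and only the message text comes from the lines above.

```python
import re
from collections import defaultdict

# Message fragments copied from the qradar.log lines quoted on this page.
SIGNATURES = {
    "lce_error": "Retrieving user LCEs during Query validate failed",
    "no_ips": "IP query returned no results",
    "no_vulns": "Vulnerability query returned no results",
}
# Captures the worker thread name, e.g. "Tenable Security Center-104-worker".
WORKER_RE = re.compile(r"\[vis\d+\.vis\] \[([^\]]+-worker)\]")

def diagnose(lines):
    """Return {worker thread: diagnosis} for vis ERROR lines matching the signatures."""
    seen = defaultdict(set)
    for line in lines:
        m = WORKER_RE.search(line)
        if not m or "[ERROR]" not in line:
            continue
        for name, fragment in SIGNATURES.items():
            if fragment in line:
                seen[m.group(1)].add(name)
    result = {}
    for worker, hits in seen.items():
        empty = hits & {"no_ips", "no_vulns"}
        if "lce_error" in hits and empty:
            result[worker] = "admin-account: scan user cannot read vulnerability data"
        elif empty:
            result[worker] = "empty-results: no LCE error, look for another cause"
        else:
            result[worker] = "lce-error: LCE query failed, no empty-result line seen"
    return result

# Constructed sample input (prefix, timestamp and addresses are invented).
PRE = "Jan  7 10:15:01 ::ffff:192.0.2.10 [vis0.vis] [Tenable Security Center-%d-worker] "
PKG = "com.q1labs.vis.scanners.tenable.securitycenter."
TAG = ": [ERROR] [NOT:0000003000][192.0.2.10/- -] [-/- -]"
SAMPLE_LOG = [
    PRE % 104 + PKG + "SecurityCenterRESTClient" + TAG
    + "Error found in JSON response [Retrieving user LCEs during Query validate failed].",
    PRE % 104 + PKG + "SecurityCenterModule" + TAG + "IP query returned no results.",
    PRE % 104 + PKG + "SecurityCenterModule" + TAG + "Vulnerability query returned no results.",
    PRE % 105 + PKG + "SecurityCenterModule" + TAG + "IP query returned no results.",
]

if __name__ == "__main__":
    for worker, verdict in diagnose(SAMPLE_LOG).items():
        print(f"{worker}: {verdict}")
```

Only the worker that logs the LCE error together with empty results is attributed to the administrator account; a worker with empty results alone is reported separately.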

Resolving The Problem

Administrators should ensure that they configure a scan to use a non-administrator account when attempting to poll for IP and vulnerability data from Tenable Security Center. For more information on editing user roles, see the Tenable SecurityCenter User Guide (PDF).

Document Location

Worldwide


Document Information

Modified date:
07 January 2021

UID

ibm10883862