IBM Support

Tenable SecurityCenter scan integrations for QRadar do not return IPs or vulnerabilities from completed scans



Tenable SecurityCenter 5.4.x scans complete successfully, but QRadar does not collect any data from the scan result. The logs display a Log Correlation Engine (LCE) error: Retrieving user LCEs during Query validate failed.


Scans in QRadar complete per the user interface; however, both the hover text in the user interface and reported by the vis service in /var/log/qradar.log:
Status:  [Complete] Scan Complete - Processed[0]unique IP addresses
containing [0] ports and [0] vulnerabilities.


Permissions issue for the user running the scan. The users is not a standard role, instead is running the scan with credentials in QRadar for an administrative user. The error Retrieving user LCEs during Query validate failed is generated because the user is a “System Administrator”.  In SecurityCenter, administrators have different views and features to manage, organizations, groups, users, system settings, scanners, but do NOT have the ability to view vulnerability data.

Per Tenable 'User Roles' documentation:
Because administrators do not belong to an organization, they do not have access to the data collected by


This issue is known for Tenable SecurityCenter 5.4.x, but might be exhibited in other versions.

Diagnosing The Problem

[vis0.vis] [Tenable Security Center-104-worker] com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterRESTClient: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/--]Error found in JSON response [Retrieving user LCEs during Query validate failed].
[vis0.vis] [Tenable Security Center-104-worker] com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/- -]IP query returned no results.
[vis0.vis] [Tenable Security Center-104-worker] com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule: [ERROR] [NOT:0000003000][X.X.201.75/- -] [-/- -]Vulnerability query returned no results.

Resolving The Problem

Administrators should ensure that they configure a scan to use a non-administrator account when attempting to poll for IP and vulnerability data from Tenable Security Center. For more information on editing user roles, see the Tenable SecurityCenter User Guide (PDF).

Document Location


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Tenable Security Center;completed scan data","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
07 January 2021