Is it possible to query using User Tags (Disabled, Removed, Watch List)? Looking to create a detection covering the scenario of a user with any of these user tags (assumption would be they’re no longer with the org) tries to authenticate to a device or service in scope of InsightVM.
I’ve dug through the documentation and log schema and can’t seem to find anything that fits this.
As far as I know, this is not possible. I opened a support case in the past and I think it was moved to IDEA, but I never heard about it again.
It could actually be great.
Otherwise, Disabled or Removed cannot be managed, but you could create your own WatchList in a VARIABLE, and define detection rules using the variable that contains an “array” of accounts.
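The approach in the reply above (a watch list of accounts kept in a variable and matched by a detection rule), as an added example that is not from this thread and not Rapid7's own rule syntax: a small Python detection run over constructed authentication events. The event field names (`user`, `source_ip`, `service`, `result`), the sample events and the watch-list contents are all assumptions for illustration. The watch list is a mutable set with add/remove helpers, so the same code also shows the dynamic-update case asked about later in the thread, and account names are normalised so a `DOMAIN\user` or `user@domain` form from another log source still matches.

```python
"""Added example (not Rapid7 code): match authentication events against a
watch list of accounts that should never authenticate (disabled, removed,
or otherwise flagged). Field names and sample events are constructed."""
import json

# Constructed watch list: accounts an HR/IAM feed says are disabled or removed.
WATCH_LIST = {"jdoe", "asmith"}

# Constructed authentication events in an assumed JSON shape (not a real schema).
SAMPLE_EVENTS = [
    '{"timestamp":"2024-01-10T08:01:00Z","user":"bwayne","source_ip":"10.0.0.5","service":"vpn","result":"SUCCESS"}',
    '{"timestamp":"2024-01-10T08:02:00Z","user":"JDoe","source_ip":"10.0.0.9","service":"vpn","result":"FAILED"}',
    '{"timestamp":"2024-01-10T08:03:00Z","user":"asmith","source_ip":"198.51.100.7","service":"ssh","result":"SUCCESS"}',
    '{"timestamp":"2024-01-10T08:04:00Z","user":"CORP\\\\asmith","source_ip":"198.51.100.7","service":"rdp","result":"SUCCESS"}',
    'not json at all',
]


def normalize_account(raw):
    """Lower-case and strip a DOMAIN\\ prefix or @domain suffix so the
    comparison is not defeated by different account formats across sources."""
    acct = raw.strip().lower()
    if "\\" in acct:
        acct = acct.rsplit("\\", 1)[1]
    if "@" in acct:
        acct = acct.split("@", 1)[0]
    return acct


def add_to_watch_list(watch_list, account):
    """Dynamic update: normalise and add; returns True only if newly added."""
    acct = normalize_account(account)
    if acct in watch_list:
        return False
    watch_list.add(acct)
    return True


def remove_from_watch_list(watch_list, account):
    """Dynamic update: drop an account (no error if it is not present)."""
    watch_list.discard(normalize_account(account))


def detect(event_lines, watch_list):
    """Return one alert dict per event whose account is on the watch list.
    Failed attempts are flagged too: a disabled account should not be
    trying at all, so the outcome does not matter for this rule."""
    alerts = []
    for line in event_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the rule
        user = ev.get("user")
        if not user:
            continue
        acct = normalize_account(user)
        if acct in watch_list:
            alerts.append({
                "account": acct,
                "raw_user": user,
                "service": ev.get("service"),
                "source_ip": ev.get("source_ip"),
                "result": ev.get("result"),
                "timestamp": ev.get("timestamp"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, WATCH_LIST):
        print(alert)
```

Running it flags the two `asmith` logons and the failed `JDoe` attempt, and ignores `bwayne` until that account is added to the set; the malformed line is skipped rather than breaking the rule.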
Hey folks! I’m a member of the product team here at R7, and have some positive news on this. One of the new things that we are working on is adding some of these fields to be detected on in order to power our migration of UBA rules over to the Detection Rule Library. Once there, you would be able to create Custom Detection Rules using the same syntax as our out-of-the-box rules. In the fullness of time we have thought about how variables can play a role here, and are looking into what we might be able to pre-populate.
Thanks Jordan.
Today, can variables be added dynamically and not only statically? For example, can we build a query while adding a certain “value” to a list/variable and then create a detection rule for that?
Also, can you add/remove to variables via the API?