Which lookup table does the Default Account Activity Detected correlation search use to flag known default accounts?

The Default Account Activity Detected correlation search uses the Identities lookup table to flag known default accounts. The Identities table is specifically designed to hold information about user accounts, including default or baseline accounts that various systems or software may pre-configure. By referencing this lookup table, the correlation search can identify and analyze any activity associated with these default accounts, which is crucial for maintaining security and monitoring for potential unauthorized access. Properly managing and monitoring default accounts is important because attackers often target them to exploit known configurations.
