Which lookup table does the Default Account Activity Detected correlation search use to flag known default accounts?
Which lookup table does the Default Account Activity Detected correlation search use to flag known default accounts?
The Default Account Activity Detected correlation search uses the lookup table Administrative Identities to flag known default accounts. This matches the intent of identifying default accounts within a system, which often includes administrative accounts that frequently have default settings.
Should be A. Reference: https://community.splunk.com/t5/Splunk-Enterprise-Security/Default-Account-Usage-Correlation-Search-All-user-as-default/m-p/333887 Also, you can run | inputlookup administrative_identities.csv to see the content.
The wording of this question is bad. Known default accounts could be assumed to be for Administrative or for VIPs. However, C is the likely answer for the question due to the identities lookup you can set the user to be flagged as a default account. A and D implies you are monitoring VIPs or elevated users, which the question is not asking.
The Default Account Activity Detected correlation search in Splunk Enterprise Security uses the "Privileged Accounts" lookup table to flag known default accounts. This table contains information about accounts with elevated privileges, including default accounts that could pose a security risk if used maliciously.