This metric checks whether SQL Server services are running under any of the default accounts, such as localsystem.
Using a default account for SQL Server services can be a security risk for two reasons. Firstly, it can give the service a higher level of permissions than it needs. Secondly, isolation is compromised by several services running under the same account. It means that, if one of the services is compromised, all the others running under the same account are vulnerable too.
The associated alert will be raised if you’ve used a default user account instead of a domain account.Default user service account,