Hi,
I am trying to "reverse engineer" a rule that someone has previously written to show if accounts have been added into the domain admin or built-in user groups. I can see it works, and if I write it myself with individual event IDs (632, 633, 636, 637) I know each works.
What they have done, though, is write it as one rule -
"Matches regular expression" and the value is done as -
^(632)(633)(636)(637)$
I just wondered, is it documented what the ^, ( ) and $ are actually doing? It works, I just want to know why.
Thanks
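As an added example (not part of the original post), the following Python compares the pattern quoted above with two variants, one using alternation (`|`) inside the group and one with no anchors, against the four event IDs plus a few constructed strings, so the effect of `^`, `( )` and `$` can be seen directly:

```python
import re

# The four event IDs the rule is meant to catch, as given in the post.
EVENT_IDS = ["632", "633", "636", "637"]

# Constructed sample values: the four IDs, their concatenation, and two
# strings that merely contain an ID (to show what the anchors reject).
SAMPLES = EVENT_IDS + ["632633636637", "1632", "6321"]

# The pattern quoted in the post: four adjacent groups, anchored with ^ and $.
# ^ = start of string, $ = end of string, ( ) = a group that must appear in sequence.
PATTERN_AS_POSTED = r"^(632)(633)(636)(637)$"

# Alternation inside one group: exactly one of the four IDs and nothing else.
PATTERN_ALTERNATION = r"^(632|633|636|637)$"

# Same alternation without anchors, to show what ^ and $ contribute.
PATTERN_UNANCHORED = r"(632|633|636|637)"


def which_match(pattern: str, values) -> dict:
    """Return {value: matched?} using search(), so only ^ and $ decide the anchoring."""
    rx = re.compile(pattern)
    return {v: rx.search(v) is not None for v in values}


def matched_values(pattern: str, values) -> list:
    """Just the values the pattern matches, in input order."""
    return [v for v, ok in which_match(pattern, values).items() if ok]


if __name__ == "__main__":
    for label, pat in [("as posted", PATTERN_AS_POSTED),
                       ("alternation", PATTERN_ALTERNATION),
                       ("unanchored", PATTERN_UNANCHORED)]:
        print(f"{label:12} {pat:26} -> {matched_values(pat, SAMPLES)}")
```

Run as a script it prints, for each form, which of the sample strings it accepts; the anchored alternation is the one that accepts each of the four IDs and nothing longer.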