Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Issue - Rule Creation Logic vs nDepth Logic


I've been having an issue working with nDepth to perform log searches vs. working in the Rule builder.


When I create a Rule, the logic allows me to pull in logs from various different event sources, including mixing correlation rules with fields from Event Group > Any Alert with fields from Event > TCPTrafficAudit/etc., and there don't seem to be any issues. Rules trigger as you would expect.


However, when I take my rule logic and try to create a 1-to-1 nDepth search, the logic doesn't function the same, and the query either refuses to build or returns no results. I have determined the cause to be mixing event sources. For instance, you cannot mix fields in "TCPPortScan" with fields from "MailServiceAccess" or "Any Event" in nDepth without getting completely unreliable results.


Is this a known issue? I would like to be able to test my correlation rule logic by doing a manual search of the rule logic in nDepth over the last day/week/etc., but this seems impossible in the current iteration of the product.


Has anybody else had this issue and found a workaround?
