Here's a screenshot comparing a quick rule I threw together to demonstrate mixing fields from different event sources in rule creation, and that it isn't possible to create a 1-to-1 nDepth search since the nDepth search creation tool will not allow you to drag disparate event fields into the same group:
The rule on the left generates incidents, so I know that it is finding logs that match the criteria. However, the nDepth search on the right returns 0 results over the same time frame.
I'm basically looking for a way to test new correlation rules that I am creating against historical log data to see what logs trigger the correlation rule. I had hoped I would be able to feed the rule logic into the nDepth search to go back over the last day/week/etc., but I am running into this problem. I have to resort to creating a rule and just waiting to see what incidents will trigger in the future. Is there a way to accomplish what I'm trying to do?