danielv · Security Architect · ✭✭✭✭✭

Comments

  • Here's a screenshot comparing a quick rule I threw together to demonstrate mixing fields from different event sources in rule creation, and that it isn't possible to create a 1-to-1 nDepth search since the nDepth search creation tool will not allow you to drag disparate event fields into the same group: The rule on the…
  • Just tried this. Custom event groups can be used in correlations; however, when going into the advanced thresholds settings, you cannot select Source IP from within your custom event group to restrict events with the "same" modifier. So, using the custom event groups only gets me halfway there.