The nDepth search, starting from a filter, is great: you can take a known issue and see if it occurred in a particular time. The problem is when you're in nDepth and are digging into an issue, and once you find it, you wish you could make a filter or rule for it.
For example:
In nDepth, start searching for Cisco devices, then look for logons, then identify the administrators. Now roll this back to a filter or a rule to be notified when an admin logs on to the devices.