All operations function on event fields, which can be referred to by their labels or by their short tags within the correlation rule language. For a full list of labels and short tags, see Section 1.2, List of Fields and Representations. The label or metatag must also be combined with a prefix to designate whether the event field is part of the incoming event or a past event that is stored in memory.
Examples:
e.DestinationIP (Destination IP for the current event)
e.dip (Destination IP for the current event)
w.dip (Destination IP for any stored event)
WARNING: If you rename the label of a metatag, do not use the original label name when creating a correlation rule.