All operations act on event fields, which can be referred to in the rule expression either by name or by ID. For the full list of event field names and their IDs, click Tips in the top right corner of the Sentinel Main interface.
The field name or ID must also carry a prefix that designates whether it belongs to the current event (e) or to a past event held in memory. For the Window operator, the stored events use the prefix (w).
Examples:
e.dip (Destination IP of the current event)
w.dip (Destination IP of any stored event)
IMPORTANT: If you rename an event field with the Event Configuration utility in the Sentinel Control Center, use the new name when writing rules. In all cases, rules are stored internally with the fixed field IDs; the names are translated dynamically when a rule is displayed, so renaming a field does not invalidate rules that were written under the old name.
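To make the e./w. prefixes and the name-versus-ID distinction concrete, the following is an added example in Python; it is not Sentinel's own code. Its rule grammar (comparisons joined by "and", "=" for equality), its name-to-ID table and its sample events are all constructed for illustration and are not the real Sentinel field list or rule language. It normalizes a rule to fixed IDs once, evaluates it against a current event and a window of stored events, and then shows that renaming a field changes only how the stored rule is displayed and which names are accepted.

```python
import re

# Constructed name<->ID table for this example (assumption, not Sentinel's
# real field list; the real one is under Tips in Sentinel Main).
FIELD_IDS = {"DestinationIP": "dip", "SourceIP": "sip", "Severity": "sev"}

# e.<field> or w.<field>, where <field> may be a display name or an ID.
REF = re.compile(r"\b([ew])\.([A-Za-z_][A-Za-z0-9_]*)\b")
# One comparison: <operand> <op> <operand>.
CMP = re.compile(r"^\s*([^\s=<>!]+)\s*(!=|>=|<=|=|>|<)\s*(\S+)\s*$")
OPS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
}


def normalize(expr, field_ids=FIELD_IDS):
    """Rewrite each e./w. reference to its fixed ID. A reference may use the
    display name or the ID; the result uses IDs only, which is the form the
    rule is kept in, so a later rename does not touch it."""
    ids = set(field_ids.values())

    def to_id(m):
        prefix, field = m.groups()
        if field in ids:
            return f"{prefix}.{field}"
        if field in field_ids:
            return f"{prefix}.{field_ids[field]}"
        raise KeyError(f"unknown event field: {field}")

    return REF.sub(to_id, expr)


def display(stored_expr, field_ids=FIELD_IDS):
    """Render a stored, ID-based rule with whatever names are configured now."""
    names = {fid: name for name, fid in field_ids.items()}
    return REF.sub(lambda m: f"{m.group(1)}.{names[m.group(2)]}", stored_expr)


def _operand(token, current, past):
    """Resolve a token to a value: e.* from the current event, w.* from the
    stored event under consideration, otherwise a quoted string or integer."""
    m = REF.fullmatch(token)
    if m:
        event = current if m.group(1) == "e" else past
        return event[m.group(2)]
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    return int(token)


def matches(stored_expr, current, window):
    """Evaluate an ID-based rule of comparisons joined by ' and '. e.* reads
    the current event; w.* is tried against every stored event and the rule
    fires if all comparisons hold for at least one of them. A rule with no
    w.* reference is evaluated against the current event alone."""
    clauses = [CMP.match(c).groups() for c in stored_expr.split(" and ")]
    uses_window = any(prefix == "w" for prefix, _ in REF.findall(stored_expr))
    candidates = window if uses_window else [{}]
    for past in candidates:
        if all(OPS[op](_operand(lhs, current, past), _operand(rhs, current, past))
               for lhs, op, rhs in clauses):
            return True
    return False


# Constructed sample events keyed by field ID (not captured Sentinel data).
CURRENT = {"dip": "10.0.0.5", "sip": "192.0.2.9", "sev": 4}
WINDOW = [
    {"dip": "10.0.0.7", "sip": "192.0.2.9", "sev": 2},
    {"dip": "10.0.0.5", "sip": "198.51.100.3", "sev": 5},
]

if __name__ == "__main__":
    # Names and IDs may be mixed when writing; storage is ID-only.
    rule = normalize("e.DestinationIP = w.dip and e.Severity >= 3")
    print(rule)
    print(matches(rule, CURRENT, WINDOW))
    # Rename DestinationIP -> DstIP in the "event configuration": the stored
    # rule is unchanged, only its rendering and the accepted names change.
    renamed = {"DstIP": "dip", "SourceIP": "sip", "Severity": "sev"}
    print(display(rule, renamed))
    print(normalize("e.DstIP = w.DstIP", renamed))
```

The split into normalize (write time) and display (view time) is the point of the IMPORTANT note above: a rule written as e.DestinationIP before the rename and one written as e.DstIP after it normalize to the same stored text, so both keep matching the same events.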