The criteria in the "not exists" are specifying the types of IPSecTrafficAudits that the rule "remembers" - basically you need to tell the rule how to cancel your other event out, otherwise ANY IPSecTrafficAudit will cancel your rule out which isn't what you want. It's not really linear, it's more like a "grouping" of information about that IPSecTrafficAudit that refines your rule criteria.
Line 4 is similar - this tells the rule engine that in order for the IPSecTrafficAudit to cancel out your other event, it needs to match on the SourceMachine. Otherwise, you'll find ANY tunnel coming back up will cancel out ANY tunnel going down, which means you won't be able to track a specific tunnel.