It is possible to configure more than 100 values into express or groups. Regex is used to match or ignore the pattern configured.
The Evaluation process follows the method:
for rule in rules:
if not g in groups
return
for i in ignores:
if i.match(event_data):
return
for p in patterns:
if p.match(event_data):
return
To improve the performance of the evaluation process:
If the indexing is not near real-time the regexes are not expecting any performance impact in an active connection.
From the above code if most used patterns are recorded at the beginning of the list the evaluation will faster than
in the random recording pattern list. (tips to optimize the evaluation)
The group matching is checking the element in the given group list so it is relative a fast function so there will be not a much impact factor.
The most performance impacted task is creating the event_datas from the recorded audit.
Please evaluate this manually to understand the rules impact, this is because the recorded audit will be different for all customers records.