bfuzzy / auditd-attack

A Linux Auditd rule set mapped to MITRE's Attack Framework
MIT License
778 stars 127 forks

Question: Performance footprint #1

Closed. danmx closed this issue 6 years ago

danmx commented 6 years ago

What is the performance impact of having so many audit.rules?

bfuzzy commented 6 years ago

Probably huge. I don't have all the info on this yet. I am working on getting something set up to reliably test performance if all the rules are enabled. I do not recommend enabling all the rules in the set, but using it as a starting point for detection coverage.
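One concrete way to watch the footprint bfuzzy is talking about, added here as an example that is not part of this thread or of the repository's rule set: it parses the key/value status that `auditctl -s` prints (field names as documented in auditctl(8); the status lines and the audit.rules fragment below are constructed samples) and reports whether the kernel is losing events or running a nearly full backlog under the loaded rules.

```shell
#!/bin/sh
# Added example: gauge whether a loaded auditd rule set is dropping events.
# Inputs are constructed samples in the shape `auditctl -s` and audit.rules use.

# Constructed `auditctl -s` output from a host under audit pressure.
STATUS_BUSY='enabled 1
failure 1
pid 612
rate_limit 0
backlog_limit 8192
lost 37
backlog 6102
backlog_wait_time 60000'

# Constructed `auditctl -s` output from a lightly loaded host.
STATUS_IDLE='enabled 1
failure 1
pid 612
rate_limit 0
backlog_limit 8192
lost 0
backlog 12
backlog_wait_time 60000'

# Constructed audit.rules fragment: comments and blank lines are not rules.
RULES_SAMPLE='## Process execution
-a always,exit -F arch=b64 -S execve -k exec

# Identity files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity'

# status_field STATUS NAME -> value on the line whose first word is NAME.
status_field() { printf '%s\n' "$1" | awk -v k="$2" '$1==k {print $2; exit}'; }

# audit_pressure STATUS -> "lost=N backlog=N/LIMIT pct=P verdict=OK|DEGRADED".
# Any lost event, or a backlog at 75% or more of backlog_limit, means the
# kernel cannot hand events to auditd fast enough: the rule set is too
# costly for the host, or backlog_limit is too small for it.
audit_pressure() {
  lost=$(status_field "$1" lost)
  backlog=$(status_field "$1" backlog)
  limit=$(status_field "$1" backlog_limit)
  pct=$(( backlog * 100 / limit ))
  verdict=OK
  if [ "$lost" -gt 0 ] || [ "$pct" -ge 75 ]; then verdict=DEGRADED; fi
  printf 'lost=%s backlog=%s/%s pct=%s verdict=%s\n' "$lost" "$backlog" "$limit" "$pct" "$verdict"
}

# rule_count RULES_TEXT -> number of active (non-comment, non-blank) rule lines.
rule_count() { printf '%s\n' "$1" | grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$'; }
```

On a live host, run `audit_pressure "$(auditctl -s)"` before and after loading a rule subset; a verdict that flips to DEGRADED under normal workload is the signal that the subset is too expensive as-is.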