I think this is interesting, and I'll have to ask my devs if they know of a limit, but... I think it all comes down to how you're achieving it.
For example, let's say that you want a rule to capture anything BUT certain events from a certain IP. You might make a rule like this:
Now, this is a terrible rule, because it uses "Any Alert" and your LEM will certainly be unhappy with it. A better plan would be to make a custom Event Group that had all the things you care about:
So I've "nested" a lot of conditions into one correlation instead of having multiple correlations. I can apply this same logic to rules using User Defined Groups, Connector Profiles and Directory Service Groups. So instead of this:
(And I have no idea what those event IDs actually are, they're made up for this example...)
I could make a UDG like this:
And then use that in the rule instead:
And then I can combine them for utter madness!
If you want an example of nesting groups and conditions to the nth degree, there is a template in LEM I like to show people called "Worm Activity with Response," and it looks like this:
It's only a couple layers deep, but it's looking for 3 different thresholds (1 event of some type with 5 events of another with 10 of a third) and it's comparing and contrasting 3 different events with each other at the same time.
Update: I asked a dev, and the answer is basically, "The more correlations you want to add, the more memory the rules engine needs. How much memory do you want to throw at the LEM?"
Using groups as described will reduce the resource requirements, so it's worth it to try being clever with rule design.
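The two rule shapes the post describes (an "anything but these events from these hosts" rule built from groups, and a multi-threshold correlation like "Worm Activity with Response") can be sketched in plain code to show what the rules engine has to keep in memory. The following Python is an added illustration written for this page; it is not part of the original post and is not LEM's rule engine. The `Event` class, the group names (`AUTH_EVENTS`, `NOISY_IPS`, `WORM_THRESHOLDS`), the event type strings and the sample events are all constructed for the example.

```python
"""Illustrative correlation sketch (added example, not SolarWinds LEM code).

Shows why one rule over a group is cheaper than one rule per member: the
"all but" rule is a single set test, and the threshold rule tracks one
sliding window per source IP instead of one correlation per event type.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Event:
    """Minimal normalized event (hypothetical schema for this example)."""
    event_type: str
    src_ip: str
    ts: int  # seconds since the start of the sample


# Hypothetical stand-ins for a custom Event Group and a User Defined Group.
AUTH_EVENTS: FrozenSet[str] = frozenset({"UserLogon", "UserLogonFailure", "UserLogoff"})
NOISY_IPS: FrozenSet[str] = frozenset({"10.0.0.5"})

# Hypothetical "worm activity" thresholds: 1 of one type, 5 of another, 10 of a third.
WORM_THRESHOLDS: Dict[str, int] = {"NewProcess": 1, "FileWrite": 5, "TCPConnect": 10}


def rule_all_but(events: Iterable[Event], event_group: FrozenSet[str],
                 ignored_ips: FrozenSet[str]) -> List[Event]:
    """Report every event EXCEPT members of event_group coming from ignored_ips.

    One condition with two groups replaces a separate rule for every
    (event type, IP) pair, and avoids an 'Any Alert' catch-all.
    """
    return [e for e in events
            if not (e.event_type in event_group and e.src_ip in ignored_ips)]


def rule_threshold(events: Iterable[Event], thresholds: Dict[str, int],
                   window_secs: int) -> Set[str]:
    """Return the source IPs for which every threshold is met within one window.

    For each IP, slide a window starting at each of its events and count the
    event types named in thresholds; fire once all counts are reached.
    """
    by_ip: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_ip.setdefault(e.src_ip, []).append(e)

    fired: Set[str] = set()
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            counts: Counter = Counter()
            for e in evs[i:]:
                if e.ts - start.ts > window_secs:
                    break
                if e.event_type in thresholds:
                    counts[e.event_type] += 1
            if all(counts[t] >= n for t, n in thresholds.items()):
                fired.add(ip)
                break
    return fired


# Constructed sample input for the example.
SAMPLE_EVENTS: List[Event] = [
    # Auth chatter from the noisy host: the thing we want to suppress.
    Event("UserLogonFailure", "10.0.0.5", 0),
    Event("UserLogonFailure", "10.0.0.5", 1),
    Event("UserLogoff", "10.0.0.5", 2),
    # Same event type from a different host: must still be reported.
    Event("UserLogonFailure", "10.0.0.9", 3),
    # Non-auth event from the noisy host: must still be reported.
    Event("NewProcess", "10.0.0.5", 4),
    # Worm-like burst from one host inside 30 seconds.
    *[Event("TCPConnect", "192.168.1.20", 100 + i) for i in range(10)],
    *[Event("FileWrite", "192.168.1.20", 105 + i) for i in range(5)],
    Event("NewProcess", "192.168.1.20", 112),
    # Plain scanner: many connects but no file writes or new processes.
    *[Event("TCPConnect", "192.168.1.30", 200 + i) for i in range(12)],
]


if __name__ == "__main__":
    kept = rule_all_but(SAMPLE_EVENTS, AUTH_EVENTS, NOISY_IPS)
    print(f"all-but rule kept {len(kept)} of {len(SAMPLE_EVENTS)} events")
    print("worm thresholds fired for:", rule_threshold(SAMPLE_EVENTS, WORM_THRESHOLDS, 30))
```

Run it directly to see both rules evaluated over the sample. Shrinking `window_secs` below the spread of the burst (here, to 5 seconds) makes the threshold rule go quiet, which is the tuning knob a correlation like the worm template depends on.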