Alex Teixeira
1 min read · Jan 11, 2024


Hey Simon, thanks for that!

There are some time-sensitive detections that will directly rely on log time order/sequence. If you assume logs might arrive out of order, your logic may not ever trigger either.

You can always rely on index time only, but still, if you embed or stuff your log time logic inside that index time session, you may miss parts of the log time based chain of events.

It sounds complicated, and it sometimes is.

So before making it hyper-complicated to maintain with many time tricks, it's easier to accept some logs will be missed without compromising the logic to detect a solid, context-rich alert.

Since you cannot control how, for instance, a cloud vendor should ship those logs, I might opt for waiting as much as I can before running against a (shifted) scanned window, when chances are the delayed logs should have already arrived.

In that case, I'm fine accepting some tolerable delay and shift that scanned window backwards.

Hope that's clear. Cheers!
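The trade-off described in this reply, a sequence-based detection evaluated over a scanned window that is shifted backwards by a tolerated delay, as an added example that is not part of the original response. The events, timestamps, principal names and the "login then role escalation" chain are all constructed for illustration; the scheduler is a simulation, not any SIEM's own search API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    principal: str
    action: str
    log_time: datetime    # timestamp set by the source (event time)
    index_time: datetime  # when the SIEM actually ingested the record


def ts(hhmm: str) -> datetime:
    # Helper for the constructed sample: every time is on 2024-01-11 UTC.
    return datetime(2024, 1, 11, int(hhmm[:2]), int(hhmm[3:]), tzinfo=timezone.utc)


# Constructed sample: a service account logs in and is granted an elevated role
# three minutes later, but the escalation record reaches the SIEM 15 minutes late.
SAMPLE = [
    Event("svc-build", "login_success",   ts("11:40"), ts("11:41")),
    Event("svc-build", "role_escalation", ts("11:43"), ts("11:58")),  # delayed by the vendor
    Event("alice",     "login_success",   ts("11:50"), ts("11:51")),
]


def scan_window(now, length, tolerance):
    """Log-time window for a run at `now`, shifted back by `tolerance`."""
    end = now - tolerance
    return end - length, end


def events_in_scope(events, now, length, tolerance):
    """Events already indexed at `now` whose log_time falls inside the shifted window."""
    start, end = scan_window(now, length, tolerance)
    return sorted(
        (e for e in events if e.index_time <= now and start <= e.log_time < end),
        key=lambda e: e.log_time,  # the sequence logic runs on log-time order
    )


def detect_chain(events, first, second, max_gap):
    """Alert when `second` follows `first` for the same principal within `max_gap` (log time)."""
    pending = {}  # principal -> log_time of the latest unmatched `first`
    alerts = []
    for e in events:
        if e.action == first:
            pending[e.principal] = e.log_time
        elif e.action == second and e.principal in pending:
            gap = e.log_time - pending[e.principal]
            if timedelta(0) <= gap <= max_gap:
                alerts.append((e.principal, pending.pop(e.principal), e.log_time))
    return alerts


def run_schedule(events, run_times, length, tolerance, first, second, max_gap):
    """Simulate consecutive scheduled runs and return every alert they raise."""
    alerts = []
    for now in run_times:
        in_scope = events_in_scope(events, now, length, tolerance)
        alerts.extend(detect_chain(in_scope, first, second, max_gap))
    return alerts


RUNS = [ts("11:50"), ts("12:00"), ts("12:10")]      # 10-minute cadence
LENGTH = timedelta(minutes=10)                       # contiguous 10-minute windows
CHAIN = ("login_success", "role_escalation", timedelta(minutes=10))

# Chasing the edge of "now": the late record is indexed only after its log-time
# window has already been scanned, so the chain never triggers.
NO_TOLERANCE = run_schedule(SAMPLE, RUNS, LENGTH, timedelta(0), *CHAIN)

# Same cadence, scanned window shifted back 15 minutes: by the time the window
# covering 11:35-11:45 is evaluated, both halves of the chain have arrived.
WITH_TOLERANCE = run_schedule(SAMPLE, RUNS, LENGTH, timedelta(minutes=15), *CHAIN)

if __name__ == "__main__":
    print("no tolerance  :", NO_TOLERANCE)
    print("15 min shifted:", WITH_TOLERANCE)
```

The shifted run alerts roughly 17 minutes after the escalation happened instead of never; that delay is the "tolerable" cost the reply accepts. Whatever tolerance you pick, also make the window length match the cadence so consecutive runs stay contiguous, otherwise the shift itself opens gaps.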


Written by Alex Teixeira

I design and build detection and SIEM/EDR/XDR content for Enterprise #SecOps teams #DetectionEngineering http://opstune.com
