What exactly is happening with "out of order entry" logs? Does it have something to do with when the agent forwards logs to IDR? I see it most within the Asset Authentication logs.
The "out of order entry" label is a default label that gets applied to logs which appear to come in out of time sequence. It's a red herring in this case: because there are multiple sources of data (Endpoint Agents) being streamed into a single log in log search, the likelihood of events coming in out of direct time sequence is high.
If your log were only receiving events from a single source (take a look at another log with just one source), then the label would be useful and make more sense, because the single stream of events would need to have logs coming in out of order. But with multiple sources streaming events simultaneously, and as we process the events from the agent in parallel, they will often come in labeled "out of order".
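To illustrate the point made in this answer, here is an added example (not InsightIDR code; the log line format, hostnames and timestamps are constructed) that checks for timestamp regressions once across the merged log and once per source. The merged view reports "out of order" entries that the per-source view shows are nothing more than interleaving.

```python
"""Why a merged multi-agent log shows "out of order" entries that are not real.

Added example for this thread, not InsightIDR code. The line layout
"<ISO timestamp> <source> <event>" is a hypothetical format chosen for the
demonstration, and every line below is constructed.
"""
from datetime import datetime

# Constructed sample: three endpoint agents streaming into one log, listed in
# the order the lines arrived at the collector. Each agent is internally in
# sequence; only the interleaving makes timestamps step backwards.
ARRIVED = [
    "2024-03-01T10:00:00Z host-a login user=alice",
    "2024-03-01T10:00:03Z host-b login user=bob",
    "2024-03-01T10:00:01Z host-a logoff user=alice",  # earlier than host-b's line above
    "2024-03-01T10:00:02Z host-c login user=carol",
    "2024-03-01T10:00:05Z host-b logoff user=bob",
    "2024-03-01T10:00:04Z host-c logoff user=carol",
]


def parse(line):
    """Split one constructed log line into (timestamp, source, event text)."""
    ts, source, event = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, event


def out_of_order(lines, per_source=False):
    """Return indexes of lines whose timestamp is earlier than the latest
    timestamp already seen (a high-water mark).

    per_source=False mimics a label applied to the merged log: every step back
    in time, whichever agent it came from, is flagged.
    per_source=True keeps one high-water mark per agent, so only a genuine
    regression within a single agent's stream is flagged.
    """
    high_water = {}
    flagged = []
    for index, line in enumerate(lines):
        ts, source, _ = parse(line)
        key = source if per_source else "merged"
        if key in high_water and ts < high_water[key]:
            flagged.append(index)
        high_water[key] = max(high_water.get(key, ts), ts)
    return flagged


if __name__ == "__main__":
    print("merged log flags:", out_of_order(ARRIVED))            # [2, 3, 5]
    print("per-source flags:", out_of_order(ARRIVED, True))      # []
```

Running the per-source check before investigating an "out of order" label separates interleaving from a real sequencing problem on one agent.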