Detect incidents are not shown immediately after the events that should trigger a sequence have occurred.
One requirement of the UBA processing method used by Detect is that the events used for analysis are processed in time order.
Events from "API" data sources arrive with varying delay, so the UBA has to wait for a period before examining a given stretch of time, so that late-arriving events are still considered. For example, an "Upload" event that happened at 3:01pm may not arrive in Elastica, and therefore in the UBA, until 3:47pm. If the UBA tried to process the events for 3:01pm at 3:05pm, that event would not yet be available and CloudSOC (CSOC) would miss it during the UBA's analysis. The UBA therefore applies a reasonable "window of grace": it waits for incoming events to actually arrive before processing all of the events that fall in a particular window. Because of this, there is always an inherent, longer delay before "API" events are processed and any resulting Detect incidents appear.
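The grace-window behaviour described above, as an added illustration that is not CloudSOC or UBA code: a small event-time processor that hands events to analysis in time order and closes each window only after the grace period has elapsed, replayed over a constructed day of events in which the Upload record arrives 46 minutes late. The 5-minute window width, the grace values, the sequence rule (Upload followed by Share within 10 minutes) and all event data are assumptions made for the illustration, not Detect's actual parameters.

```python
# Added example (not CloudSOC/Elastica code): how a grace window lets a
# time-ordered analysis include late-arriving API events, and what it costs.
# Window width, grace values, the rule and all events are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    event_time: datetime    # when the action happened in the cloud app
    arrival_time: datetime  # when the API record reached the analysis engine
    user: str
    action: str


ORIGIN = datetime(2024, 1, 1)  # constructed sample day


def hm(hhmm: str) -> datetime:
    """Timestamp on the sample day from 'HH:MM'."""
    h, m = hhmm.split(":")
    return ORIGIN.replace(hour=int(h), minute=int(m))


# Constructed sample: alice's Upload happened at 15:01 but its API record
# only arrives at 15:47; her Share at 15:03 arrives almost immediately.
SAMPLE_EVENTS = [
    Event(hm("15:01"), hm("15:47"), "alice", "Upload"),
    Event(hm("15:02"), hm("15:03"), "bob", "Download"),
    Event(hm("15:03"), hm("15:04"), "alice", "Share"),
]


def align(ts: datetime, width: timedelta) -> datetime:
    """Round ts down to the start of its fixed-width window."""
    return ORIGIN + ((ts - ORIGIN) // width) * width


class GraceWindowProcessor:
    """Hands events to analysis in event-time order, one window at a time.
    A window is analysed only once wall-clock time passes its end plus the
    grace period; events for an already-analysed window are dropped."""

    def __init__(self, width: timedelta, grace: timedelta):
        self.width, self.grace = width, grace
        self.pending: List[Event] = []    # arrived, window still open
        self.processed: List[Event] = []  # handed to analysis, in event-time order
        self.dropped: List[Event] = []    # arrived after their window had closed
        self.batches: List[Tuple[datetime, List[Event]]] = []  # (wall clock, events)
        self.closed_until = datetime.min  # everything before this is analysed

    def ingest(self, ev: Event) -> None:
        if ev.event_time < self.closed_until:
            self.dropped.append(ev)  # too late: its window is already analysed
        else:
            self.pending.append(ev)

    def advance(self, now: datetime) -> None:
        new_closed = align(now - self.grace, self.width)
        if new_closed <= self.closed_until:
            return
        batch = sorted((e for e in self.pending if e.event_time < new_closed),
                       key=lambda e: e.event_time)
        self.pending = [e for e in self.pending if e.event_time >= new_closed]
        self.processed.extend(batch)
        if batch:
            self.batches.append((now, batch))
        self.closed_until = new_closed


def detect_sequence(events, first, second, within):
    """Flag users who do `second` within `within` of a prior `first`.
    Correct only if `events` is in event-time order."""
    last_first: Dict[str, datetime] = {}
    hits = []
    for ev in events:
        if ev.action == first:
            last_first[ev.user] = ev.event_time
        elif (ev.action == second and ev.user in last_first
              and ev.event_time - last_first[ev.user] <= within):
            hits.append((ev.user, last_first[ev.user], ev.event_time))
    return hits


def run(grace_minutes: int, events=SAMPLE_EVENTS):
    """Replay the sample day minute by minute with 5-minute windows and the
    given grace period; report what the analysis saw and when."""
    proc = GraceWindowProcessor(timedelta(minutes=5), timedelta(minutes=grace_minutes))
    by_arrival = sorted(events, key=lambda e: e.arrival_time)
    now, end, i = hm("15:00"), hm("17:00"), 0
    while now <= end:
        while i < len(by_arrival) and by_arrival[i].arrival_time <= now:
            proc.ingest(by_arrival[i])
            i += 1
        proc.advance(now)
        now += timedelta(minutes=1)
    share_at = next(t for t, b in proc.batches if any(e.action == "Share" for e in b))
    return {
        "order": [e.action for e in proc.processed],
        "dropped": [e.action for e in proc.dropped],
        "incidents": detect_sequence(proc.processed, "Upload", "Share", timedelta(minutes=10)),
        "share_analysed_at": share_at,  # wall-clock time the Share was analysed
    }


if __name__ == "__main__":
    for g in (0, 60):
        print(f"grace={g:>2} min:", run(g))
```

With no grace period the 15:00 window is analysed at 15:05, before the Upload record has arrived; the Upload is dropped and the Upload-then-Share sequence is never detected. With a 60-minute grace period the Upload is included and the sequence is detected, but only at 16:05 wall-clock time, which is the inherent delay the article describes.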
Allow sufficient time for the processing method used by Detect to analyze the events and raise Detect incidents.