Searching the ICDx archive shows some events from the Symantec Endpoint Protection Manager (SEPM) collector with a Collected Time and Event Time far apart from each other.
On initial configuration and startup, the SEPM collector will collect all available events from the SEPM database if configured to do so. Following initial data collection, only new events since the last collector checkpoint will be collected.
Release: 1.4
Component: SEPM collector
If events with a significant gap between Event Time and Collected Time appear in the ICDx data archive, these events were returned by the SEPM database at the time logged in the Collected Time field.
If the SEPM database continues to return old events to the ICDx collector, please export the events in question to a JSON file via the "down arrow" icon and open a support case for the ICDx product.
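Before opening a case, it helps to separate old events that arrived during the initial full collection from old events that arrived afterwards. The following is an added example, not Symantec code: it assumes the export is a JSON array of objects with ISO 8601 timestamps under the hypothetical keys `event_time` and `collected_time`, and the one-hour lag threshold and six-hour backfill window are likewise assumptions to adjust.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export. The JSON-array layout, the key names
# "event_time"/"collected_time" and the ISO 8601 format are assumptions;
# change them to match the keys in the real exported file.
SAMPLE_EXPORT = json.dumps([
    {"id": 1, "event_time": "2020-01-05T08:00:00+00:00", "collected_time": "2020-03-01T10:00:05+00:00"},
    {"id": 2, "event_time": "2020-02-11T14:30:00+00:00", "collected_time": "2020-03-01T10:00:09+00:00"},
    {"id": 3, "event_time": "2020-03-02T09:00:00+00:00", "collected_time": "2020-03-02T09:00:40+00:00"},
    {"id": 4, "event_time": "2020-01-20T11:00:00+00:00", "collected_time": "2020-03-04T16:20:00+00:00"},
    {"id": 5, "event_time": "not-a-date", "collected_time": "2020-03-04T16:21:00+00:00"},
])

def parse(ts):
    return datetime.fromisoformat(ts)

def triage(export_text, first_run, max_lag=timedelta(hours=1),
           backfill_window=timedelta(hours=6),
           event_key="event_time", collected_key="collected_time"):
    """Sort exported events into expected backfill, late old events and unparseable records."""
    result = {"backfill": [], "late_old": [], "unparsed": []}
    start = parse(first_run)  # when the collector was first started
    for ev in json.loads(export_text):
        try:
            event_t, collected_t = parse(ev[event_key]), parse(ev[collected_key])
            lag = collected_t - event_t
            since_start = collected_t - start
        except (KeyError, TypeError, ValueError):
            result["unparsed"].append(ev.get("id"))
            continue
        if lag <= max_lag:
            continue  # collected promptly: normal checkpoint-based collection
        # Old event: expected only while the initial full collection runs.
        if timedelta(0) <= since_start <= backfill_window:
            result["backfill"].append(ev.get("id"))
        else:
            result["late_old"].append(ev.get("id"))
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_EXPORT, first_run="2020-03-01T10:00:00+00:00"))
```

Events listed under `late_old` are the ones to include in the export attached to the support case.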