Recent events coming in from the EDR sensor have old timestamps. 

• Carbon Black EDR Console: All Versions
• Carbon Black EDR Sensors: All Versions

Timestamps are collected from the operating system the endpoint is installed on. Here are some possible causes

• Time on the endpoint itself incorrect. 
• BIOS battery is dead. On startup the timestamp is incorrect, but later get's corrected as it hits a NTP server. 
• Primary/Golden image was taken down with events still stored. As clones are created, they send those events upon connecting to the EDR server. 
• Sensor has been unable to connect up for a long time. The sensor will hold onto the oldest data and drop new data after the disk quota is hit. 
• High event backlog. 

• Alerts are based on the server added timestamp. The watchlist search job completion timestamp is stored in postgres, on the next run it will start the search for any event added to the server since that last run until the job completes. It is not based on the timestamp the event happened on the machine.