https://live.paloaltonetworks.com/t5/advanced-threat-prevention/connection-to-self-events-data-microsoft-com-onecollector-1-0-is/m-p/464056#M1490 <P>Thank you so so much. This answer was very very useful to me.</P><P class="lia-align-right"><A href="https://friday-nightfunkin.com" target="_self"><FONT size="1 2 3 4 5 6 7" color="#FFFFFF">friday night funkin</FONT></A></P> Tue, 08 Feb 2022 03:25:43 GMT mikalozano 2022-02-08T03:25:43Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/connection-to-self-events-data-microsoft-com-onecollector-1-0-is/m-p/458167#M1460 <P data-unlink="true">Hi, anybody knows why connection to&nbsp;<STRONG>self.events.data.microsoft.com/OneCollector/1.0/</STRONG>&nbsp;&nbsp;is being flagged as log4j by Palo Alto firewall?&nbsp;</P><P>&nbsp;</P><P>Threat:&nbsp;Apache Log4j Remote Code Execution Vulnerability(92004)</P><P>Threat ID:&nbsp;92004</P><P>Threat Category: code-execution</P><P>&nbsp;</P><P>I believe this is telemetry from Microsoft products, probably MS Office. Appreciate if anybody can help to explain.</P><P>&nbsp;</P><P>Thank you.&nbsp;</P><P>&nbsp;</P> Wed, 12 Jan 2022 05:28:53 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/connection-to-self-events-data-microsoft-com-onecollector-1-0-is/m-p/458167#M1460 Zakuan 2022-01-12T05:28:53Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/connection-to-self-events-data-microsoft-com-onecollector-1-0-is/m-p/458717#M1462 <P>Hi&nbsp;</P><P>&nbsp;</P><P>The Palo will just be recognising a certain pattern of traffic leaving the device to an untrusted network, this traffic obviously matches that and it is flagging, according to Alienvault here&nbsp;<A href="https://otx.alienvault.com/indicator/hostname/self.events.data.microsoft.com" target="_blank" rel="noopener">https://otx.alienvault.com/indicator/hostname/self.events.data.microsoft.com</A>&nbsp;you are correct and this is a benign site, if this is causing you issues with logging or indeed connectivity, you could bypass that url as a trusted entity.</P><P>However I should also say that although it is whitelisted, you should check further to confirm that the hosts the traffic is coming from are expected, not Linux servers for instance, and then only tune it out for those hosts if you are completely sure that is the best thing to do, Alienvault also shows that some malicious files have been seen on that URL and this is fairly normal for telemetry URL's as hacker will always try and get stuff across "trusted" or default connectivity.</P><P>As always don't whitelist anything like this unless you are sure, I am not aware of your environment and so would never say to do it on my say so!</P> Fri, 14 Jan 2022 09:08:55 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/connection-to-self-events-data-microsoft-com-onecollector-1-0-is/m-p/458717#M1462 laurence64 2022-01-14T09:08:55Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/connection-to-self-events-data-microsoft-com-onecollector-1-0-is/m-p/464056#M1490 <P>Thank you so so much. This answer was very very useful to me.</P><P class="lia-align-right"><A href="https://friday-nightfunkin.com" target="_self"><FONT size="1 2 3 4 5 6 7" color="#FFFFFF">friday night funkin</FONT></A></P> Tue, 08 Feb 2022 03:25:43 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/connection-to-self-events-data-microsoft-com-onecollector-1-0-is/m-p/464056#M1490 mikalozano 2022-02-08T03:25:43Z