PASSED
security / firewall_misconfiguration

Windows Firewall Rule Allowing All Inbound

A misconfigured Windows Firewall rule is allowing all inbound traffic on all ports. The rule was created by an installer and overrides the default block.

Pattern
EXCHANGE_EVENT
Expected: FIREWALL_MISCONFIGURATION
Severity
HIGH
Confidence
68%
Remediation
Auto-Heal

Test Results

Metric               | Expected                  | Actual
Pattern Recognition  | FIREWALL_MISCONFIGURATION | EXCHANGE_EVENT
Severity Assessment  | CRITICAL                  | HIGH
Incident Correlation | N/A                       | None
Cascade Escalation   | N/A                       | No
Remediation          | Auto-Heal — Corax resolves autonomously

Scenario Conditions

Windows Server 2022. New rule 'AppInstaller-AllowAll' with action Allow, direction Inbound, any protocol, any port, any remote address. Created 2 hours ago.

Injected Error Messages (1)

Windows Firewall misconfiguration — rule 'AppInstaller-AllowAll' allowing ALL inbound traffic on all ports, created 2 hours ago by SYSTEM, overrides default block, server fully exposed

Neural Engine Root Cause Analysis

Microsoft Exchange event detected — mail flow may be disrupted with messages queuing, a mailbox database has failed to mount or has failed over within the DAG, or OWA/ECP is inaccessible. Exchange issues directly impact email communication for all affected users and can indicate underlying storage, network, or Active Directory problems.

Remediation Plan

1. Check mail queue status with 'Get-Queue' in Exchange Management Shell for backed-up messages.
2. For database mount failures, run 'Get-MailboxDatabaseCopyStatus' to check DAG copy health and replay queue length.
3. Verify Exchange services are running with 'Test-ServiceHealth' on all Exchange servers.
4. For OWA issues, check IIS application pool status and run 'Test-OwaConnectivity'.
5. Review Application and System event logs on Exchange servers for correlated errors.

Improvements Applied

  • Pattern classified as EXCHANGE_EVENT (expected FIREWALL_MISCONFIGURATION)
  • Severity: HIGH (expected CRITICAL)
Tested: 2026-04-02
Monitors: 1 | Incidents: 1
Test ID: cmnhnoo5z0015lig7o2zs8w6n