OpenCanary - NMAP XMAS Scan

Jan 24, 2026 · attack.discovery attack.t1046 ·

Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan

Sigma rule (View on GitHub)

 1title: OpenCanary - NMAP XMAS Scan
 2id: d7553d7b-f485-479c-b192-cdac6edd83a4
 3status: experimental
 4description: Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan
 5references:
 6    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
 7    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 8author: Marco Pedrinazzi (@pedrinazziM)
 9date: 2026-01-06
10tags:
11    - attack.discovery
12    - attack.t1046
13logsource:
14    category: application
15    product: opencanary
16detection:
17    selection:
18        logtype: 5004
19    condition: selection
20falsepositives:
21    - Unlikely
22level: high

References

Configuration — OpenCanary 0.9 documentation

Configuration Since we have many services, and each service has a few options, we have listed them all for you. Services Configuration We have gone ahead and listed all the services by their config...

Read More
opencanary/opencanary/logger.py at a0896adfcaf0328cfd5829fe10d2878c7445138e · thinkst/opencanary

Modular and decentralised honeypot. Contribute to thinkst/opencanary development by creating an account on GitHub.

Read More

OpenCanary - NMAP XMAS Scan

Sigma rule (View on GitHub)

References

Configuration — OpenCanary 0.9 documentation

opencanary/opencanary/logger.py at a0896adfcaf0328cfd5829fe10d2878c7445138e · thinkst/opencanary

Related rules