
Summary
OpenCanary - Host Port Scan (SYN Scan) is an experimental rule that detects SYN-based port scans targeting an OpenCanary honeypot. It monitors the OpenCanary port-scan log entries (logtype 5001) and raises a high-severity alert when such an event is observed, indicating potential reconnaissance against the host. The detection is implemented as a straightforward selection on logtype 5001 with a single condition: the rule fires whenever such an entry is present.

The rule maps to MITRE ATT&CK technique T1046 (Network Service Scanning) and is intended to surface unauthorized scanning activity directed at the honeypot. False positives are marked as unlikely, reflecting the honeypot telemetry context, where most port-scan events are malicious. References link to OpenCanary configuration details and the OpenCanary logger source.

The log source is application-level (OpenCanary), and the data source corresponds to OpenCanary's application logs that capture port-scan events on the host. Operations should correlate alerts by source IP and consider escalation or blocking of repeated probes.
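The following is an added example, not the rule's own implementation or OpenCanary project code. It applies the selection described above (logtype 5001, condition: selection) to OpenCanary's JSON log lines and then does the per-source correlation the summary recommends, flagging sources whose probe count reaches a threshold. The field names (logtype, src_host, dst_host, dst_port) follow OpenCanary's JSON logger; the log lines, node id, addresses and the escalation threshold of 3 are constructed for illustration.

```python
import json
from collections import defaultdict

# OpenCanary logtype emitted by the portscan module for a SYN scan.
LOGTYPE_PORT_SYN = 5001

# Constructed sample log lines (not real telemetry). One line is deliberately
# malformed, and one is a non-portscan event, to show both are ignored.
SAMPLE_LOG = """
{"dst_host": "10.0.0.5", "dst_port": 22, "logtype": 5001, "node_id": "canary-01", "src_host": "203.0.113.5", "src_port": 51234, "utc_time": "2026-01-06 10:00:01.000000", "logdata": {}}
{"dst_host": "10.0.0.5", "dst_port": 80, "logtype": 5001, "node_id": "canary-01", "src_host": "203.0.113.5", "src_port": 51235, "utc_time": "2026-01-06 10:00:01.200000", "logdata": {}}
{"dst_host": "10.0.0.5", "dst_port": 443, "logtype": 5001, "node_id": "canary-01", "src_host": "203.0.113.5", "src_port": 51236, "utc_time": "2026-01-06 10:00:01.400000", "logdata": {}}
{"dst_host": "10.0.0.5", "dst_port": 3389, "logtype": 5001, "node_id": "canary-01", "src_host": "203.0.113.5", "src_port": 51237, "utc_time": "2026-01-06 10:00:01.600000", "logdata": {}}
{"dst_host": "10.0.0.5", "dst_port": 22, "logtype": 5001, "node_id": "canary-01", "src_host": "198.51.100.7", "src_port": 40001, "utc_time": "2026-01-06 10:05:00.000000", "logdata": {}}
{"dst_host": "10.0.0.5", "dst_port": 21, "logtype": 2000, "node_id": "canary-01", "src_host": "198.51.100.7", "src_port": 40002, "utc_time": "2026-01-06 10:05:03.000000", "logdata": {"USERNAME": "anonymous"}}
{"logtype": 5001, "src_host":
"""


def parse_events(text):
    """Parse newline-delimited JSON; skip blank or malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def match_syn_scan(event):
    """Sigma-style selection: the event's logtype equals 5001."""
    return event.get("logtype") == LOGTYPE_PORT_SYN


def detect(text):
    """Return every event that satisfies the selection (each one is an alert)."""
    return [e for e in parse_events(text) if match_syn_scan(e)]


def summarize_by_source(alerts, threshold=3):
    """Correlate alerts by src_host; mark sources at or above the threshold for escalation.

    The threshold value is an assumption for this example, not part of the rule.
    """
    ports_by_src = defaultdict(set)
    count_by_src = defaultdict(int)
    for a in alerts:
        src = a.get("src_host", "unknown")
        count_by_src[src] += 1
        if a.get("dst_port") is not None:
            ports_by_src[src].add(a["dst_port"])
    return {
        src: {
            "events": count_by_src[src],
            "ports": sorted(ports_by_src[src]),
            "escalate": count_by_src[src] >= threshold,
        }
        for src in count_by_src
    }


if __name__ == "__main__":
    alerts = detect(SAMPLE_LOG)
    for src, info in summarize_by_source(alerts).items():
        print(src, info)
```

The selection itself is a single field comparison, so most of the value for an analyst is in the summary step: a source that touches several distinct ports in quick succession is the repeated-probe pattern the rule description says should be escalated or blocked, while a single hit still produces an alert but ranks lower.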
Categories
- Endpoint
- Network
Data Sources
- Application Log
Created: 2026-01-06