
OpenCanary - NMAP FIN Scan

Summary
This rule detects reconnaissance activity targeting an OpenCanary node via an Nmap FIN scan. FIN scans transmit TCP segments with only the FIN flag set to probe whether ports are open, closed, or filtered. When OpenCanary logs a FIN-scan event, typically under logtype 5005, the rule flags the activity as a high-severity port-scan attempt. The selection checks logtype 5005 and the condition is simply the presence of that event, aligning with attack.discovery and the T1046 (Network Service Scanning) technique.

False positives are labeled as unlikely, reflecting that FIN-based scans are a common reconnaissance tactic but may be legitimate in some authorized testing contexts. The rule is marked experimental and focuses on OpenCanary application logs to identify unsolicited network probing against the honeypot.

To validate, correlate with broader network logs (firewall/IDS) and confirm that the source is not legitimate management or vulnerability assessment activity. Mitigation steps include blocking or throttling repeated sources, reviewing exposure of the OpenCanary service, and tightening access controls or network segmentation around the honeypot while continuing to monitor for further reconnaissance indicators.
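As an added example (not part of the rule page or of the OpenCanary project), the following Python applies the rule's logic, selection on logtype 5005, to OpenCanary's JSON-lines application log and then aggregates matches per source host so that repeated probing sources stand out for the throttling step described above. The log lines are constructed for the example and use documentation IP ranges; the field names (logtype, src_host, dst_port, local_time, node_id) follow OpenCanary's JSON log layout.

```python
import json
from collections import Counter

# Sigma rule mapping: selection = {logtype: 5005}, condition = selection.
# 5005 is the OpenCanary logtype for an Nmap FIN scan (from the rule above).
LOGTYPE_NMAP_FIN = 5005

# Constructed sample of OpenCanary JSON-lines output: one SSH login attempt
# (logtype 4002, not in scope), three FIN-scan events from two sources, and
# one malformed line that a robust parser must skip.
SAMPLE_LOG = """\
{"dst_host": "192.0.2.10", "dst_port": 22, "local_time": "2026-01-06 10:15:01.000000", "logdata": {"USERNAME": "root"}, "logtype": 4002, "node_id": "opencanary-1", "src_host": "198.51.100.7", "src_port": 51234}
{"dst_host": "192.0.2.10", "dst_port": 80, "local_time": "2026-01-06 10:15:02.000000", "logdata": {}, "logtype": 5005, "node_id": "opencanary-1", "src_host": "198.51.100.7", "src_port": 40001}
{"dst_host": "192.0.2.10", "dst_port": 443, "local_time": "2026-01-06 10:15:02.500000", "logdata": {}, "logtype": 5005, "node_id": "opencanary-1", "src_host": "198.51.100.7", "src_port": 40002}
not-json garbage line
{"dst_host": "192.0.2.10", "dst_port": 8080, "local_time": "2026-01-06 10:16:00.000000", "logdata": {}, "logtype": 5005, "node_id": "opencanary-1", "src_host": "203.0.113.9", "src_port": 39990}
"""


def parse_opencanary(text):
    """Yield one dict per valid JSON line; silently skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def matches_rule(event):
    """Sigma selection: the event's logtype equals 5005."""
    return event.get("logtype") == LOGTYPE_NMAP_FIN


def find_fin_scans(text):
    """Return an alert record for every event that satisfies the rule."""
    alerts = []
    for event in parse_opencanary(text):
        if matches_rule(event):
            alerts.append({
                "local_time": event.get("local_time"),
                "node_id": event.get("node_id"),
                "src_host": event.get("src_host"),
                "dst_port": event.get("dst_port"),
                "severity": "high",        # level stated by the rule
                "technique": "T1046",      # ATT&CK mapping stated by the rule
            })
    return alerts


def repeated_sources(alerts, threshold=2):
    """Source hosts with at least `threshold` FIN-scan hits, sorted by count.

    The threshold is an assumption for this example; tune it to your
    environment before feeding the list into a block or rate-limit action.
    """
    counts = Counter(a["src_host"] for a in alerts)
    return [(host, n) for host, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    hits = find_fin_scans(SAMPLE_LOG)
    for alert in hits:
        print(f"[{alert['severity']}] {alert['local_time']} {alert['src_host']} "
              f"-> port {alert['dst_port']} ({alert['technique']})")
    print("repeated sources:", repeated_sources(hits))
```

The per-source count is the validation hook: one hit from a known scanner or management host is a candidate for the authorized-testing exception the rule mentions, while a source that keeps probing new ports on the honeypot is the one to correlate against firewall and IDS logs and, if unexplained, throttle or block.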
Categories
  • Network
Data Sources
  • Application Log
Created: 2026-01-06