
Summary
This experimental rule detects when an OpenCanary honeypot is targeted by an Nmap OS fingerprint scan. It relies on the OpenCanary log entries (logtype 5002) emitted during OS discovery events and flags the activity as a network reconnaissance attempt against the honeypot. The rule is aligned with ATT&CK T1046 (Network Service Scanning) and is categorized as high severity. False positives are unlikely, but legitimate internal scans or misconfigured log formatting could produce similar entries; correlation with other indicators (source IP, scan rate, and additional reconnaissance artifacts) is recommended before escalating. The rule is designed for OpenCanary deployments and should be kept in step with OpenCanary's logging semantics, since a change in the logtype numbering or log format would silently break the match.
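As an added illustration that is not part of the rule or of OpenCanary itself, the Python below applies the rule's matching condition (logtype 5002) to constructed sample log lines, skips malformed lines, and counts hits per source so the correlation the summary recommends can be done; the JSON field names logtype, src_host, dst_host, dst_port and utc_time are assumed from OpenCanary's JSON log output.

```python
import json
from collections import Counter

# OpenCanary log type for an Nmap OS fingerprint probe (the rule's logtype 5002).
LOG_PORT_NMAPOS = 5002

# Constructed sample lines in OpenCanary's JSON log shape. Field names are
# assumed from OpenCanary's JSON output; hosts, ports and times are made up,
# and the non-5002 logtype value is an arbitrary placeholder.
SAMPLE_LOGS = """\
{"logtype": 1000, "src_host": "10.0.0.5", "src_port": 51000, "dst_host": "10.0.0.20", "dst_port": 22, "utc_time": "2026-01-06 10:00:00.000000", "logdata": {}}
{"logtype": 5002, "src_host": "10.0.0.77", "src_port": 40001, "dst_host": "10.0.0.20", "dst_port": 80, "utc_time": "2026-01-06 10:00:01.000000", "logdata": {}}
{"logtype": 5002, "src_host": "10.0.0.77", "src_port": 40002, "dst_host": "10.0.0.20", "dst_port": 443, "utc_time": "2026-01-06 10:00:01.500000", "logdata": {}}
not json at all
{"logtype": 5002, "src_host": "10.0.0.9", "src_port": 33000, "dst_host": "10.0.0.20", "dst_port": 22, "utc_time": "2026-01-06 10:05:00.000000", "logdata": {}}
"""


def parse_events(text):
    """Parse newline-delimited JSON; drop blank or malformed lines and
    records without an integer logtype (the misformatting the summary warns about)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and isinstance(obj.get("logtype"), int):
            events.append(obj)
    return events


def detect_nmap_os_scan(text):
    """Return one alert dict per logtype-5002 event, i.e. each time the rule would fire."""
    alerts = []
    for ev in parse_events(text):
        if ev["logtype"] == LOG_PORT_NMAPOS:
            alerts.append({
                "src_host": ev.get("src_host"),
                "dst_host": ev.get("dst_host"),
                "dst_port": ev.get("dst_port"),
                "utc_time": ev.get("utc_time"),
                "technique": "T1046",
                "severity": "high",
            })
    return alerts


def hits_per_source(alerts):
    """Correlation helper: count 5002 hits per source IP to prioritise triage."""
    return dict(Counter(a["src_host"] for a in alerts))
```

Feeding real OpenCanary output through `detect_nmap_os_scan` gives the raw rule hits; `hits_per_source` is the first step towards the source-IP and scan-rate correlation the summary recommends.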
Categories
- Endpoint
- Network
Data Sources
- Application Log
- Network Traffic
Created: 2026-01-06