
Summary
Detects attempts to probe an OpenCanary honeypot with an NMAP XMAS scan by analyzing OpenCanary port scan log entries (logtype 5004). When a portscan event matching the NMAP XMAS pattern is observed, the rule triggers a high-severity alert indicating reconnaissance activity that uses the Xmas scan (TCP flags FIN+PSH+URG set together). The rule is labeled experimental and is designed for OpenCanary deployments, so that stealthy network-scanning attempts against the honeypot can be identified quickly. References point to the OpenCanary configuration/docs and logger implementation for reproduction.
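The detection described above, applied to a few OpenCanary-style JSON log lines, as an added example (not the rule's own code or part of OpenCanary). The sample lines are constructed, and the field names (src_host, node_id, local_time, logdata) are assumed to follow OpenCanary's JSON logger; only logtype 5004 is taken from the page.

```python
import json
from typing import Iterator, Optional

# OpenCanary logtype for an NMAP XMAS port-scan event, as stated on the page.
LOG_PORT_NMAPXMAS = 5004

# Constructed sample lines in the JSON shape OpenCanary writes. Field names such
# as "src_host" and "node_id" are assumed; the third line is deliberately broken
# to show that a malformed line must not stop the rule from processing the rest.
SAMPLE_LOG = """\
{"dst_host": "10.0.0.5", "dst_port": -1, "local_time": "2026-01-06 10:00:01", "logdata": {"msg": "Nmap XMAS scan"}, "logtype": 5004, "node_id": "opencanary-1", "src_host": "192.0.2.77", "src_port": 40001}
{"dst_host": "10.0.0.5", "dst_port": -1, "local_time": "2026-01-06 10:00:02", "logdata": {"msg": "Syn scan"}, "logtype": 5001, "node_id": "opencanary-1", "src_host": "192.0.2.77", "src_port": 40002}
not json at all
{"dst_host": "10.0.0.5", "dst_port": -1, "local_time": "2026-01-06 10:00:03", "logdata": {"msg": "Nmap XMAS scan"}, "logtype": 5004, "node_id": "opencanary-1", "src_host": "198.51.100.9", "src_port": 51000}
"""

def parse_events(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed JSON line; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event

def match_xmas_scan(event: dict) -> Optional[dict]:
    """Return a high-severity alert for a logtype 5004 event, else None."""
    if event.get("logtype") != LOG_PORT_NMAPXMAS:
        return None
    return {
        "severity": "high",
        "title": "OpenCanary: NMAP XMAS scan probe detected",
        "src_host": event.get("src_host"),
        "node_id": event.get("node_id"),
        "time": event.get("utc_time") or event.get("local_time"),
    }

def run_detection(text: str) -> list:
    """Apply the rule to every parsed event and collect the alerts it raises."""
    alerts = []
    for event in parse_events(text):
        alert = match_xmas_scan(event)
        if alert is not None:
            alerts.append(alert)
    return alerts
```

Running run_detection(SAMPLE_LOG) yields two alerts, one per XMAS event, while the SYN-scan event and the malformed line are ignored.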
Categories
- Network
Data Sources
- Application Log
Created: 2026-01-06