
Summary
OpenCanary - NMAP NULL Scan detects when an OpenCanary honeypot is targeted by a TCP NULL scan, a common Nmap probing technique (nmap -sN) in which a TCP segment is sent with no flags set; a closed port answers with RST while an open port stays silent, which lets the scanner infer port state without completing a handshake. The rule matches OpenCanary log entries with logtype 5003, the logtype OpenCanary's port-scan detection emits for this probe, and treats them as connection attempts indicative of reconnaissance or service discovery. This behaviour corresponds to ATT&CK T1046 (Network Service Discovery) and indicates that the honeypot, and likely the surrounding network, is being scanned by another host. The rule is marked high severity and experimental, reflecting its focus on early attacker reconnaissance. False positives are unlikely, because no legitimate client sends flagless TCP segments, but they can occur during authorised security assessments or vulnerability scans and in unusual network misconfigurations. Responders should correlate the source address with other telemetry (firewall, NetFlow, other honeypot events), block or rate-limit the offending IPs, review which services the source went on to contact, and harden exposed endpoints or adjust the OpenCanary configuration to reduce exposure while maintaining deception coverage.
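The following Python script is an added example of the rule's detection logic run over OpenCanary's newline-delimited JSON log output, together with the triage steps the summary recommends (grouping hits per source and checking whether a scanner went on to touch a service). It is not code from the rule's author or from the OpenCanary project. The field names (src_host, dst_port, logtype, local_time, node_id) follow OpenCanary's standard log format; the sample log lines are constructed, the logdata contents are placeholders, and the assumption that every 5xxx logtype belongs to OpenCanary's port-scan family is noted in the code.

```python
"""Detection logic for OpenCanary NMAP NULL scan events (logtype 5003).

Added example, not code from the rule's author or from the OpenCanary project.
The JSON field names follow OpenCanary's log format; the sample lines below are
constructed for this example, not captured from a real honeypot.
"""
import json
from collections import defaultdict

# OpenCanary logtype emitted for a TCP NULL scan (segment with no TCP flags set).
LOG_PORT_NMAPNULL = 5003

# Constructed sample log lines, one JSON object per line as OpenCanary writes them.
# logdata contents are placeholders; only logtype / src_host / dst_port / local_time matter here.
SAMPLE_LOG = "\n".join([
    '{"dst_host": "10.0.0.5", "dst_port": 22, "local_time": "2026-01-06 10:15:01.000000", "logdata": {}, "logtype": 5003, "node_id": "canary-1", "src_host": "198.51.100.23", "src_port": 41002}',
    '{"dst_host": "10.0.0.5", "dst_port": 443, "local_time": "2026-01-06 10:15:01.200000", "logdata": {}, "logtype": 5003, "node_id": "canary-1", "src_host": "198.51.100.23", "src_port": 41003}',
    '{"dst_host": "10.0.0.5", "dst_port": 80, "local_time": "2026-01-06 10:15:01.400000", "logdata": {}, "logtype": 5001, "node_id": "canary-1", "src_host": "198.51.100.23", "src_port": 41004}',
    '{"dst_host": "10.0.0.5", "dst_port": 8080, "local_time": "2026-01-06 10:16:30.000000", "logdata": {}, "logtype": 5003, "node_id": "canary-1", "src_host": "203.0.113.7", "src_port": 55100}',
    '{"dst_host": "10.0.0.5", "dst_port": 22, "local_time": "2026-01-06 10:17:05.000000", "logdata": {"USERNAME": "root", "PASSWORD": "toor"}, "logtype": 4002, "node_id": "canary-1", "src_host": "203.0.113.7", "src_port": 55188}',
    'not json at all',
])


def parse_opencanary_log(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "logtype" in event:
            events.append(event)
    return events


def detect_null_scans(events):
    """Core rule logic: select every event whose logtype is 5003."""
    return [e for e in events if e.get("logtype") == LOG_PORT_NMAPNULL]


def summarize_by_source(alerts):
    """Group NULL-scan alerts per source host: hit count, probed ports, first and last time."""
    summary = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for a in alerts:
        s = summary[a["src_host"]]
        s["count"] += 1
        s["ports"].add(a["dst_port"])
        t = a.get("local_time")
        if t is not None:  # timestamps share one format, so string comparison orders them
            s["first"] = t if s["first"] is None else min(s["first"], t)
            s["last"] = t if s["last"] is None else max(s["last"], t)
    return {host: {**s, "ports": sorted(s["ports"])} for host, s in summary.items()}


def scanners_with_service_contact(events):
    """Triage helper: sources that NULL-scanned the canary and also produced a non-scan
    event such as an SSH login attempt. Assumption: OpenCanary's 5xxx logtypes are all
    port-scan events, so anything outside that family counts as service interaction."""
    scanners = {e["src_host"] for e in detect_null_scans(events)}
    contacted = {e["src_host"] for e in events if e.get("logtype", 0) // 1000 != 5}
    return sorted(scanners & contacted)


if __name__ == "__main__":
    evs = parse_opencanary_log(SAMPLE_LOG)
    alerts = detect_null_scans(evs)
    for host, s in summarize_by_source(alerts).items():
        print(f"NULL scan from {host}: {s['count']} hit(s) on ports {s['ports']} "
              f"({s['first']} .. {s['last']})")
    print("scanners that also touched a service:", scanners_with_service_contact(evs))
```

Run it as-is to see the per-source summary; in practice point parse_opencanary_log at the honeypot's log file or at the events forwarded to your SIEM. The scan-then-contact helper is the correlation step the summary asks for: a source that first probes with flagless segments and then tries credentials on SSH is a stronger signal than the scan alone.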
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
Created: 2026-01-06