When your birds (Canaries) have the port scan detection module enabled, one of the alert types you may encounter is a "consolidated network port scan". These alerts can be very valuable, but they are often misunderstood.

This alert indicates that two or more of your Canaries received a SYN packet on the same port from the same source within an hour of each other. It is designed to catch stealthy scanners moving low and slow across a network range (probing only a few ports per host to stay under the thresholds of regular port scan detectors). It also detects network sweeps, where an attacker is looking for all the (say) SSH services on a network.

The detector works regardless of whether your birds are actually running services on those ports: the trigger is the SYN itself, not a completed connection. In other words, you don't need a running Canary SSH service to detect a consolidated network port scan on port 22.
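To make the rule concrete, here is a small consolidator that applies the logic described above (same source, same port, two or more distinct Canaries, within a 60 minute window) to a handful of constructed SYN observations. This is an added illustration, not Thinkst's code; the event format, the IP addresses and the alert fields are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample observations: (timestamp, source IP, Canary IP, destination port).
# These are made up for the example; in the real product each Canary reports its own SYNs.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "1.2.3.4", "1.2.3.1", 23),
    ("2024-01-01T10:20:00", "1.2.3.4", "1.2.3.2", 23),   # same port, second Canary: alert
    ("2024-01-01T10:25:00", "1.2.3.4", "1.2.3.1", 23),   # repeat on a Canary already in the alert
    ("2024-01-01T10:30:00", "9.9.9.9", "1.2.3.1", 22),
    ("2024-01-01T12:00:00", "9.9.9.9", "1.2.3.2", 22),   # 90 minutes later: outside the window
    ("2024-01-01T12:10:00", "5.5.5.5", "1.2.3.1", 445),
    ("2024-01-01T12:15:00", "5.5.5.5", "1.2.3.2", 445),
    ("2024-01-01T12:16:00", "5.5.5.5", "1.2.3.3", 445),  # third Canary joins the same sweep
]

WINDOW = timedelta(minutes=60)  # the default window from the text (assumed adjustable here)


def consolidate(events, window=WINDOW, min_devices=2):
    """Return consolidated scan alerts as dicts with source, port, devices, first_seen, last_seen.

    SYNs are grouped by (source, port). Within each group only observations no older
    than `window` are kept; once at least `min_devices` distinct Canaries fall inside
    that window, one alert is raised, and further Canaries hit within the window are
    folded into the same alert rather than raising a new one.
    """
    alerts = []
    recent = defaultdict(list)  # (src, port) -> [(timestamp, canary)] still inside the window
    open_alert = {}             # (src, port) -> index of the alert that may still be extended

    for ts_str, src, canary, port in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        key = (src, port)
        # Slide the window forward: drop anything older than `window` relative to this SYN.
        recent[key] = [(t, c) for t, c in recent[key] if ts - t <= window] + [(ts, canary)]
        devices = sorted({c for _, c in recent[key]})
        if len(devices) < min_devices:
            continue  # a single Canary being probed is not a consolidated scan

        idx = open_alert.get(key)
        if idx is not None and ts - alerts[idx]["last_seen"] <= window:
            # Same scan still in progress: record the extra device, do not re-alert.
            alerts[idx]["devices"] = sorted(set(alerts[idx]["devices"]) | {canary})
            alerts[idx]["last_seen"] = ts
        else:
            alerts.append({
                "source": src,
                "port": port,
                "devices": devices,
                "first_seen": recent[key][0][0],
                "last_seen": ts,
            })
            open_alert[key] = len(alerts) - 1
    return alerts


if __name__ == "__main__":
    for alert in consolidate(SAMPLE_EVENTS):
        print(f"{alert['source']} scanned port {alert['port']} on {', '.join(alert['devices'])} "
              f"between {alert['first_seen']:%H:%M} and {alert['last_seen']:%H:%M}")
```

Run on the sample data, this yields two alerts (1.2.3.4 on port 23 across two Canaries, and 5.5.5.5 on port 445 across three) and nothing for 9.9.9.9, whose two probes of port 22 are 90 minutes apart and therefore never share a window. The third 1.2.3.4 probe is absorbed into the existing alert, which matches the behaviour the text describes: one consolidated alert per scan, with the full device list available on inspection.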

In the example alert, a host (1.2.3.4) attempted to connect to TELNET (port 23) on two different Canaries (1.2.3.1 and 1.2.3.2). The alert will be linked to one of the affected Canaries (all incidents are tied to a device), but clicking on "More Details" will always show you which devices were being scanned.

An easy way to test this is to run nmap against a single port across the subnet your Canaries live in, for example:

nmap -p 23 <subnet>

At least two Canaries must sit inside the range you scan, otherwise the consolidated alert has nothing to consolidate.

You can also simply attempt to connect to the same port on two of the devices within the time window (a plain telnet or nc to each will do). If the default of 60 minutes doesn't work for you, just drop us a support ticket and we'll change it.