When birds have the port scan detection module enabled, one of the alert types you may encounter is a "consolidated network port scan". These alerts can be super valuable, but are often misunderstood.

This alert indicates that two or more of your Canaries received a SYN packet on the same port from the same source within an hour of each other. This ideally catches stealthy scanners moving low and slow over a network range (targeting only a few ports to avoid detection by regular tools). It also detects network sweeps, where an attacker is looking for all the (say) SSH services on a network.

The detector works regardless of whether your birds are actually running services on those ports. In other words, you don't need a running Canary SSH service to detect a consolidated network port scan on port 22.

In the above example, a host ( attempted to connect to TELNET (port 23) on two different Canaries ( and The alert will be linked to one of the affected Canaries (all incidents are tied to a device) but clicking on "More Details" will always tell you which devices were being scanned.

An easy way to test this is to run nmap against a specific port, against the subnet where your Canaries are. nmap -p 23 <subnet>

You can also simply attempt to connect to the two devices within the time-window. If the default of 60 minutes doesn't work for you, just drop us a support ticket and we'll change it.