Detect Rogue DHCP Server

Splunk Security Content

Summary
This detection rule identifies unauthorized DHCP servers on the network by analyzing logs from Cisco network devices with DHCP Snooping enabled. It specifically looks for DHCP lease events originating from untrusted ports, a key indicator of a rogue DHCP server. Such servers can enable critical threats, including Man-in-the-Middle (MitM) attacks in which an attacker intercepts network traffic or redirects users to malicious servers. The analytic uses Splunk's Search Processing Language (SPL) to aggregate DHCP Snooping events and flag potential rogue servers. DHCP Snooping must be correctly configured on the Cisco devices for the rule to be effective; otherwise false positives arise from misconfiguration. Correctly implemented, this rule helps maintain network integrity by promptly detecting unauthorized DHCP activity.
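The following is an added example, not the Splunk analytic's own SPL, showing the same detection logic in Python over a handful of constructed syslog lines. The lines are modeled on the Cisco IOS DHCP snooping "untrusted port" drop message, but the exact field layout (including the trailing interface field), the hostnames, MACs and interfaces are assumptions of this example. It keeps only drops of server-originated message types (OFFER/ACK/NAK) on untrusted ports, aggregates them per switch, port and source MAC, and applies a minimum event count so that a single stray reply does not page anyone:

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (hostnames, MACs and interfaces are made up),
# modeled on the Cisco IOS "%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT"
# message; the exact field layout, including the trailing interface field,
# is an assumption of this example.
SAMPLE_LOGS = [
    "sw-access-01: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455, interface: GigabitEthernet1/0/7",
    "sw-access-01: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0011.2233.4455, interface: GigabitEthernet1/0/7",
    "sw-access-01: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455, interface: GigabitEthernet1/0/7",
    # Dropped for a client MAC mismatch, not for a server on an untrusted port: not a rogue-server signal.
    "sw-access-01: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: aaaa.bbbb.cccc, MAC sa: aaaa.bbbb.dddd, interface: GigabitEthernet1/0/3",
    # A single server reply on another switch; below a threshold of 2 it is not reported.
    "sw-access-02: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPNAK, MAC sa: 0c0c.0c0c.0c0c, interface: GigabitEthernet1/0/12",
    # Unrelated syslog noise that the parser must ignore.
    "sw-access-02: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up",
]

LINE_RE = re.compile(
    r"^(?P<host>\S+): %DHCP_SNOOPING-\d-(?P<mnemonic>\w+): .*?"
    r"message type: (?P<msgtype>DHCP\w+).*?"
    r"MAC sa: (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"(?:.*?interface: (?P<iface>\S+))?"
)

# Only a DHCP server sends these; a client-facing (untrusted) port should never source them.
SERVER_MESSAGE_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def parse_line(line):
    """Return the parsed fields of a DHCP snooping syslog line, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_rogue_dhcp(lines, min_events=1):
    """Aggregate untrusted-port drops of server-originated DHCP messages per switch/port/MAC.

    Returns findings with at least min_events occurrences, highest count first.
    """
    buckets = defaultdict(lambda: {"count": 0, "message_types": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["mnemonic"] != "DHCP_SNOOPING_UNTRUSTED_PORT":
            continue
        if ev["msgtype"] not in SERVER_MESSAGE_TYPES:
            continue
        key = (ev["host"], ev["iface"] or "unknown", ev["mac"].lower())
        buckets[key]["count"] += 1
        buckets[key]["message_types"].add(ev["msgtype"])

    findings = [
        {"host": host, "interface": iface, "server_mac": mac,
         "count": data["count"], "message_types": sorted(data["message_types"])}
        for (host, iface, mac), data in buckets.items()
        if data["count"] >= min_events
    ]
    return sorted(findings, key=lambda f: (-f["count"], f["host"], f["interface"]))


if __name__ == "__main__":
    for finding in detect_rogue_dhcp(SAMPLE_LOGS, min_events=2):
        print(f"{finding['host']} {finding['interface']}: rogue DHCP server candidate "
              f"{finding['server_mac']} ({finding['count']} server replies: "
              f"{', '.join(finding['message_types'])})")
```

Aggregating on switch, port and source MAC mirrors what the SPL analytic does with its grouping, and it is also what makes the result actionable: the finding names the physical port to shut or inspect. The threshold is the knob for the false-positive caveat in the summary; a port that is actually trusted but was left untrusted in the snooping configuration will show up here with a high count and the same MAC on every event, which is the configuration error to fix rather than an attacker.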
Categories
  • Network
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1200
  • T1498
  • T1557
Created: 2024-11-15