Windows AD Rogue Domain Controller Network Activity

Splunk Security Content

Summary
This analytic identifies unauthorized replication Remote Procedure Call (RPC) activity originating from devices that are not domain controllers in an Active Directory environment. It looks for RPC operations such as `DrsReplicaAdd` and `DRSGetNCChanges`, which are key indicators of rogue domain controller activity. Using Zeek wire data, it filters known legitimate domain controllers out of the detection logic so that only anomalous sources are flagged. These RPC calls from a host that is not a domain controller can indicate an attempt to introduce a rogue domain controller, which is a substantial risk: an attacker in that position could manipulate Active Directory data, escalate privileges, and establish persistence in the network. The rule also includes an RBA (Risk-Based Alert) message format that describes the detected activity, highlighting the source and destination of the RPC calls involved.
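As an added example (not the Splunk rule's own SPL or code), the following Python applies the same logic to Zeek dce_rpc.log records in Zeek's JSON output format: it keeps only the two replication operations, drops sources that appear on an allow-list of known domain controllers, and builds the source/destination message the rule's RBA format describes. The log records, host addresses and the `KNOWN_DCS` allow-list are constructed for the example; in production the allow-list would come from the AD inventory or an asset lookup.

```python
import json
from collections import Counter

# Constructed sample Zeek dce_rpc.log records (Zeek JSON output format); not real traffic.
# Only the fields this check reads are kept.
SAMPLE_LOG = """\
{"ts":1731672000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.10","id.resp_p":49155,"endpoint":"drsuapi","operation":"DRSGetNCChanges"}
{"ts":1731672001.2,"uid":"C2","id.orig_h":"10.0.0.11","id.resp_h":"10.0.0.10","id.resp_p":49155,"endpoint":"drsuapi","operation":"DRSReplicaAdd"}
{"ts":1731672002.3,"uid":"C3","id.orig_h":"10.0.0.77","id.resp_h":"10.0.0.10","id.resp_p":49155,"endpoint":"drsuapi","operation":"DRSGetNCChanges"}
{"ts":1731672003.4,"uid":"C4","id.orig_h":"10.0.0.78","id.resp_h":"10.0.0.10","id.resp_p":49155,"endpoint":"drsuapi","operation":"DRSBind"}
{"ts":1731672004.5,"uid":"C5","id.orig_h":"10.0.0.79","id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"samr","operation":"SamrConnect"}
{"ts":1731672005.6,"uid":"C6","id.orig_h":"10.0.0.80","id.resp_h":"10.0.0.10","id.resp_p":49155,"endpoint":"drsuapi","operation":"DRSReplicaAdd"}
"""

# Assumed allow-list of legitimate domain controllers; in practice this comes
# from the AD inventory (e.g. the Domain Controllers OU) or an asset lookup.
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}

# Replication operations the rule keys on. Matched case-insensitively because the
# exact spelling depends on the Zeek DCE-RPC operation table in use.
REPLICATION_OPS = {"drsreplicaadd", "drsgetncchanges"}


def detect_rogue_replication(log_text, known_dcs):
    """Return one finding per replication RPC whose source is not a known DC."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        op = rec.get("operation", "")
        if op.lower() not in REPLICATION_OPS:
            continue                     # unrelated DCE-RPC traffic
        src, dst = rec["id.orig_h"], rec["id.resp_h"]
        if src in known_dcs:
            continue                     # DC-to-DC replication is expected
        findings.append({
            "ts": rec["ts"], "src": src, "dst": dst, "operation": op,
            "message": f"Replication RPC {op} from non-DC {src} to {dst}",
        })
    return findings


def summarize_by_source(findings):
    """Count flagged operations per source host, the pivot an analyst triages first."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = detect_rogue_replication(SAMPLE_LOG, KNOWN_DCS)
    for f in hits:
        print(f["message"])
    print(dict(summarize_by_source(hits)))
```

A DRSBind from an unknown host is deliberately not flagged on its own, since the rule keys on the two replication operations; an incomplete or stale domain controller allow-list is the main source of false positives for this logic.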
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1207
Created: 2024-11-15