diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml
index d66a227f8..f40ca3781 100644
--- a/tools/config/arcsight.yml
+++ b/tools/config/arcsight.yml
@@ -46,6 +46,11 @@ logsources:
 service: powershell
 conditions:
 deviceVendor: Microsoft
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ deviceVendor: Microsoft
 windows-system:
 product: windows
 service: system
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index a408123c8..10b477ba6 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -27,4 +27,9 @@ logsources:
 service: driver-framework
 conditions:
 source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ source: 'Microsoft-Windows-DHCP-Server/Operational'
 defaultindex: logstash-*
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index d220a94a5..c485831a1 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -27,6 +27,11 @@ logsources:
 service: driver-framework
 conditions:
 source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ source: 'Microsoft-Windows-DHCP-Server/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names qith yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/helk.yml b/tools/config/helk.yml
index 60423a454..6a52294c8 100644
--- a/tools/config/helk.yml
+++ b/tools/config/helk.yml
@@ -27,6 +27,7 @@ logsources:
 product: windows
 service: powershell-classic
 index: logs-endpoint-winevent-powershell-*
+ defaultindex: logs-*
 fieldmappings:
 AccessMask: object_access_mask_requested
diff --git a/tools/config/logpoint-windows-all.yml b/tools/config/logpoint-windows-all.yml
index ec6bb3cac..60965fc60 100644
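Review bot: The new arcsight `windows-dhcp` entry's only condition is `deviceVendor: Microsoft`, identical to the `powershell` entry above it, so a query generated for a `service: dhcp` rule will scope to every Microsoft-vendor event rather than the DHCP-Server channel and the rule's EventID has to do all the filtering; DHCP server event IDs are small integers that can collide with same-numbered events from other Windows providers. Every other backend in this commit narrows on `Microsoft-Windows-DHCP-Server/Operational`, so unless ArcSight genuinely exposes no product/channel field here, add one alongside the vendor, e.g. `deviceProduct: <DHCP server product name>` — I cannot confirm the exact ArcSight field or value from this hunk, so check it against the other Windows entries in the file. If matching all Microsoft events is deliberate, a one-line comment above `windows-dhcp:` saying so would stop the next reader from "fixing" it.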
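Review bot: helk.yml is the only config in this commit that does not gain a `windows-dhcp` logsource; it adds `defaultindex: logs-*` instead, so a `service: dhcp` rule converted for HELK falls through to the broad default index with no channel restriction at all, whereas every other backend pins it to `Microsoft-Windows-DHCP-Server/Operational`. The collapsed layout also hides the indentation of the added line, so please confirm `defaultindex` sits at top level next to `fieldmappings:` and not under `logsources:`, where it would be read as a logsource named `defaultindex`. If HELK has an index carrying that channel, add the same three-line entry the siblings get plus an `index:` pointing at it; otherwise a short comment above `defaultindex` noting that it is the fallback for every unmapped logsource (including dhcp) would make the scope explicit.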
--- a/tools/config/logpoint-windows-all.yml
+++ b/tools/config/logpoint-windows-all.yml
@@ -19,6 +19,12 @@ logsources:
 service: driver-framework
 conditions:
 source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ source: 'Microsoft-Windows-DHCP-Server/Operational'
+
 fieldmappings:
 EventID: event_id
 FailureCode: result_code
diff --git a/tools/config/netwitness.yml b/tools/config/netwitness.yml
index fe86921b4..beffc181e 100644
--- a/tools/config/netwitness.yml
+++ b/tools/config/netwitness.yml
@@ -30,6 +30,12 @@ logsources:
 service: powershell
 conditions:
 device.type: winevent_nic
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ device.type: winevent_nic
+ event.source: microsoft-windows-dhcp-server
 windows-sec:
 product: windows
 service: security
diff --git a/tools/config/powershell-windows-all.yml b/tools/config/powershell-windows-all.yml
index 8464ade07..beec09237 100644
--- a/tools/config/powershell-windows-all.yml
+++ b/tools/config/powershell-windows-all.yml
@@ -60,3 +60,8 @@ logsources:
 service: ntlm
 conditions:
 LogName: 'Microsoft-Windows-NTLM/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ LogName: 'Microsoft-Windows-DHCP-Server/Operational'
diff --git a/tools/config/spark.yml b/tools/config/spark.yml
index 4c11e10ed..943f29fa6 100644
--- a/tools/config/spark.yml
+++ b/tools/config/spark.yml
@@ -34,6 +34,11 @@ logsources:
 service: wmi
 sources:
 - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ sources:
+ - 'Microsoft-Windows-DHCP-Server'
 apache:
 category: webserver
 sources:
diff --git a/tools/config/splunk-windows-all.yml b/tools/config/splunk-windows-all.yml
index dad385ae2..15f768e1d 100644
--- a/tools/config/splunk-windows-all.yml
+++ b/tools/config/splunk-windows-all.yml
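Review bot: The spark `windows-dhcp` entry's source, `'Microsoft-Windows-DHCP-Server'`, does not follow the form of the sibling WMI entry in the same hunk, `'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'`: it drops both the `WinEventLog:` prefix and the `/Operational` channel suffix that every other backend in this commit uses for the same log. If Spark sources are matched literally against the event log name, the converted DHCP rules will match nothing, which is a silent detection gap rather than an error. Unless this value was verified against the actual ingest, it should read `- 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'`; if the shorter form is intentional, a comment saying why it differs from the WMI entry would help.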
@@ -60,5 +60,10 @@ logsources:
 service: ntlm
 conditions:
 source: 'Microsoft-Windows-NTLM/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ source: 'Microsoft-Windows-DHCP-Server/Operational'
 fieldmappings:
 EventID: EventCode
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index a09c10a7b..d1467b984 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -44,6 +44,12 @@ logsources:
 conditions:
 EventChannel: System
 index: WINDOWS
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ EventChannel: Microsoft-Windows-DHCP-Server
+ index: WINDOWS
 apache:
 product: apache
 service: apache
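Review bot: The sumologic entry's `EventChannel: Microsoft-Windows-DHCP-Server` omits the `/Operational` suffix that every other backend in this commit uses for the same log, and the sibling context line `EventChannel: System` shows this field holding a full channel name; `Microsoft-Windows-DHCP-Server` by itself looks like the provider name rather than a channel, so DHCP rules may not match any events. Either use `EventChannel: Microsoft-Windows-DHCP-Server/Operational`, or, if the Sumo collector really strips the suffix, add a comment above the entry stating that so the discrepancy is not "corrected" later.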