
Detect Traffic Mirroring

Splunk Security Content

Summary
This analytic rule detects the initiation of traffic mirroring sessions on Cisco network devices, a capability adversaries can abuse for data exfiltration. The detection relies on specific log entries that indicate such a session being established, including mnemonics and facilities such as "ETH_SPAN_SESSION_UP" and "PKTCAP_START." When attackers mirror network traffic they can capture sensitive information and monitor communications, putting the network's integrity and confidentiality at risk. The rule uses an SPL query over Cisco network logs, filtering for entries with a facility level of at least "5 - notification." Network devices must log appropriately, and the Cisco Networks Add-on for Splunk must be in use so that the logs are parsed correctly. Network administrators should be aware that legitimate traffic captures can produce false positives.
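The same detection logic expressed outside Splunk, as an added example that is not the rule's own SPL: it parses Cisco-style syslog lines, keeps the two indicators the summary names, and applies the notification-or-worse severity threshold. The line layout, the host-extraction heuristic, the idea that the add-on exposes indicators as either the bare mnemonic or a FACILITY_MNEMONIC combination, and the sample log lines are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators named in the rule summary. Matched against the bare mnemonic or the
# FACILITY_MNEMONIC combination (an assumption about how the add-on renders them).
MIRROR_INDICATORS = {"ETH_SPAN_SESSION_UP", "PKTCAP_START"}

# Cisco severities run 0 (emergency) to 7 (debug); "at least 5 - notification"
# means notification or more severe, i.e. numerically <= 5.
MAX_SEVERITY = 5

# Assumed line layout: "<timestamp> <host> %FACILITY-SEVERITY-MNEMONIC: free text"
MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$")

@dataclass
class Alert:
    host: str
    facility: str
    severity: int
    mnemonic: str
    text: str

def parse_cisco_line(line: str) -> Optional[Alert]:
    """Parse one syslog line into an Alert record, or None if it is not a Cisco message."""
    if not (m := MSG_RE.search(line)):
        return None
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t.startswith("%")), 0)
    host = tokens[idx - 1] if idx > 0 else "unknown"  # token just before the %... field
    return Alert(host, m["fac"], int(m["sev"]), m["mnem"], m["text"])

def is_mirroring_event(rec: Alert) -> bool:
    """The rule: a mirroring/capture indicator at notification severity or worse."""
    combined = f"{rec.facility}_{rec.mnemonic}"
    return rec.severity <= MAX_SEVERITY and (
        rec.mnemonic in MIRROR_INDICATORS or combined in MIRROR_INDICATORS)

def detect_mirroring(lines: List[str]) -> List[Alert]:
    """Apply the rule to raw log lines; returns only the events that fire."""
    parsed = (parse_cisco_line(line) for line in lines)
    return [rec for rec in parsed if rec is not None and is_mirroring_event(rec)]

# Constructed sample log lines, not real device output.
SAMPLE_LOGS = [
    "Nov 15 09:12:01 nx-core-1 %ETH_SPAN-5-SESSION_UP: Session 3 is up",
    "Nov 15 09:12:07 ios-edge-2 %PKTCAP-5-START: Packet capture cap1 started",
    "Nov 15 09:12:09 ios-edge-2 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up",
    "Nov 15 09:13:30 nx-core-1 %ETH_SPAN-7-SESSION_UP: debug-level repeat, below threshold",
]
```

Only the first two sample lines fire: the link-state message has the wrong indicator and the last line carries debug severity, which is how the threshold keeps noisy low-severity chatter out of the alert stream.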
Categories
  • Network
  • Infrastructure
Data Sources
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1200
  • T1020
  • T1498
  • T1020.001
Created: 2024-11-15