Cisco Secure Firewall - Bits Network Activity

Splunk Security Content

Summary
This analytic detects use of the Background Intelligent Transfer Service (BITS) in allowed outbound connections by analyzing logs from Cisco Secure Firewall Threat Defense devices. BITS is a legitimate Windows service used for downloading updates, but threat actors can also abuse it to download malicious payloads stealthily. The rule identifies connections initiated by BITS to non-standard or unexpected domains, filtering out known Microsoft Edge update URLs so that it focuses on suspicious or unauthorized file transfers. If confirmed malicious, this activity could indicate a command and control (C2) channel or a malware download as part of an attack chain. The search counts occurrences and analyzes timestamps for each matching connection; it recommends using the Splunk Add-on for ingesting the logs and stresses that the filters must be tuned to the environment. False positives are possible because BITS is a legitimate service used by enterprise applications, so additional tuning is needed.
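The detection logic described above, as an added example that is not the Splunk Security Content rule itself: it parses a handful of constructed firewall connection events, keeps only allowed connections whose user agent is the BITS client, drops destinations on an example allowlist of Microsoft Edge update hosts, and aggregates the rest with a count and first/last seen timestamps per source, destination and URL. The key=value layout, the field names (`timestamp`, `src_ip`, `dest_ip`, `dest_host`, `url`, `user_agent`, `action`) and the allowlisted hosts are assumptions for this example, not the exact schema of the Cisco Secure Firewall add-on or the rule's exact filter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a simplified key=value layout. Field names are
# assumptions for this example, not the add-on's exact schema.
SAMPLE_EVENTS = [
    'timestamp="2025-04-01T10:00:01Z" src_ip=10.1.2.30 dest_ip=203.0.113.10 '
    'dest_host=msedge.b.tlu.dl.delivery.mp.microsoft.com '
    'url="http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/abc" '
    'user_agent="Microsoft BITS/7.8" action=Allow',
    'timestamp="2025-04-01T10:02:13Z" src_ip=10.1.2.30 dest_ip=198.51.100.7 '
    'dest_host=files.example.net url="http://files.example.net/update.bin" '
    'user_agent="Microsoft BITS/7.8" action=Allow',
    'timestamp="2025-04-01T10:05:40Z" src_ip=10.1.2.30 dest_ip=198.51.100.7 '
    'dest_host=files.example.net url="http://files.example.net/update.bin" '
    'user_agent="Microsoft BITS/7.8" action=Allow',
    'timestamp="2025-04-01T10:06:00Z" src_ip=10.1.2.31 dest_ip=198.51.100.9 '
    'dest_host=cdn.example.org url="http://cdn.example.org/a.exe" '
    'user_agent="Mozilla/5.0" action=Allow',
    'timestamp="2025-04-01T10:07:22Z" src_ip=10.1.2.32 dest_ip=198.51.100.8 '
    'dest_host=bad.example.com url="http://bad.example.com/p.dll" '
    'user_agent="Microsoft BITS/7.8" action=Block',
]

# Example allowlist of Microsoft Edge update hosts (assumed; tune per environment).
# A host matches if it equals a suffix or ends with "." + suffix.
EDGE_UPDATE_SUFFIXES = (
    "delivery.mp.microsoft.com",
    "api.cdp.microsoft.com",
)

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line into a dict of string fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def is_bits(user_agent):
    """The BITS client identifies itself with a 'Microsoft BITS/<version>' user agent."""
    return user_agent.startswith("Microsoft BITS/")


def is_edge_update(dest_host):
    """True when the destination is on the (assumed) Edge update allowlist."""
    host = dest_host.lower()
    return any(host == s or host.endswith("." + s) for s in EDGE_UPDATE_SUFFIXES)


def detect_bits_activity(lines):
    """Return allowed BITS connections to non-allowlisted hosts, aggregated
    per (src_ip, dest_ip, dest_host, url) with count and first/last seen."""
    groups = defaultdict(lambda: {"count": 0, "first_time": None, "last_time": None})
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "Allow":
            continue  # only allowed outbound connections are of interest
        if not is_bits(ev.get("user_agent", "")):
            continue
        if is_edge_update(ev.get("dest_host", "")):
            continue  # expected Edge update traffic, filtered out
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        g = groups[(ev["src_ip"], ev["dest_ip"], ev["dest_host"], ev["url"])]
        g["count"] += 1
        g["first_time"] = ts if g["first_time"] is None else min(g["first_time"], ts)
        g["last_time"] = ts if g["last_time"] is None else max(g["last_time"], ts)
    return [
        {"src_ip": k[0], "dest_ip": k[1], "dest_host": k[2], "url": k[3], **v}
        for k, v in groups.items()
    ]


if __name__ == "__main__":
    for finding in detect_bits_activity(SAMPLE_EVENTS):
        print(finding)
```

Of the five constructed events, only the two allowed BITS transfers from 10.1.2.30 to files.example.net survive the filters and collapse into one finding with a count of 2; the Edge update download, the non-BITS download and the blocked connection are all excluded. Tuning for an environment means extending the allowlist with the update hosts of enterprise applications that legitimately use BITS, which is exactly where the false positives the summary mentions come from.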
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Cloud Service
  • Network Traffic
  • Process
  • Firewall
Created: 2025-04-01