BITS Transfer Job Download From Direct IP

Sigma Rules

Summary
This detection rule identifies the use of BITS (Background Intelligent Transfer Service) to download files from direct IP addresses, which may indicate malicious activity such as unauthorized data exfiltration or command-and-control operations. The rule fires on EventID 16403 when a BITS transfer job requests a resource whose URL addresses the server by IP address rather than by hostname, particularly an address that does not belong to known local network ranges. Filters exclude transfers from private/internal IP addresses as well as certain known benign sources, which improves detection accuracy by focusing on suspicious behavior rather than normal operations. Monitoring BITS jobs in this way gives insight into unusual file download activity that often goes unnoticed in traditional logging. The rule applies to Windows environments, where BITS is commonly used, and carries a high severity level, indicating a potential threat that warrants immediate investigation.
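The logic the summary describes, replayed over constructed sample events as an added example (not the Sigma rule itself): a job event is flagged when its remote URL names a literal IP that falls outside the internal ranges. The record shape and the field names EventID and RemoteName are assumptions modelled on the BITS-Client Operational log, and the exact ranges the rule filters are assumed to be RFC 1918, loopback and link-local.

```python
"""Flag BITS transfer job events (EventID 16403) that download from a direct,
non-internal IP address. Added example; field names and filter ranges are
assumptions, and SAMPLE_EVENTS are constructed records, not real telemetry."""
import ipaddress
from urllib.parse import urlsplit

BITS_JOB_EVENT_ID = 16403  # event id named in the rule description

# Assumed "private/internal" filter: RFC 1918, loopback, link-local (v4 and v6).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def direct_ip_host(url):
    """Return the host as an ip_address object when the URL addresses the
    server by literal IP (v4 or bracketed v6); None for hostnames/bad URLs."""
    try:
        host = urlsplit(url).hostname  # strips port, userinfo and [] brackets
        return ipaddress.ip_address(host) if host else None
    except ValueError:  # malformed URL or host is not an IP literal
        return None


def is_suspicious_download(event):
    """Mirror the rule: right event id, a direct-IP RemoteName, and the IP is
    not in any internal range (v4/v6 mismatches never match a range)."""
    if event.get("EventID") != BITS_JOB_EVENT_ID:
        return False
    ip = direct_ip_host(event.get("RemoteName", ""))
    if ip is None:
        return False
    return not any(ip in net for net in INTERNAL_RANGES)


def flag_events(events):
    """Return the RemoteName of every event that matches the detection."""
    return [e["RemoteName"] for e in events if is_suspicious_download(e)]


# Constructed sample records using documentation addresses/names only.
SAMPLE_EVENTS = [
    {"EventID": 16403, "RemoteName": "http://203.0.113.10/update.bin"},      # public v4: flag
    {"EventID": 16403, "RemoteName": "https://10.0.0.5/share/tool.exe"},      # RFC 1918: filtered
    {"EventID": 16403, "RemoteName": "http://127.0.0.1:8080/local.zip"},      # loopback: filtered
    {"EventID": 16403, "RemoteName": "https://download.example.com/a.msi"},  # hostname: not direct IP
    {"EventID": 16403, "RemoteName": "http://[2001:db8::1]/payload.dat"},     # v6 literal: flag
    {"EventID": 16402, "RemoteName": "http://203.0.113.10/update.bin"},       # other event id: ignored
]

if __name__ == "__main__":
    for name in flag_events(SAMPLE_EVENTS):
        print("ALERT: BITS job downloading from direct IP:", name)
```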
Categories
  • Windows
Data Sources
  • Windows Registry
  • Logon Session
  • Process
Created: 2023-01-11