diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
index 678c9ac1..5e409da8 100644
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -42,4 +42,6 @@ SubjectLogonId,Event.EventData.SubjectLogonId
 Image,Event.EventData.Image
 ParentImage,Event.EventData.ParentImage
 MachineName,Event.EventData.MachineName
-QueryName,Event.EventData.QueryName
\ No newline at end of file
+QueryName,Event.EventData.QueryName
+JobTitle,Event.EventData.name
+Url,Event.EventData.url
diff --git a/rules/bitsjobs/1197_bitsjob.yaml b/rules/bitsjobs/1197_bitsjob.yaml
new file mode 100644
index 00000000..09e2a41f
--- /dev/null
+++ b/rules/bitsjobs/1197_bitsjob.yaml
@@ -0,0 +1,16 @@
+title: BitsJob
+description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
+enabled: true
+author: Yea
+logsource:
+  product: windows
+detection:
+  selection:
+    Channel: Microsoft-Windows-Bits-Client/Operational
+    EventID: 59
+falsepositives:
+  - unknown
+level: medium
+output: 'Started bits job created. JobTitle:%JobTitle% URL:%Url%'
+creation_date: 2021/7/15
+updated_date: 2021/7/15
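Review bot: The two added aliases resolve to lowercase `Event.EventData.name` and `Event.EventData.url`, unlike every other entry in the hunk, and because this file is a global alias table the generic name `Url` may later be wanted by a rule on a different channel whose field is cased differently. Verify both paths against the actual BITS-Client EventID 59 event XML (presumably where they were taken from) and consider a channel-specific alias such as `BitsJobUrl` so that a future `Url` mapping cannot silently change what this rule prints. The file has no comment syntax, so the origin of these two fields is best recorded in the rule that uses them.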
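Review bot: The selection matches every EventID 59 in the BITS-Client log, so the rule will fire on the steady stream of legitimate BITS jobs created by built-in components (Windows Update, Defender updates and similar), which `falsepositives: - unknown` and `level: medium` do not reflect; list those known job sources under `falsepositives` and consider a filter on well-known job titles, or lower the level until the JobTitle/Url output has been reviewed on real data. There is no `condition:` under `detection:`; if this rule format follows Sigma, add `condition: selection` so the intended logic is explicit rather than implied. Since the file name references T1197, `tags:` with `attack.t1197` and `attack.persistence` / `attack.defense_evasion` would let the alert be correlated with the technique named in the description. The output string reads oddly; I would change it to `output: 'BITS job started. JobTitle:%JobTitle% URL:%Url%'`.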