The following example describes a scenario in which MDR analysts modify a policy.

  1. A suspicious file carries out system enumeration, C2 beaconing, and attempts to obtain persistence on the system.
  2. MDR analysts review the behavior and find that the file performed host enumeration, process injection, and registry modifications, and attempted to beacon out to known C2 infrastructure.
  3. MDR analysts create a cloned policy from an existing policy, then modify the clone to block the malicious file. The modified policy restricts process injection and registry modifications and prevents beaconing activity.
    Example Policy Rules:
    **\temp\**\*5sjcdhl.xlsx → Injects code or modifies memory of another process → Terminate process
    **\temp\**\*5sjcdhl.xlsx → Invokes a command interpreter → Terminate process
    **\temp\**\*5sjcdhl.xlsx → Communicates over the network → Terminate process
    **\temp\**\*5sjcdhl.xlsx → Runs or is running → Terminate process
  4. MDR analysts block the malicious file 5sjcdhl.xlsx from performing the listed actions on assets within that policy.
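The rules above pair a path glob, a behavior, and an action. As an added illustration (not the product's own matching engine), the following Python evaluates rules of that shape against constructed process events: `**\` is treated as zero or more whole path segments, `*` as a wildcard within one segment, and matching is case-insensitive as Windows paths are. The event paths and the first-match-wins semantics are assumptions made for this example.

```python
import re
from typing import Optional

# Rules from the scenario: (path glob, behavior, action).
POLICY_RULES = [
    (r"**\temp\**\*5sjcdhl.xlsx", "Injects code or modifies memory of another process", "Terminate process"),
    (r"**\temp\**\*5sjcdhl.xlsx", "Invokes a command interpreter", "Terminate process"),
    (r"**\temp\**\*5sjcdhl.xlsx", "Communicates over the network", "Terminate process"),
    (r"**\temp\**\*5sjcdhl.xlsx", "Runs or is running", "Terminate process"),
]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a policy path glob into an anchored, case-insensitive regex.

    '**\\' matches zero or more complete path segments (including the drive),
    a bare '**' matches anything, and '*' matches only within one segment.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**\\", i):
            out.append(r"(?:[^\\]*\\)*")   # any number of whole segments
            i += 3
        elif pattern.startswith("**", i):
            out.append(r".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")          # stays inside one segment
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def evaluate(path: str, behavior: str, rules=POLICY_RULES) -> Optional[str]:
    """Return the action of the first rule whose glob and behavior both match,
    or None when no rule applies (the event is allowed)."""
    for pattern, rule_behavior, action in rules:
        if rule_behavior == behavior and glob_to_regex(pattern).match(path):
            return action
    return None


if __name__ == "__main__":
    # Constructed sample events, not real telemetry.
    events = [
        (r"C:\Users\alice\AppData\Local\Temp\x5sjcdhl.xlsx", "Communicates over the network"),
        (r"C:\temp\report.xlsx", "Communicates over the network"),
    ]
    for path, behavior in events:
        print(f"{path} | {behavior} -> {evaluate(path, behavior) or 'allow'}")
```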