---
title: "Modeling File Behavior | ThreatConnect"
slug: "modeling-file-behavior"
description: "This article discusses how to view a File Indicator's behavior model, defines the various behavior types, and describes how to create File Indicator behavior associations."
tags: ["Connecting Data"]
updated: 2023-04-19T13:20:15Z
published: 2023-04-19T13:20:15Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Modeling File Behavior

## Overview

File Indicators can model a special Indicator-to-Indicator association, which is based on their behavior once opened. These associations can be used to model the fact that malware may contain and create additional files or communicate with network devices. This behavior can be modeled on a File Indicator’s [**Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen).

## Before You Start

| Minimum Role(s) | - Organization role of Read Only User (to view modeled file behavior) - Organization role of Standard User (to model file behavior) |
| --- | --- |
| Prerequisites | A [File Indicator](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model) |

## Viewing a File Indicator’s Behavior Model

1. [Navigate to the legacy **Details**screen](https://knowledge.threatconnect.com/docs/the-details-screen-legacy#viewing-the-legacy-details-screen) for a File Indicator.
2. Click the **Behavior** tab. The **Behavior**screen will be displayed (Figure 1).

![Graphical user interface, application Description automatically generated](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_Modeling%20File%20Behavior_7.1.0.png)

## Modeling Behavior

File behavior is represented as a tree, with each branch consisting of one of seven Indicator types:

- **File Archive**: This File Indicator contains other File Indicators.
- **File Drop**: This File Indicator creates another File Indicator.
- **File Traffic**: This File Indicator communicates with a Host, Address, or URL Indicator.
- **File DNS Query**: This File Indicator attempts to retrieve the DNS record for a Host Indicator.
- **File Mutex**: This File Indicator creates a Mutex Indicator.
- **File Registry Key**: This File Indicator creates a Registry Key Indicator.
- **File User Agent**: This File Indicator creates a User Agent Indicator.

## Creating an Association

1. Click **Add****![Icon Description automatically generated](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Add%20icon_Modeling%20File%20Behavior.png)**to the left of a branch name (Figure 1). A **New…**button will be displayed to the right of the selected branch (Figure 2).

![Graphical user interface, application Description automatically generated](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_Modeling%20File%20Behavior_7.1.0.png)
2. Click the **New…**button. The **Select an Indicator**window will be displayed (Figure 3).

![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_Modeling%20File%20Behavior_7.1.0.png)
  - Select one or more Indicators to associate to the primary File Indicator. If desired, use the **Type**selector and **Filter**box to filter Indicators by type and summary, respectively.
  - Click the **SAVE** button.

The new association will be displayed (Figure 4). Note that File behavior can be nested; that is, a dropped File Indicator can subsequently have its own behavior, which will be reflected in the model.

![Graphical user interface, application Description automatically generated](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_Modeling%20File%20Behavior_7.1.0.png)

---

*ThreatConnect® is a registered trademark of ThreatConnect, Inc.*

20028-01 v.08.D

## Related

- [Associations](/associations.md)