The User Threat Quotient (UTQ) report provides security intelligence to an administrator, and gives them information on the risky users who are posing security threats on the organization’s network.
Sophos XG Firewall (SF) calculates the UTQ score of each user based on the following two criteria:
UTQ help administrators to:
Given below are the terms and icons used in UTQ, along with their meanings:
UTQ can be viewed in different date ranges:
UTQ displays up to 100 risky users for the last 7 days by default, along with their Relative Threat Score and Relative Risk Ranking.
The following sections are covered:
Applies to the following Sophos products and versions Sophos Firewall
This article explains how to view UTQ reports for a particular user.
The UTQ is calculated at the end of the day (at 11:59:59 PM). Meaning, to view the UTQ report for the current day, you need to wait until the day is over.
You must be logged in to the Admin Console as an administrator with Read-Write permissions for the relevant feature(s).
You can view the UTQ score and reports for a particular user by following the instructions below.
Go to Reports > Dashboards. In the Show field, click on the drop-down menu and then select User Threat Quotient (UTQ). The Dashboard is displayed in the form of a bubble graph and a table. The bubble graph is plotted between Relative Risk Ranking and Relative Threat Score; the bubble represents a user and the bubble size represents the Relative Threat posed by the user. Mouse over the bubble to display details like the Username, the Relative Threat Score and the Relative Risk Ranking of a user.
The bubble graph area is divided into three sections where:
Note: When the number of users for the selected date range is less than 20, all the users are displayed as Blue bubbles and the sections mentioned above are not displayed.
The table contains the following information:
In this example, the UTQ reports for the user with the highest threat score, Beta Draconis, is being viewed.
To view these reports for a particular user, navigate to Reports > Dashboards. In the Show field, click on the drop-down menu and then select User Threat Quotient (UTQ). Click on the bubble of a particular user or click on a user under the User column at the bottom of the page in order to view the report.
You can view the reports for the selected user, Advanced Threats, Detailed View ATP, Security Heartbeat ATP, High Risk Web Categories/ Domains, and Blocked High Risk Web Categories/Domains by accessing the relevant widgets from the screen shown above.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.