Interset UEBA lineage
Foundational UEBA product with deep behavioral analytics depth. Interset essentially defined the UEBA category before joining Micro Focus and OpenText.
OpenText • Security operations
OpenText Core Behavioral Signals
Core Behavioral Signals carries the Interset UEBA lineage with user and entity behavioral analytics scoring insider threat, account compromise, and anomalous access, with native correlation into Core Threat Detection and Response and Enterprise Security Manager.
A Merito Core Behavioral Signals engagement integrates Interset UEBA with the customer's identity store, plans the baseline learning period against actual periodic activity (quarter-end close, year-end HR cycles), and wires scoring into Core TDR or ESM so the SOC catches insider threat rather than chases anomalies.
- Best for
- SOC leaders adding UEBA to existing SIEM for insider threat and account compromise detection, Identity security architects integrating UEBA with NetIQ identity infrastructure, Threat hunting teams using behavioral scoring as a hunt input
- Hosting
- Hybrid
- Time to value
- Initial UEBA learning period of two to four weeks before scoring stabilizes. Tuned baselines and integrated SOC operations live in six to ten weeks. Enterprise rollout typically runs three to nine months.
- Security posture
- GDPR, HIPAA-aligned design, SAML SSO
- Last reviewed
- 2026-04-26
What it is
OpenText Core Behavioral Signals in the enterprise stack
Core Behavioral Signals carries the Interset UEBA lineage. Interset built one of the foundational user and entity behavioral analytics products before Micro Focus acquired it in 2019; OpenText now ships the engine as Core Behavioral Signals inside the Cybersecurity SecOps line. The product baselines normal user and entity behavior, scores deviations, and surfaces patterns consistent with insider threat, account compromise, anomalous data access, and lateral movement.
UEBA baselines are the load-bearing capability. The product builds behavioral baselines per user and per entity (machine accounts, service accounts, devices) over a learning period, then scores live activity against the baseline. Deviations get flagged with risk scores; the SOC investigates the high-scoring users and entities. Programs that adopt UEBA without a learning period or with too-aggressive thresholds generate noise that the SOC ignores; programs with disciplined baselining catch real insider threat and account compromise.
Cross-product correlation with the SecOps line is the platform claim. Behavioral scoring feeds into Core Threat Detection and Response (SaaS SIEM) and Enterprise Security Manager (on-prem SIEM) for SOC investigation, and pulls signal from Network Detection and Response and identity systems for richer baselines. Programs running Core Behavioral Signals standalone get UEBA scoring; programs running it inside the OpenText SecOps line get UEBA-augmented SOC operations.
What undermines UEBA adoption is poor identity hygiene. UEBA is only as good as the identity store feeding it. Programs with stale provisioning, shared service accounts, and unmanaged contractor access generate UEBA baselines that look chaotic regardless of actual threat. The right pattern is to fix identity hygiene first (NetIQ Identity Manager, Identity Governance, Privileged Access Manager) and then layer UEBA on top. Merito's engagement scopes both sides honestly.
Ideal use cases
- Insider-threat detection for regulated and high-sensitivity environments
- Account compromise detection through behavioral baselining
- Anomalous data access scoring on regulated stores
- UEBA signal correlated into Core TDR or Enterprise Security Manager SOC operations
- Identity-aware behavioral analytics integrated with NetIQ identity infrastructure
What it is best at
Where OpenText Core Behavioral Signals earns its seat
User and entity baselining
Per-user and per-entity behavioral baselines (machine accounts, service accounts, devices) for richer scoring than user-only UEBA.
Native correlation with OpenText SecOps line
Behavioral scoring feeds Core Threat Detection and Response, Enterprise Security Manager, and pulls signal from NDR and identity systems for richer baselines.
Identity-aware analytics
Native integration with NetIQ Identity Manager, Identity Governance, and Privileged Access Manager for identity-aware UEBA.
Hybrid deployment
SaaS, on-prem, and BYOC editions for programs running mixed cloud and on-prem SOC architectures.
Core capabilities
OpenText Core Behavioral Signals capabilities, grouped by outcome
Behavioral analytics
What Interset UEBA actually does on user and entity behavior.
User behavioral baselining
Per-user behavioral baselines built over a learning period. Live activity scored against baseline.
Entity behavioral baselining
Per-entity baselines for machine accounts, service accounts, and devices. Catches non-human anomalies user-only UEBA misses.
Risk scoring
Scored deviations with risk-level annotation for SOC triage.
Pattern detection
Insider threat, account compromise, anomalous data access, lateral movement, and other UEBA pattern detection.
Identity-aware analytics
UEBA grounded in identity store reality.
NetIQ identity integration
Native integration with NetIQ Identity Manager, Identity Governance, and Privileged Access Manager for identity-aware baselining.
Privileged-account analytics
Per-account behavioral analytics on privileged accounts where account compromise has the highest impact.
Service-account behavior
Behavioral baselines on service accounts and machine identities for unattended-process anomaly detection.
Integration and operations
UEBA inside the SOC operating model.
SIEM integration
Behavioral scoring feeds Core Threat Detection and Response and Enterprise Security Manager investigations.
NDR signal enrichment
NDR traffic patterns enrich entity baselines.
Threat-intel enrichment
OpenText Threat Intelligence and Adversary Signals provide context for UEBA scoring.
Compliance reporting
Insider-threat program reporting and audit-ready evidence for regulated mandates.
Where it fits in the stack
How OpenText Core Behavioral Signals connects to the rest of your landscape
OpenText SecOps and IAM (native)
Native- OpenText Core Threat Detection and ResponseUEBA scoring feeds SaaS SIEM investigations.
- OpenText Enterprise Security ManagerUEBA scoring feeds on-prem SIEM investigations.
- OpenText Network Detection and ResponseNDR traffic patterns enrich entity baselines.
- OpenText Identity Manager and Identity GovernanceIdentity-store integration for identity-aware UEBA.
- OpenText Privileged Access ManagerPrivileged-account behavioral analytics.
Identity and log sources (certified)
Certified- Active Directory, Azure AD/Entra ID, LDAPDirectory-source integration for user and entity baselining.
- Cloud audit logs (AWS, Azure, GCP)Cloud-native log ingestion for behavioral analytics.
- EDR (CrowdStrike, SentinelOne, Microsoft Defender)Endpoint signal correlation.
Custom integrations
Custom- Internal identity stores and proprietary applicationsCustom log ingestion and identity-store integration for non-standard environments.
- Custom SOAR and response workflowsUEBA-driven response playbooks and SOAR integration.
- Insider-threat program reportingCustomer-specific insider-threat program reporting and audit-ready evidence.
Deployment and implementation
How it rolls out
- Hosting
- Hybrid (North America, EMEA, APJ)
- Implementation complexity
- High
- Typical time to value
- Initial UEBA learning period of two to four weeks before scoring stabilizes. Tuned baselines and integrated SOC operations live in six to ten weeks. Enterprise rollout typically runs three to nine months.
- Prerequisites
- Identity store inventory and hygiene assessment
- Log source mapping for behavioral baselining
- Named SOC and identity security owner
- Learning-period and tuning policy
- Integration plan with Core TDR or Enterprise Security Manager
- What Merito usually handles
- Core Behavioral Signals runs as SaaS, on-prem, or BYOC. Merito handles identity-store integration, learning-period planning, baseline tuning, and SecOps line integration.
Licensing and packaging
How it is bought
- Model
- Subscription
- What to expect
- OpenText Core Behavioral Signals is licensed by user and entity count, log volume, and deployment shape. Pricing depends on baseline scope and SecOps line integration. License acquisition flows through Merito; the UEBA program scopes under a separate engagement.
- Editions and modules
Core Behavioral Signals SaaS
SaaS-deployed UEBA with cloud-native scaling.
Best for: Cloud-native SOCs running OpenText SecOps line in SaaS.
Core Behavioral Signals on-prem
On-prem UEBA paired with Enterprise Security Manager.
Best for: Regulated programs running ESM on-prem.
Core Behavioral Signals hybrid
Mixed cloud and on-prem UEBA.
Best for: Programs running mixed SOC architecture.
- Common expansion areas
- Add Core Threat Detection and Response or Enterprise Security Manager for SIEM integration
- Add Network Detection and Response for traffic-pattern enrichment
- Add NetIQ Identity Manager and Identity Governance for identity-aware UEBA
- Add Privileged Access Manager for privileged-account behavioral analytics
Merito services
How Merito helps you win with OpenText Core Behavioral Signals
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
01
Core Behavioral Signals Implementation
Identity-store integration, learning-period planning, baseline tuning, SecOps line integration.
Explore service02MAPS Assessment
SOC and insider-threat program scoping for Core Behavioral Signals alongside Exabeam, Securonix, and Splunk UBA.
Explore service03DevOps Consulting
UEBA-driven response automation and SOC workflow integration.
Explore service04Premium Support
Named engineer, priority SLAs, and release-time coverage for Core Behavioral Signals.
Explore service05Managed Services
Long-term run support including baseline tuning, identity-store integration maintenance, and SOC operating-model evolution.
Explore service06Training and Enablement
Role-based training for SOC analysts, detection engineers, and identity security architects.
Explore service07Staff Augmentation
Merito-placed SOC engineers and OpenText specialists embedded on long-running programs.
Explore serviceOpenText Core Behavioral Signals licensing
License the UEBA. Fix the identity hygiene first. Same engagement.
Core Behavioral Signals pricing arrives with identity-store integration, baseline tuning, learning-period planning, and SecOps line integration that turn UEBA into real insider-threat detection rather than a chaotic baseline driven by stale provisioning.
Merito point of view
UEBA is only as good as the identity store feeding it.
Merito has audited UEBA programs that ran chaotic baselines because the identity store was full of stale provisioning, shared service accounts, and unmanaged contractor access. The fix is identity hygiene, not better UEBA. Programs that fix identity through NetIQ Identity Manager, Identity Governance, and Privileged Access Manager first and then layer Core Behavioral Signals on top get UEBA that catches real insider threat. Programs that adopt UEBA without identity hygiene generate noise the SOC ignores.
Merito recommends Core Behavioral Signals specifically for programs running OpenText SecOps line and OpenText IAM, when insider-threat and account compromise are real program drivers, and when identity hygiene is in scope. For programs picking specialist UEBA depth, Exabeam and Securonix are competitive depending on the program shape. Merito surfaces those alternatives honestly during scoping.
The learning period is non-negotiable. UEBA baselines built over too short a window generate false-positive volumes during normal periodic activity (quarter-end financial close, year-end HR cycles, holiday-season retail patterns). Merito treats the two-to-four-week learning period as central work in the implementation rather than a checkbox.
What buyers usually underestimate
- Adopting UEBA without identity hygiene, generating chaotic baselines.
- Skipping the learning period and running UEBA against pristine baselines that miss periodic patterns.
- Treating UEBA scoring as autonomous rather than as input to SOC investigation.
- Adopting UEBA without integration into Core TDR or Enterprise Security Manager, isolating the signal.
- Running UEBA on user accounts only and missing entity (service-account, machine) anomalies.
Related from Merito
Continue exploring OpenText Core Behavioral Signals on Merito
Related solutions
Related services
Related products
- OpenText Core Threat Detection and ResponseSaaS SIEM that consumes UEBA scoring for SOC investigations.
- OpenText Enterprise Security ManagerOn-prem SIEM paired with UEBA for regulated SOC operations.
- OpenText Identity ManagerIdentity-store integration for identity-aware UEBA.
- OpenText Privileged Access ManagerPrivileged-account behavioral analytics.
- OpenText Cybersecurity (vendor portfolio)Full OpenText Cybersecurity catalog across AppSec, IAM, SecOps, Data Security, and DFIR.
Frequently Asked Questions
OpenText Core Behavioral Signals FAQs
Consultation request
Talk to Merito about OpenText Core Behavioral Signals
Share your identity infrastructure, current SOC, and insider-threat program posture. A Merito OpenText specialist follows up within one business day.
Interset lineage
Foundational UEBA depth
Interset essentially defined the UEBA category. Behavioral analytics on users and entities.
Identity-aware
NetIQ identity integration
Native integration with NetIQ Identity Manager and Privileged Access Manager for identity-aware UEBA.
Next step
Fix identity hygiene before layering UEBA on top.
A Merito Core Behavioral Signals engagement scopes identity hygiene alongside UEBA deployment. Programs that adopt UEBA without identity discipline generate noise the SOC ignores.