This section describes how to integrate a Carbon Black EDR server with the Microsoft Enhanced Mitigation Experience Toolkit (EMET). EMET is designed to detect and protect against common attack techniques and actions.
Beginning with Windows 10 version 1709 (Fall Creators Update), also known as Redstone 3, Microsoft replaced EMET with Windows Defender Exploit Guard. Microsoft also announced that EMET reached end of life on July 31, 2018.
Integrating EMET into the Carbon Black EDR environment gives you a single place to go investigate attacks detected and stopped by EMET, while taking advantage of the additional visibility provided by Carbon Black EDR.
When EMET events become part of the Carbon Black EDR database, you can search for them, use them to trigger alerts, and perform process analysis to understand the relationships between an EMET event and other events on one or more endpoints in your organization, including the timeline of those relationships. In addition, EMET events can become part of the syslog output from the Carbon Black EDR server.
- This documentation uses the term “EMET event” to indicate the case where EMET detects an exploit attempt. It uses the term “EMET configuration” to indicate the protections enabled by EMET for that process.
- EMET features and terminology are not detailed in this document. If you need more information about EMET, see the documentation provided by Microsoft.
- Proper functioning of this integration assumes EMET is installed and configured per Microsoft recommendations. EMET 5.x versions should be compatible.
- Reporting of EMET events to Carbon Black EDR requires that the Windows Event Log be selected as one of the Reporting options in the EMET interface on the host.
By default, EMET-enabled sensors report EMET events and configuration to the Carbon Black EDR server. The integration does not require interaction with another server. For any reporting sensor, this information appears in several places in the Carbon Black EDR console:
- On the Search Processes page , you can search for processes for which an EMET mitigation occurred and/or processes whose sensor has EMET protection enabled. See “Process Search and Analysis” in the VMware Carbon Black EDR User Guide.
- On the Process Analysis page, EMET events are displayed and labeled in the table of events. EMET settings that are specific to the current process on the reporting sensor are included. See “Process Search and Analysis” in the VMware Carbon Black EDR User Guide.
- On the Sensor Details page, the general EMET configuration (if any) is shown. See “Managing Sensors” in the VMware Carbon Black EDR User Guide.
To further enhance the EMET integration, you can enable the EMET Protection Feed on the Threat Intelligence Feeds page (see “Threat Intelligence Feeds” in the VMware Carbon Black EDR User Guide). This does not actually enable/disable delivery of events from sensors, but it does enable you to do the following:
- Create alerts based on EMET events and manage them on the Triage Alerts page.
- Specify delivery of an email alert when an EMET event occurs.
- Include EMET events in the syslog output from your Carbon Black EDR server.