removed references to CAR analytics

implementations/bzar/bzar_dce-rpc.bro

@@ -18,9 +18,6 @@ export
 	# 
 	# Relevant ATT&CK Technique(s):
 	#    T1003 Credential Dumping
-	#
-	# Relevant Cyber Analytic(s):
-	#    CAR-2014-05-001 RPC Activity
 
 	const rpc_credential_access : set[string] =
 	{
@@ -38,9 +35,6 @@ export
 	# Relevant ATT&CK Technique(s):
 	#    T1070 Indicator Removal on Host
 	#
-	# Relevant Cyber Analytic(s):
-	#    CAR-2014-05-001 RPC Activity
-	#    CAR-2016-04-002 User Activity from Clearing Event Logs
 
 	const rpc_defense_evasion : set[string] =
 	{
@@ -78,11 +72,6 @@ export
 	#    T1087 Account Discovery
 	#    T1124 System Time Discovery
 	#    T1135 Network Share Discovery
-	#
-	# Relevant Cyber Analytic(s):
-	#    CAR-2013-04-002 Quick Execution Series of Suspicious Commands
-	#    CAR-2014-05-001 RPC Activity
-	#    CAR-2016-03-001 Host Discovery Commands
 
 	const rpc_discovery : set[string] =
 	{
@@ -185,13 +174,6 @@ export
 	#    T1047 Windows Management Instrumentation
 	#    T1053 Scheduled Tasks
 	#
-	# Relevant Cyber Analytic(s):
-	#    CAR-2014-03-005 Remotely Launched Executables via Services
-	#    CAR-2014-05-001 RPC Activity
-	#    CAR-2014-11-007 Remote Windows Management Instrumentation (WMI) over RPC
-	#    CAR-2014-12-001 Remotely Launched Executables via WMI
-	#    CAR-2015-04-001 Remotely Scheduled Tasks via AT
-	#    CAR-2015-04-002 Remotely Scheduled Tasks via Schtasks
 
 	const rpc_execution : set[string] = 
 	{
@@ -222,8 +204,6 @@ export
 	#    T1004 Winlogon Helper DLL
 	#    T1013 Port Monitors
 	#
-	# Relevant Cyber Analytic(s):
-	#    CAR-2014-05-001 RPC Activity
 
 	const rpc_persistence : set[string] = 
 	{

implementations/bzar/bzar_smb.bro

@@ -20,11 +20,6 @@ export
 	#    T1077 Windows Admin Shares [File Shares Only]
 	#    T1105 Remote File Copy
 	#
-	# Relevant Cyber Analytic(s):
-	#    CAR-2013-01-003: SMB Events Monitoring
-	#    CAR-2013-04-002: Quick Execution Series of Suspicious Commands
-	#    CAR-2013-05-003: SMB Write Request
-	#    CAR-2013-05-005: SMB Copy and Execution
 
 	const smb_admin_file_shares : set[string] = 
 	{

implementations/bzar/main.bro

@@ -87,17 +87,6 @@ event bro_init()
 	#       would confirm the file was actually written to the 
 	#       remote destination.  Unfortuantely, Bro/Zeek does 
 	#       not have an event for that SMB message-type yet.
-	# 
-	# Relevant Cyber Analytic(s):
-	#    CAR-2013-01-003 SMB Events Monitoring
-	#    CAR-2013-05-003 SMB Write Request
-	#    CAR-2013-05-005 SMB Copy and Execution
-	#    CAR-2014-05-001 RPC Activity
-	#    CAR-2015-04-001 Remotely Scheduled Tasks via AT
-	#    CAR-2015-04-002 Remotely Scheduled Tasks via Schtasks
-	#    CAR-2014-03-005 Remotely Launched Executables via Services
-	#    CAR-2014-11-007 Remote Windows Management Instrumentation (WMI) over RPC
-	#    CAR-2014-12-001 Remotely Launched Executables via WMI
 	#
 	# Globals (defined in main.bro above):
 	#    bzar1_epoch
@@ -152,10 +141,6 @@ event bro_init()
 	# Relevant Indicator(s) Detected by Bro/Zeek:
 	#    (a) smb1_tree_connect_andx_request::c$smb_state$path contains ADMIN$ or C$
 	#    (b) smb2_tree_connect_request::c$smb_state$path contains ADMIN$ or C$
-	# 
-	# Relevant Cyber Analytic(s):
-	#    CAR-2013-01-003 SMB Events Monitoring
-	#    CAR-2013-04-002 Quick execution of a series of suspicious commands
 	#
 	# Globals (defined in main.bro above):
 	#    bzar2_epoch
@@ -208,11 +193,6 @@ event bro_init()
 	# Relevant Indicator(s) Detected by Bro/Zeek:
 	#    (a) dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains 
 	#        any of the following: (see BZAR::rpc_dicsovery set).
-	# 
-	# Relevant Cyber Analytic(s):
-	#    CAR-2013-04-002 Quick execution of a series of suspicious commands
-	#    CAR-2014-05-001 RPC Activity
-	#    CAR-2016-03-001 Host Discovery Commands
 	#
 	# Globals (defined in main.bro above):
 	#    bzar3_epoch