We are extracting MITRE TTPS from SPLUNK ES from notable events or correlation searches and mapped in Splunk profiles. And showing in Security incident response form under MITRE ATTCK card related tabs using BR.
Now we want to show the difference of used and unused MITRE TTPS like
Show techniques not yet triggered or mapped.
Unused TTPs = All MITRE TTPs - Used TTPs
These unused TTPS should be displayed on ServiceNow MITRE dashboard.
