About Kanvas

A simple-to-use IR (incident response) case management tool for tracking and documenting investigations.

Platforms

Web Self-hosted

Languages

Python


Kanvas

KANVAS is an IR (incident response) case management tool with an intuitive desktop interface, built using Python. It provides a unified workspace for investigators working with SOD (Spreadsheet of Doom) or similar spreadsheets, enabling key workflows to be completed without switching between multiple applications.

✨ Key Features

🎲 Case Management

  • Built on the SOD (Spreadsheet of Doom): All data remains within the spreadsheet, making distribution and collaboration simple - even outside the application.
  • Multi-User support: Files can reside on local machines or shared drives, enabling active collaboration among multiple investigators. File locking ensures that editing is properly managed and conflicts are avoided.
  • One-Click Sanitize: Allows spreadsheet data - such as domains, URLs, IP addresses, etc. - to be sanitized with a single click, making it easy to share and store.

[!TIP] The SOD template is slightly modified. Use the included sod.xlsx file from the package.

📊 Data Visualization

  • 📌Attack Chain Visualization: Visualizes lateral movement for quick review of the adversary’s attack path. The re-draw options help display the diagram in multiple ways.
  • 📌Incident Timeline: The incident timeline is presented in chronological order, helping investigators quickly understand the sequence and timing of the overall incident.
  • 📌MITRE Flow Builder: Lets you visualize & share sequences of adversary actions. You can populate flows with attacker TTPs, then link them to map the sequence of techniques seen during an incident.
  • Export for Reporting: The lateral movement & timeline visualizations can be exported as image files or CSV, allowing direct use in presentations or investigation reports.

[!TIP] Ensure the following column names exist and match exactly if you're using your own spreadsheet.

SOD Spreadsheets/
├── Timeline/
│   ├── Timestamp_UTC_0
│   ├── EvidenceType
│   ├── Event System
│   ├── <->
│   ├── Remote System
│   ├── MITRE Tactic
│   ├── MITRE Techniques
│   └── Visualize
└── Systems/
    ├── HostName
    ├── IPAddress
    └── SystemType
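As an added example (not code from the Kanvas project), a small Python check that a custom SOD workbook carries exactly the sheet and column names listed above, reporting case or whitespace near misses separately because the tool requires exact matches; `load_headers` assumes the openpyxl package is installed, while `check_headers` works on any dict of header rows.

```python
"""Check that a SOD-style workbook has the sheets and column headers Kanvas expects."""
from typing import Dict, Iterable, List

# Required sheet -> header names, as listed in the README tree above.
REQUIRED_COLUMNS: Dict[str, List[str]] = {
    "Timeline": ["Timestamp_UTC_0", "EvidenceType", "Event System", "<->",
                 "Remote System", "MITRE Tactic", "MITRE Techniques", "Visualize"],
    "Systems": ["HostName", "IPAddress", "SystemType"],
}

def check_headers(workbook: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Return {sheet: [problems]} for sheets that are missing or have bad headers.
    `workbook` maps sheet name -> header row. An empty result means the file is OK.
    Matching is exact; case/whitespace near misses are reported so the user sees why."""
    problems: Dict[str, List[str]] = {}
    for sheet, required in REQUIRED_COLUMNS.items():
        if sheet not in workbook:
            problems[sheet] = ["sheet missing"]
            continue
        present = list(workbook[sheet])
        issues = []
        for col in required:
            if col in present:
                continue
            near = [p for p in present if p.strip().lower() == col.lower()]
            if near:
                issues.append(f"column '{col}' found as '{near[0]}' (name must match exactly)")
            else:
                issues.append(f"column '{col}' missing")
        if issues:
            problems[sheet] = issues
    return problems

def load_headers(path: str) -> Dict[str, List[str]]:
    """Read the first row of every sheet with openpyxl (assumed to be installed)."""
    import openpyxl  # imported here so check_headers runs without the dependency
    wb = openpyxl.load_workbook(path, read_only=True)
    first_rows = {}
    for ws in wb.worksheets:
        row = next(ws.iter_rows(min_row=1, max_row=1, values_only=True), ())
        first_rows[ws.title] = [str(c) for c in row if c is not None]
    return first_rows

# Constructed sample header rows: one case mismatch and one missing column.
SAMPLE_WORKBOOK = {
    "Timeline": ["Timestamp_UTC_0", "EvidenceType", "Event System", "<->",
                 "Remote System", "MITRE Tactic", "Mitre Techniques", "Visualize"],
    "Systems": ["HostName", "IP Address", "SystemType"],
}
```

Run `check_headers(load_headers("my_sod.xlsx"))` against your own file; an empty dict means every required sheet and column was found.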

👀 Threat Intelligence Lookups

  • IP Reputation: IP reputation, geolocation, open ports, known vulnerabilities, and more using various API integrations.
  • Domain / URL Insights: WHOIS data, DNS records, and more using various API integrations.
  • File Hash Insights: Lookup binary file insights on various platforms based on hash values.
  • CVE Insights: Information on known exploit usage based on CISA and other vulnerability intelligence sources.
  • Email Insights: Information on whether the email address has appeared in any known data breaches.
  • 📌Ransomware Victim: Verify if a customer or organization’s data has been published online following a ransomware attack.

[!TIP] Configure API keys, such as those for VirusTotal, Shodan, and other services, before using the lookup features.

🛡️ Security Framework Mapping

  • MITRE ATT&CK Mapping: Provides up-to-date MITRE tactics and techniques for mapping adversary activities.
  • 📌MITRE D3FEND Mapping: Helps map defense strategies based on the identified ATT&CK techniques. This is especially useful when responding to an incident from a defender’s perspective.
  • V.E.R.I.S. Reporting: Provides an interface to track VERIS data, which can be shared post-incident with various government entities and contribute to the Verizon Data Breach Report.

📝 One-Click Report Generation

  • 📌HTML report: The report is generated as a single, self-contained HTML file. All images are Base64-encoded and embedded directly within the document, so there is no need to manage or share separate image files; one HTML file is all you need.
  • Report Contents: Incident Timeline, Lateral Movement, Diamond Model, Investigation Summary, Security Recommendations, and more.

[!TIP] The overall size of the HTML report may vary depending on the number of images included, particularly those used in the recommendation (.md) and the investigation summary (.md).

📑 Knowledge Management

  • Bookmarks: Offers a curated list of security tools, an up-to-date list of Microsoft portal URLs, and the ability to create custom investigation-specific bookmarks.
  • 📌Markdown Editor: Provides an interface to create and update Markdown documents—ideal for note-taking or loading investigative playbooks during investigations.
  • Event ID Reference: Consolidates Windows Event IDs in one place, organized by categories like persistence, lateral movement, and more—making it easy to cross-reference during investigations.
  • MS Entra ID Reference: Provides a searchable list of known and malicious Microsoft Entra ID AppIDs—useful for investigating Business Email Compromise (BEC) cases.
  • Living Off the Land Binaries: Provides a searchable list of known Microsoft living-off-the-land (LOLBAS) binaries that threat actors have abused.
  • Microsoft Azure Portals: Provides a searchable list of constantly changing Microsoft Azure / Entra URLs, useful when responding to Azure cloud incidents.
  • DLL Hijacking: Provides a searchable list of DLL sideloading related information based on the HijackLibs project.

[!TIP] For easy access, keep all Markdown files in the markdown_files folder.

🚀 Installation

  1. Clone the Repository

    git clone https://github.com/WithSecureLabs/Kanvas.git
    cd Kanvas
  2. Create Virtual Environment

    # On Windows
    python3 -m venv venv
    venv\Scripts\activate

    # On macOS / Linux
    python3 -m venv venv
    source venv/bin/activate
  3. Install Dependencies

    pip3 install -r requirements.txt
  4. Run KANVAS

    python3 kanvas.py

[!IMPORTANT] When using the tool for the first time, ensure that you download the latest updates by clicking on Download Updates.

⚠️ Notes

  • The incident timeline logic only works if you’ve mapped the MITRE TTPs in the timeline sheet for each entry.
  • MITRE Flow Builder uses QT WebBrowser (Chromium-based). It may sometimes have performance issues, especially on Windows.

Acknowledgements