KANVAS is an IR (incident response) case management tool with an intuitive desktop interface, built using Python. It provides a unified workspace for investigators working with SOD (Spreadsheet of Doom) or similar spreadsheets, enabling key workflows to be completed without switching between multiple applications.
- Built on the SOD (Spreadsheet of Doom): All data remains within the spreadsheet, making distribution and collaboration simple—even outside the application.
- Multi-User support: Files can reside on local machines or shared drives, enabling active collaboration among multiple investigators. File locking ensures that editing is properly managed and conflicts are avoided.
- One-Click Sanitize: Allows spreadsheet data—such as domains, URLs, IP addresses, etc.—to be sanitized with a single click, making it easy to share and store.
Tip
The SOD template is slightly modified. Use the included sod.xlsx file from the package.
- 📌Attack Chain Visualization: Visualizes lateral movement for quick review of the adversary’s attack path. The re-draw options help display the diagram in multiple ways.
- 📌Incident Timeline: The incident timeline is presented in chronological order, helping investigators quickly understand the sequence and timing of the overall incident.
- Export for Reporting: The lateral movement and timeline visualizations can be exported as image files or CSV, allowing direct use in presentations or investigation reports.
Tip
Ensure the following column names exist and match exactly if you're using your own spreadsheet.
SOD Spreadsheets/
├── Timeline/
│ ├── Timestamp_UTC_0
│ ├── EvidenceType
│ ├── Event System
│ ├── <->
│ ├── Remote System
│ ├── MITRE Tactic
│ ├── MITRE Techniques
│ └── Visualize
└── Systems/
├── HostName
├── IPAddress
└── SystemType
- IP Reputation: IP reputation, geolocation, open ports, known vulnerabilities, and more using various API integrations.
- Domain / URL Insights: WHOIS data, DNS records, and more using various API integrations.
- File Hash Insights: Lookup binary file insights on various platforms based on hash values.
- CVE Insights: Information on known exploit usage based on CISA and other vulnerability intelligence sources.
- 📌Ransomware Victim: Verify if a customer or organization’s data has been published online following a ransomware attack.
Tip
Configure API keys such as VirusTotal, Shodan, and others—before using the lookup features.
- MITRE ATT&CK Mapping: Provides up-to-date MITRE tactics and techniques for mapping adversary activities.
- 📌MITRE D3FEND Mapping: Helps map defense strategies based on the identified ATT&CK techniques. This is especially useful when responding to an incident from a defender’s perspective.
- V.E.R.I.S. Reporting: Provides an interface to track VERIS data, which can be shared post-incident with various government entities and contribute to the Verizon Data Breach Report.
- 📌Bookmarks: Offers a curated list of security tool, an up-to-date list of Microsoft portal URLs, and the ability to create custom investigation-specific bookmarks.
- Event ID Reference: Consolidates Windows Event IDs in one place, organized by categories like persistence, lateral movement, and more—making it easy to cross-reference during investigations.
- Entra ID Reference: Provides a searchable list of known and malicious Microsoft Entra ID AppIDs—useful for investigating Business Email Compromise (BEC) cases.
- 📌Markdown Editor: Provides an interface to create and update Markdown documents—ideal for note-taking or loading investigative playbooks during investigations.
Tip
For easy access, keep all Markdown files in the markdown_files folder.
-
Clone the Repository
git clone https://github.com/WithSecureLabs/Kanvas.git cd Kanvas -
Create Virtual Environment
python3 -m venv venv venv\Scripts\activate
-
Install Dependencies
pip3 install -r requirements.txt
-
Run KANVAS
python3 kanvas.py
Important
When using the tool for the first time, ensure that you download the latest updates by clicking on Download Updates.
- Publicly disclosed ransomware victim data by Julien Mousqueton
- Microsoft First Party App Names & Graph Permissions by Merill Fernando
- Curated list of Microsoft portals by (Adam Fowler)