View on GitHub
437

Kanvas for Incident Response

KANVAS is a DF/IR case management tool inspired by the infamous Spreadsheet of Doom (SOD). Built with PySide6 (PyQt), it runs entirely on your machine, no web server, no setup, no infrastructure. Just download, launch and get to work.

Works with SOD (Spreadsheet of Doom) and similar spreadsheet formats
Supported Platforms

One-click report generation using Kanvas

Timeline, Lateral Movement, Diamond Model, Investigation summary, etc.

Incident Timeline

Automatically build timelines from Excel, segmented by days.

Lateral Movement

Visualize threat atatcker connections and movement paths .

MITRE D3FEND Mapping

Correlate detections with D3FEND matrix for mitigation.

MITRE Flow Builder

Visualize and share sequences of adversary actions.

External Lookups

Threat intel,VirusTotal, Shoden, vulnerability checks, etc.

Quick references

Knowledge base for LOLBAS, Event IDs, DDL sideloading, etc

User Interface
Features

UI & Key Workspace Features

Some of the key features and workflows are shown below. To view full details, please visit the GitHub page.

Incident Timeline

Building timelines from Excel manually? Nah, I’d rather wrestle a raccoon. At least that’s over faster.

  • Making it all automatic, not manual.
  • Only picking the interesting parts from the sheet (not everything).
  • Segmenting the timeline based on days (like Day 1, Day 2, etc.).
  • Quickly export to PNG or CSV for Reporting / Presentation.
Incident Timeline
Lateral Movement

Lateral movement

Trying to explain what’s going on without a visual? It's like describing a movie scene using just smoke signals. A timeline chart just makes life so much easier.

  • Automatically whip up the visualization.
  • Pick icons that match your system type.
  • Export the visualization in a snap.

MITRE D3FEND Mapping

Correlate MITRE ATT&CK detections with the D3FEND Matrix to mitigate threats identified during an investigation.

  • Containment: Quickly isolate tactics to check how well you’re containing threats based on attacker actions.
  • Post-Incident Improvement: Use D3FEND to review how the response went and get better for next time.
MITRE D3FEND Mapping
MITRE Flow Builder

MITRE Flow Builder

Flow Builder lets you visualize and share sequences of adversary actions. You can populate flows with attacker actions and context, then link them to map the sequence of techniques seen during an incident.

  • Add info about adversary TTP's & then draw connections to show the sequence of techniques used in an incident.
  • Help to embed interactive, pan-and-zoom flows in webpages, which makes sharing CTI stuff way easier.
  • Help to copy a selection as an image and paste it into Word or PowerPoint to quickly build reports and slides.
V.E.R.I.S. Summary

V.E.R.I.S. Summary

VERIS is basically a way to keep track of cybersecurity incidents in a simple, consistent way. It helps teams share info about what happened, how it happened, and the damage done so everyone can learn and improve security.

  • Standardized data collection for breach and security incidents.
  • Supports clear breach reporting with structured categories.
  • Helps to collaborate with other external entities, such as Verizon data breach reporting.

Markdown Files

Markdown files are simple text files where you write using easy formatting. They’re great for quickly making notes or writing how-to playbooks.

  • Helps to take notes during the investigation, internally or with customers.
  • Supports creating / loading “how-to investigate” type of documents during the investigation.
Markdown Files
External Lookups

External Lookups

The external lookup helps the investigator quickly search various threat intel feeds while responding to an incident.

  • IP / Domain / Email / File Reputation: Info on IP location, open ports, vulnerabilities, WHOIS, DNS data and Binary file details.
  • Entra ID Reference: Searchable list of malicious Microsoft Entra AppIDs for BEC cases.
  • Ransomware Victim: Checks if data is leaked after ransomware attacks.
  • CVE Insights: Known exploits from vulnerability databases.

Bookmarks

This helps to bookmark known sources, which will be useful during the investigation.

  • List the updated, well-maintained open-source free projects useful for DF/IR.
  • Create personal bookmarks instead of adding them to the usual web browser.
Bookmarks
Quick References

Quick references

It's hard to keep everything in your muscle memory during an investigation. This module helps you reference things quickly with shortcuts.

  • Event ID Reference: Windows Event IDs grouped for quick investigation.
  • Living Off the Land Binaries: If you find something suspicious, drop it in to see how threat actors have abused it in the wild.
  • Azure portals are constantly changing, which makes it hard to track—but understanding this is handy when responding to Azure cloud incidents.

STIX 2.0 Export

You’ve got all the IOCs in the SOD spreadsheet. What if we could export them in a way that’s easier to share.

  • The STIX export lets you export IOCs in STIX 2.1 JSON format.
  • Drop that straight into threat intelligence platforms like OpenCTI or MISP.
STIX 2.0 Export