Beyond the Spreadsheet of Doom: Master Your Incident Response with KANVAS

KANVAS is an IR (incident response) case management tool with an intuitive desktop interface, built using Python. It provides a unified workspace for investigators working with SOD (Spreadsheet of Doom) or similar spreadsheets, enabling key workflows to be completed without switching between multiple applications.

Key Features

Case Management

  • Built on the SOD (Spreadsheet of Doom): All data remains within the spreadsheet, making distribution and collaboration simple – even outside the application.
  • Multi-User support: Files can reside on local machines or shared drives, enabling active collaboration among multiple investigators. File locking ensures that editing is properly managed and conflicts are avoided.
  • One-Click Sanitize: Allows spreadsheet data – such as domains, URLs, IP addresses, etc. – to be sanitized with a single click, making it easy to share and store.
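
The sanitize step above amounts to "defanging" every indicator in the sheet so a shared copy cannot be clicked or resolved by accident. The following is an added example (not KANVAS code) that walks spreadsheet rows as dictionaries and rewrites IPv4 addresses, domains, URLs and e-mail addresses using the common analyst conventions (`hxxp`, `[.]`, `[@]`); those conventions, the column names and the sample rows are assumptions for illustration, not KANVAS's actual output format.

```python
"""Added example: one-click style IOC sanitisation over spreadsheet rows.

Conventions (hxxp, [.], [@]) are the usual analyst defanging style, assumed
here; they are not necessarily what KANVAS writes.
"""
import re

URL_SCHEME_RE = re.compile(r"\bhttp(s?)://", re.IGNORECASE)
EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-]+)@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Deliberately broad: also brackets file names such as "login.php", which is
# acceptable for defanging (over-bracketing is harmless, under-bracketing is not).
DOMAIN_RE = re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")


def defang(value):
    """Return `value` with every recognised indicator made non-clickable.

    Non-string cells (numbers, dates, None) pass through untouched.
    Order matters: e-mail before domain, so the domain part of an address is
    bracketed once and the "@" is caught while the dots are still intact.
    """
    if not isinstance(value, str):
        return value
    text = URL_SCHEME_RE.sub(lambda m: "hxxp" + m.group(1).lower() + "://", value)
    text = EMAIL_RE.sub(
        lambda m: m.group(1) + "[@]" + m.group(2).replace(".", "[.]"), text
    )
    text = IPV4_RE.sub(lambda m: m.group(0).replace(".", "[.]"), text)
    text = DOMAIN_RE.sub(lambda m: m.group(0).replace(".", "[.]"), text)
    return text


def sanitize_rows(rows, columns):
    """Return a new list of rows with the named columns defanged.

    The input rows are not modified, so the working copy of the sheet keeps
    live indicators while the shared copy is safe.
    """
    sanitized = []
    for row in rows:
        clean = dict(row)
        for col in columns:
            if col in clean:
                clean[col] = defang(clean[col])
        sanitized.append(clean)
    return sanitized


# Constructed sample rows in the shape of a lateral-movement tab (assumed layout).
SAMPLE_ROWS = [
    {"Time": "2024-05-01T10:22:03Z", "Source": "10.0.0.5", "Destination": "fs01.corp.example",
     "Notes": "Beacon to https://evil.example.com/login; phish from hr@evil.example.com"},
    {"Time": "2024-05-01T10:40:17Z", "Source": "fs01.corp.example", "Destination": "10.0.0.9",
     "Notes": 0},
]

if __name__ == "__main__":
    for row in sanitize_rows(SAMPLE_ROWS, ["Source", "Destination", "Notes"]):
        print(row)
```

Keep the defanged copy separate from the working sheet: analysts still need live values for lookups, and re-fanging bracketed indicators is error-prone.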

Data Visualization

  • Attack Chain Visualization: Visualizes lateral movement for quick review of the adversary’s attack path. The re-draw options help display the diagram in multiple ways.
  • Incident Timeline: The incident timeline is presented in chronological order, helping investigators quickly understand the sequence and timing of the overall incident.
  • MITRE Flow Builder: Lets you visualize & share sequences of adversary actions. You can populate flows with attacker TTPs, then link them to map the sequence of techniques seen during an incident.
  • Export for Reporting: The lateral movement & timeline visualizations can be exported as image files or CSV, allowing direct use in presentations or investigation reports.

Threat Intelligence Lookups

  • IP Reputation: IP reputation, geolocation, open ports, known vulnerabilities, and more using various API integrations.
  • Domain / URL Insights: WHOIS data, DNS records, and more using various API integrations.
  • File Hash Insights: Look up binary file insights on various platforms based on hash values.
  • CVE Insights: Information on known exploit usage based on CISA and other vulnerability intelligence sources.
  • Email Insights: Information on whether the email address has appeared in any known data breaches.
  • Ransomware Victim: Verify if a customer or organization’s data has been published online following a ransomware attack.

Security Framework Mapping

  • MITRE ATT&CK Mapping: Provides up-to-date MITRE tactics and techniques for mapping adversary activities.
  • MITRE D3FEND Mapping: Helps map defense strategies based on the identified ATT&CK techniques. This is especially useful when responding to an incident from a defender’s perspective.
  • V.E.R.I.S. Reporting: Provides an interface to track VERIS data, which can be shared post-incident with various government entities and contribute to the Verizon Data Breach Report.

One-Click Report Generation

  • HTML report: The report is generated as a single, self-contained HTML file. All images are Base64-encoded and embedded directly within the document, so there’s no need to manage or share separate image files; one HTML file is all you need.
  • Report Contents: Incident Timeline, Lateral Movement, Diamond Model, Investigation summary, Security recommendations, and more.
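
To make the "single self-contained HTML file" property concrete, here is an added example (not KANVAS code) that builds such a report: figures are turned into `data:` URIs, every text cell is HTML-escaped, and a final check confirms the document references no external resources. The report layout, section names and the tiny generated PNG are assumptions for illustration.

```python
"""Added example: self-contained HTML report with Base64-embedded images."""
import base64
import html
import re
import struct
import zlib


def make_png(width, height, rgb):
    """Build a minimal valid solid-colour PNG (stand-in for an exported figure)."""
    def chunk(tag, payload):
        body = tag + payload
        crc = zlib.crc32(body) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", crc)
    # One filter byte (0 = none) per scanline, then RGB triples.
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def to_data_uri(data, mime="image/png"):
    """Inline binary content so the HTML needs no sidecar files."""
    return f"data:{mime};base64," + base64.b64encode(data).decode("ascii")


def build_report(title, sections, figures):
    """sections: list of (heading, text); figures: dict name -> PNG bytes.

    Everything coming from the spreadsheet is escaped: report text often
    contains attacker-controlled strings (URLs, user agents, e-mail bodies),
    and an unescaped report would execute them in the reader's browser.
    """
    parts = [
        "<!doctype html><html><head><meta charset='utf-8'>",
        f"<title>{html.escape(title)}</title></head><body>",
        f"<h1>{html.escape(title)}</h1>",
    ]
    for heading, text in sections:
        parts.append(f"<h2>{html.escape(heading)}</h2><p>{html.escape(text)}</p>")
    for name, png in figures.items():
        parts.append(
            f"<h2>{html.escape(name)}</h2>"
            f"<img alt='{html.escape(name)}' src='{to_data_uri(png)}'>"
        )
    parts.append("</body></html>")
    return "\n".join(parts)


SRC_RE = re.compile(r"""src=['"]([^'"]+)['"]""")


def external_references(html_doc):
    """Return any src= values that are not inline data: URIs (should be empty)."""
    return [s for s in SRC_RE.findall(html_doc) if not s.startswith("data:")]


# Constructed sample content (assumed section names).
SAMPLE_SECTIONS = [
    ("Investigation summary", "Initial access via phish; lateral movement 10.0.0.5 -> fs01."),
    ("Security recommendations", "Rotate credentials for <svc_backup> and enforce MFA."),
]
SAMPLE_FIGURES = {"Incident Timeline": make_png(4, 2, (200, 30, 30))}

if __name__ == "__main__":
    doc = build_report("Case 2024-0001", SAMPLE_SECTIONS, SAMPLE_FIGURES)
    with open("report.html", "w", encoding="utf-8") as fh:
        fh.write(doc)
    print("external references:", external_references(doc))
```

The `external_references` check is worth running before a report leaves the team: a stray `src="https://…"` would make every reader's browser fetch that resource, which both leaks the fact that the report was opened and creates a dependency on a host the team does not control.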

Knowledge Management

  • Bookmarks: Offers a curated list of security tools, an up-to-date list of Microsoft portal URLs, and the ability to create custom investigation-specific bookmarks.
  • Markdown Editor: Provides an interface to create and update Markdown documents—ideal for note-taking or loading investigative playbooks during investigations.
  • Event ID Reference: Consolidates Windows Event IDs in one place, organized by categories like persistence, lateral movement, and more—making it easy to cross-reference during investigations.
  • MS Entra ID Reference: Provides a searchable list of known and malicious Microsoft Entra ID AppIDs—useful for investigating Business Email Compromise (BEC) cases.
  • Living Off the Land Binaries: Provides a searchable list of known Microsoft living-off-the-land (LOLBAS) binaries that threat actors have abused.
  • Microsoft Azure Portals: Provides a searchable list of constantly changing Microsoft Azure / Entra URLs, useful when responding to Azure cloud incidents.
  • DLL Hijacking: Provides a searchable list of DLL sideloading related information based on the HijackLibs project.

Install & Use
