Kanvas by WithSecureLabs

Incident response case management and investigation tool

Created 4 months ago
402 stars

Top 72.0% on SourcePulse

Project Summary

Kanvas is an incident response (IR) case management tool designed to streamline investigations by providing a unified desktop interface. It targets security analysts and incident responders, offering a centralized workspace that integrates data management, visualization, and threat intelligence, thereby reducing the need to switch between multiple applications and enhancing collaborative workflows.

How It Works

The core of Kanvas is built around a modified "Spreadsheet of Doom" (SOD) format, which serves as the central data repository. This approach simplifies data distribution and collaboration, even for users outside the application, and supports multi-user access with file locking to prevent conflicts. Key workflows are enhanced through integrated data visualizations, including attack chain mapping for lateral movement, chronological incident timelines, and a MITRE Flow Builder for visualizing adversary TTP sequences. Threat intelligence lookups are also integrated, allowing for quick analysis of IPs, domains, file hashes, and vulnerabilities.

Quick Start & Requirements

To install, clone the repository (git clone https://github.com/WithSecureLabs/Kanvas.git), navigate into the directory, create and activate a Python virtual environment, and install dependencies using pip3 install -r requirements.txt. Run the application with python3 kanvas.py. First-time users should click "Download Updates." Prerequisites include Python 3 and configured API keys for various threat intelligence services (e.g., VirusTotal, Shodan).

Highlighted Details

  • Case Management: Utilizes a modified "Spreadsheet of Doom" (SOD) for data storage, enabling straightforward distribution and multi-user collaboration with file locking.
  • Data Visualization: Features Attack Chain Visualization, Incident Timeline, and MITRE Flow Builder for mapping adversary actions and incident progression.
  • Threat Intelligence: Integrates lookups for IP reputation, domain/URL insights, file hash analysis, CVE data, email breach status, and ransomware victim verification.
  • Security Frameworks: Supports mapping to MITRE ATT&CK and MITRE D3FEND, with VERIS reporting capabilities.
  • Knowledge Management: Includes a bookmark manager, Markdown editor, LLM assistance integration, and searchable references for Windows Event IDs, Entra ID AppIDs, LOLBAS, and Microsoft Azure portals.

Maintenance & Community

Notable contributions are acknowledged from Julien Mousqueton, Merill Fernando, and Adam Fowler for specific features. No explicit community links (like Discord or Slack) or roadmap details are provided in the README.

Licensing & Compatibility

The specific open-source license is not explicitly stated in the provided README content.

Limitations & Caveats

The incident timeline functionality requires MITRE TTPs to be mapped within the timeline sheet for each entry. The MITRE Flow Builder relies on QT WebBrowser (Chromium-based) and may exhibit performance issues, particularly on Windows systems.

Health Check

  • Last Commit: 1 month ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 1
  • Issues (30d): 0
  • Star History: 27 stars in the last 30 days
