Kanvas for Incident Response

A DF/IR case management tool that provides a unified workspace for investigators, enabling key workflows to be completed without switching between multiple applications.

Works with SOD (Spreadsheet of Doom) and similar spreadsheet formats.

Features

UI & Key Workspace Features

Some of the key features and workflows are shown below. To view full details, please visit the GitHub page.

Incident Timeline

Building timelines from Excel manually? Nah, I’d rather wrestle a raccoon. At least that’s over faster.

  • Making it all automatic, not manual.
  • Only picking the interesting parts from the sheet (not everything).
  • Segmenting the timeline based on days (like Day 1, Day 2, etc.).
  • Quickly export to PNG or CSV for reporting / presentation.

Lateral movement

Trying to explain what’s going on without a visual? It's like describing a movie scene using just smoke signals. A timeline chart just makes life so much easier.

  • Automatically whip up the visualization
  • Pick icons that match your system type
  • Export the visualization in a snap

MITRE D3FEND Mapping

Correlate MITRE ATT&CK detections with the D3FEND Matrix to mitigate threats identified during an investigation.

  • Containment: Quickly isolate tactics to check how well you’re containing threats based on attacker actions.
  • Post-Incident Improvement: Use D3FEND to review how the response went and get better for next time.

V.E.R.I.S. Summary

VERIS is basically a way to keep track of cybersecurity incidents in a simple, consistent way. It helps teams share info about what happened, how it happened, and the damage done so everyone can learn and improve security.

  • Standardized data collection for breach and security incidents
  • Supports clear breach reporting with structured categories
  • Helps to collaborate with other external entities, such as Verizon data breach reporting

Markdown Files

Markdown files are simple text files where you write using easy formatting. They’re great for quickly making notes or writing how-to playbooks.

  • Helps to take notes during the investigation, internally or with customers
  • Supports creating / loading “how-to investigate” type of documents during the investigation

External Lookups

The external lookup helps the investigator quickly search various threat intel feeds while responding to an incident.

  • IP / Domain / File Reputation: Info on IP location, open ports, vulnerabilities, WHOIS, DNS data and binary file details.
  • Entra ID Reference: Searchable list of malicious Microsoft Entra AppIDs for BEC cases.
  • Ransomware Victim: Checks if data is leaked after ransomware attacks.
  • CVE Insights: Known exploits from vulnerability databases.
  • Event ID Reference: Windows Event IDs grouped for quick investigation.

Bookmarks

This helps to bookmark known sources, which will be useful during the investigation.

  • Lists up-to-date, well-maintained, free open-source projects useful for DF/IR.
  • Azure portals change constantly, which makes them hard to keep track of, but knowing them is handy when responding to Azure cloud incidents.
  • Create personal bookmarks instead of adding them to the usual web browser.