Cyber incident reporting guidelines: Key information sharing requirements – ITSM.00.140
Summary
This Cyber Centre publication (effective 29 January 2026) sets out what information Canadian organisations should share during a cyber incident so the Centre can take action. It defines two main categories: contextual information (timelines, scope, attacker vector, mitigations, user activity) and technical artifacts (malicious IPs, domains, URLs, file hashes, malware samples, security logs, forensic images). Table 1 in the guidance lists required actionable artifacts and explains the Centre’s internal analytics and expected outcomes. The guidance also covers pre-incident sharing (alert rules, SIEM/EDR configs), recommended sharing practices in Annex B (threat intelligence, IoCs, vulnerabilities, incident reports), anonymous sharing options and automated exchange via STIX/TAXII. The Cyber Centre states it will not disclose raw victim-identifying data externally and operates under legal protections (CSE Act, Privacy Act).
Key Points
- Publication effective 29 January 2026: clarifies what the Canadian Centre for Cyber Security expects when you report incidents.
- Two primary information types: contextual information (timelines, scope, attacker vectors, mitigations) and technical artifacts (IPs, domains, URLs, file hashes, logs, forensic images).
- Table 1 maps each artifact to the Centre’s internal analysis steps and the outcomes they aim to produce (confirmation, enrichment, sharing with sector partners).
- Pre-incident sharing is encouraged — provide alert rules, SIEM/EDR configurations and sample logs to reduce false positives and improve detection.
- Annex B recommends sharing threat intelligence, IoCs, vulnerability and patch information, incident reports, and using STIX/TAXII or anonymous mechanisms where needed.
- The Cyber Centre will not share raw identifying victim data externally and may use NDAs with critical infrastructure partners; sharing assumes IoCs provided are not owned by the reporting organisation.
Content summary
The guidance is intended for organisations, their executives, legal and operational teams, and managed security service providers. It asks organisations to pre-approve what they will share and to circulate the guidance internally and with partners. Contextual information should include concise incident summaries, attacker access method, scope and impact, timelines, observed network traffic and mitigations taken. Technical artifacts requested range from suspicious IPs, domains, URLs and file hashes to full security logs and forensic images. The Centre describes how it cross-references and analyses these artifacts to confirm maliciousness, reveal TTPs and provide actionable indicators back to the reporting organisation and the critical infrastructure community.
Annex A urges early (pre-confirmation) sharing of alert rules and logs to tune detection and reduce noise. Annex B sets out best practices for sharing threat intelligence, IoCs, vulnerability information, incident reports, anonymous sharing methods, automated exchange formats (STIX/TAXII) and collaborative analysis.
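The following Python example is added here and is not from the Cyber Centre publication: it turns the technical artifact types listed above (IPs, domains, URLs, file hashes) into STIX 2.1 indicator objects for automated exchange, and withholds anything that belongs to the reporting organisation, since sharing assumes the IoCs provided are not the reporter's own. The function names, the `OWN_NETS`/`OWN_DOMAINS` lists and the sample values are assumptions constructed for illustration, and hashes are recognised by hex length only.

```python
# Added example: names and sample values are assumptions, not Cyber Centre code.
import ipaddress, json, re, uuid
from datetime import datetime, timezone
from urllib.parse import urlsplit

HASH_ALGS = {32: "MD5", 40: "'SHA-1'", 64: "'SHA-256'"}  # keyed by hex length
# Constructed sample input (documentation address ranges, .example names).
OWN_NETS, OWN_DOMAINS = ["203.0.113.0/24"], ["victim.example"]
SAMPLE = ["198.51.100.23", "203.0.113.10", "cdn.bad.example", "mail.victim.example",
          "http://bad.example/payload.bin", "https://portal.victim.example/login", "ab" * 32]

def _quote(value):
    # STIX pattern string literals escape backslash and single quote.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def _owned(host, nets, domains):
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in nets)
    except ValueError:
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in domains)

def to_pattern(artifact, nets, domains):
    """Return a STIX pattern, or None when the artifact is the reporter's own asset."""
    a = artifact.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", a) and len(a) in HASH_ALGS:
        return f"[file:hashes.{HASH_ALGS[len(a)]} = {_quote(a.lower())}]"
    host = (urlsplit(a).hostname or "") if "://" in a else a
    if _owned(host, nets, domains):
        return None
    if "://" in a:
        return f"[url:value = {_quote(a)}]"
    try:
        ip = ipaddress.ip_address(a)
        return f"[ipv{ip.version}-addr:value = {_quote(str(ip))}]"
    except ValueError:
        return f"[domain-name:value = {_quote(a.lower())}]"

def build_bundle(artifacts, own_nets, own_domains):
    """Return (STIX 2.1 bundle dict, list of artifacts withheld as own assets)."""
    nets = [ipaddress.ip_network(n) for n in own_nets]
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    patterns = [(a, to_pattern(a, nets, own_domains)) for a in artifacts]
    objects = [{"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
                "created": now, "modified": now, "valid_from": now,
                "pattern_type": "stix", "pattern": p} for _, p in patterns if p]
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
    return bundle, [a for a, p in patterns if p is None]

if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE, OWN_NETS, OWN_DOMAINS)[0], indent=2))
```

The withheld list is worth reviewing by hand before submission: it shows which observed values resolved to the organisation's own address space or domains and were kept out of the bundle.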
Context and relevance
This guidance is important for Canadian organisations (particularly those supporting critical infrastructure), SOC teams, MSSPs and legal/comms functions. It standardises what to share during incidents so the Cyber Centre can investigate faster and share validated indicators back to the sector. The document aligns with broader industry trends toward automated, structured threat exchange and collaborative defence — adopting these practices speeds response, improves detection across the community and helps protect dependent services and citizens.
Why should I read this
Read this — it’s the practical checklist for what to send to Canada’s Cyber Centre when things go pear-shaped. If you’re responsible for security, incident response or critical systems, it saves you fumbling during an incident and helps get useful, actionable support fast. Plus, it tells you what to prep now so detection and sector-wide defence work better later.