Methods and systems for efficient adaptive logging of cyber threat incidents
Abstract:
A packet-filtering network appliance such as a threat intelligence gateway (TIG) protects TCP/IP networks from Internet threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies are composed of packet filtering rules derived from cyber threat intelligence (CTI). Logs of rule-matching packets and their associated flows are sent to cyberanalysis applications located at security operations centers (SOCs) and operated by cyberanalysts. Some cyber threats/attacks, or incidents, are composed of many different flows occurring at a very high rate, which generates a flood of logs that may overwhelm computer, storage, network, and cyberanalysis resources, thereby compromising cyber defenses. The present disclosure describes incident logging, in which a single incident log efficiently incorporates the logs of the many flows that comprise the incident, thereby potentially reducing resource consumption while improving the informational/cyberanalytical value of the incident log for cyberanalysis when compared to the component flow logs. Switching between incident logging and flow logging can be performed automatically and adaptively, turning incident logging on or off depending on the combination of resource consumption and informational/cyberanalytical value.
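The following is an added illustration of the adaptive incident-logging idea described in the abstract; it is not the patent's implementation and the class and field names (`AdaptiveLogger`, `FlowLog`, `IncidentLog`, the rate threshold, window and idle timeout) are assumptions chosen for the example. It emits one log per rule-matching flow while the match rate for a rule stays low, and once the rate crosses a threshold it opens a single incident log keyed by rule and peer that absorbs subsequent flows (counting flows, bytes, distinct destination ports and distinct local hosts) until the incident goes idle. The sample traffic is constructed.

```python
"""Adaptive incident logging: fold a flood of per-flow logs into one incident log.
Illustrative code, not the patent's implementation; names and thresholds are assumed."""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FlowLog:
    ts: float        # seconds
    src: str         # external peer (assumed inbound direction for this example)
    dst: str         # protected local host
    dport: int
    rule_id: str     # CTI-derived packet filtering rule the flow matched
    nbytes: int


@dataclass
class IncidentLog:
    rule_id: str
    peer: str
    first_ts: float
    last_ts: float
    flow_count: int = 0
    nbytes: int = 0
    dports: set = field(default_factory=set)        # distinct ports touched
    local_hosts: set = field(default_factory=set)   # distinct local targets

    def absorb(self, f: FlowLog) -> None:
        """Fold one flow into the incident instead of emitting its own log."""
        self.last_ts = f.ts
        self.flow_count += 1
        self.nbytes += f.nbytes
        self.dports.add(f.dport)
        self.local_hosts.add(f.dst)


class AdaptiveLogger:
    def __init__(self, rate_threshold=10, window=1.0, idle_timeout=2.0):
        self.rate_threshold = rate_threshold   # matches/sec that switches incident mode on
        self.window = window                   # sliding window for the rate estimate
        self.idle_timeout = idle_timeout       # seconds of silence that closes an incident
        self._recent = {}                      # rule_id -> deque of match timestamps
        self._open = {}                        # (rule_id, peer) -> IncidentLog
        self.output = []                       # emitted FlowLog / IncidentLog records
        self.flows_seen = 0
        self.flow_logs_emitted = 0
        self.incident_logs_emitted = 0

    def _rate(self, rule_id, ts):
        q = self._recent.setdefault(rule_id, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) / self.window

    def _emit_incident(self, key):
        self.output.append(self._open.pop(key))
        self.incident_logs_emitted += 1

    def _expire(self, now):
        for key, inc in list(self._open.items()):
            if now - inc.last_ts > self.idle_timeout:
                self._emit_incident(key)

    def process(self, f: FlowLog) -> None:
        self.flows_seen += 1
        self._expire(f.ts)
        key = (f.rule_id, f.src)
        rate = self._rate(f.rule_id, f.ts)
        if key in self._open:                  # incident mode: absorb, emit nothing
            self._open[key].absorb(f)
            return
        if rate >= self.rate_threshold:        # switch incident logging on for this rule/peer
            inc = IncidentLog(f.rule_id, f.src, f.ts, f.ts)
            inc.absorb(f)
            self._open[key] = inc
            return
        self.output.append(f)                  # flow mode: one log per flow
        self.flow_logs_emitted += 1

    def flush(self):
        """Close any still-open incidents and return everything emitted."""
        for key in list(self._open):
            self._emit_incident(key)
        return self.output


def simulate() -> AdaptiveLogger:
    """Constructed traffic: two isolated matches on rule R1 and a 100-flow burst on rule R2."""
    log = AdaptiveLogger(rate_threshold=10, window=1.0, idle_timeout=2.0)
    log.process(FlowLog(0.0, "198.51.100.5", "10.0.0.9", 443, "CTI-R1", 1200))
    for i in range(100):   # 100 flows in one second from a single peer, sweeping ports
        log.process(FlowLog(10.0 + i * 0.01, "203.0.113.7",
                            "10.0.0.%d" % (i % 5 + 1), 1000 + i, "CTI-R2", 60))
    log.process(FlowLog(20.0, "198.51.100.5", "10.0.0.9", 443, "CTI-R1", 900))
    return log


if __name__ == "__main__":
    log = simulate()
    out = log.flush()
    print(f"{log.flows_seen} flows -> {len(out)} log records "
          f"({log.flow_logs_emitted} flow logs, {log.incident_logs_emitted} incident logs)")
```

In the simulated run the burst's first nine flows are still logged individually (the rate estimate needs a window to fill), the tenth match crosses the threshold and opens the incident, and the remaining 91 flows collapse into that one record, which carries the flow count, byte total and the spread of ports and hosts that a cyberanalyst would otherwise have to reconstruct from 91 separate lines. Keying the rate per rule but the incident per rule and peer keeps unrelated peers matching the same rule from being merged into one incident.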