Threat Insight
Page on types of Threat Insight events in cloud here.
A nice blog post on Infoblox's TI detection here.
In the cloud portal, the Exfiltration custom list shows a description explaining why each domain was flagged as exfiltration. The description may cite one or more of the following session statistics:
Number:
- Number of queries in a session
- Number of unique queries in a session
- Number of unique answers in a session
QNames:
- Mean length of qnames
- Distinct characters found in qnames
- Relative normalcy of the qnames
- Number of words found in qnames relative to their length
Entropy:
- Entropy of answers
Other:
- The name servers used for the domain are not reputable
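The statistics above are easy to reproduce on your own query logs, which helps when deciding whether a flagged domain is a true positive. The block below is an added example, not Infoblox's detection code: it computes the count, length, distinct-character, word-ratio and entropy features for a "session" (queries for one registered domain inside one window) and applies assumed thresholds. The suspicious session reuses the qname from this page plus two made-up labels; the benign session, the word list and the thresholds are constructed for the example. Answer entropy and name-server reputation are not modelled because they need resolver responses and an external feed.

```python
"""Session-level DNS exfiltration features (added illustration, not Infoblox's code)."""
import math
from collections import Counter
from statistics import mean

# Constructed sample sessions: queries for one registered domain inside one
# observation window. The first long label is the one shown on this page;
# the other labels and the benign names are made up for the example.
SUSPICIOUS_SESSION = [
    "ws-zw9yt1viqsxqrc8ilpp06my7qoinq3kxphttfio969l15lqsvw.example.com",
    "ws-4f8k2m9q1zx7c3v6b0n5h8j2l4p9r1t3y5u7i0oe6w8d1.example.com",
    "ws-q2w4e6r8t0y1u3i5o7p9a1s3d5f7g9h0j2k4l6z8x0c2.example.com",
]
BENIGN_SESSION = [
    "www.example.com", "mail.example.com", "www.example.com",
    "cdn.example.com", "www.example.com",
]

# Tiny assumed word list; a real detector would use a large dictionary.
WORDS = {"www", "mail", "cdn", "api", "login", "static", "img"}
APEX = "example.com"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def host_part(qname: str, apex: str = APEX) -> str:
    """Strip the registered domain so only the attacker-controlled labels are scored."""
    q = qname.lower().rstrip(".")
    return q[: -len(apex) - 1] if q.endswith("." + apex) else q


def word_ratio(label: str, words=WORDS) -> float:
    """Fraction of the label covered by dictionary words (greedy longest match)."""
    covered, i = 0, 0
    while i < len(label):
        best = max((w for w in words if label.startswith(w, i)), key=len, default=None)
        if best:
            covered += len(best)
            i += len(best)
        else:
            i += 1
    return covered / len(label) if label else 0.0


def session_features(qnames, apex: str = APEX) -> dict:
    """Compute the per-session statistics the Exfiltration list description refers to."""
    hosts = [host_part(q, apex) for q in qnames]
    return {
        "queries": len(qnames),
        "unique_queries": len(set(qnames)),
        "mean_qname_len": mean(len(h) for h in hosts),
        "distinct_chars": len(set("".join(hosts))),
        "mean_entropy": mean(shannon_entropy(h) for h in hosts),
        "word_ratio": mean(word_ratio(h) for h in hosts),
    }


def looks_like_exfiltration(f: dict) -> bool:
    """Assumed thresholds for the example; tune them against your own traffic."""
    return (
        f["unique_queries"] / f["queries"] >= 0.8   # nearly every query carries new data
        and f["mean_qname_len"] >= 30                # long labels: large payload per query
        and f["mean_entropy"] >= 3.5                 # encoded payload rather than words
        and f["word_ratio"] <= 0.2                   # few dictionary words in the labels
    )


if __name__ == "__main__":
    for name, session in (("suspicious", SUSPICIOUS_SESSION), ("benign", BENIGN_SESSION)):
        f = session_features(session)
        print(name, looks_like_exfiltration(f), f)
```

The benign session fails on three of the four assumed checks (repeated names, short labels, dictionary words), so a single noisy feature such as one long CDN hostname would not by itself trip the flag; a detector built on one feature alone produces the false positives the per-domain description is there to help you review.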
Syslog of Hit (src = client that made the query to NIOS)
src=10.10.20.20 spt=53198 view=_default qtype=A msg="rpz QNAME CNAME rewrite ws-zw9yt1viqsxqrc8ilpp06my7qoinq3kxphttfio969l15lqsvw.example.com [A] via ws-zw9yt1viqsxqrc8ilpp06my7qoinq3kxphttfio969l15lqsvw.example.com.threatinsightfeed.local" CAT=RPZ
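When forwarding these hits to a SIEM, the useful fields are the client (src), the original qname, the RPZ trigger and action, and the feed zone that produced the rewrite. The parser below is an added example, not an Infoblox tool: it splits the key=value line (honouring the quoted msg), then decodes the BIND-style "rpz <trigger> <action> rewrite <qname> [<qtype>] via <record>" message. The sample line is a constructed copy of the hit above, and the field names in the returned dict are this example's own.

```python
"""Parse a NIOS RPZ hit line from Threat Insight (added example, not Infoblox code)."""
import re

# Constructed copy of the RPZ hit line shown on this page.
SAMPLE_HIT = (
    'src=10.10.20.20 spt=53198 view=_default qtype=A '
    'msg="rpz QNAME CNAME rewrite '
    'ws-zw9yt1viqsxqrc8ilpp06my7qoinq3kxphttfio969l15lqsvw.example.com [A] '
    'via ws-zw9yt1viqsxqrc8ilpp06my7qoinq3kxphttfio969l15lqsvw.example.com'
    '.threatinsightfeed.local" CAT=RPZ'
)

# key=value tokens; a value is either a double-quoted string or a run of non-space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# rpz <trigger> <action> rewrite <qname> [<qtype>] via <record in rpz zone>
MSG_RE = re.compile(r'^rpz (\S+) (\S+) rewrite (\S+?)\.?(?: \[(\w+)\])? via (\S+?)\.?$')


def parse_kv(line: str) -> dict:
    """Return the key=value pairs of the line; quoted values keep their spaces."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def parse_rpz_hit(line: str):
    """Decode one RPZ hit into correlation-ready fields, or None if it is not one."""
    fields = parse_kv(line)
    m = MSG_RE.match(fields.get("msg", ""))
    if not m:
        return None
    trigger, action, qname, rr_type, via = m.groups()
    # The "via" record is the qname prepended to the RPZ zone name; strip the
    # qname to recover which feed zone fired.
    feed_zone = via[len(qname) + 1:] if via.startswith(qname + ".") else via
    return {
        "client": fields["src"],          # src = client that sent the query to NIOS
        "client_port": int(fields["spt"]),
        "view": fields.get("view"),
        "qtype": fields.get("qtype"),
        "trigger": trigger,               # QNAME, IP, NSDNAME, NSIP or CLIENT-IP
        "action": action,                 # CNAME (rewrite), NXDOMAIN, NODATA, ...
        "qname": qname,
        "rr_type": rr_type,
        "feed_zone": feed_zone,
        "category": fields.get("CAT"),
    }


if __name__ == "__main__":
    print(parse_rpz_hit(SAMPLE_HIT))
```

The trigger and feed_zone fields are what distinguish a Threat Insight hit from any other RPZ match on the same appliance, so key your alert rule on those rather than on the raw msg text.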
A major differentiator between on-premise Threat Insight and Threat Insight in the Cloud is processing capacity. Threat Insight in the Cloud is slower, because query data must first be transported to the cloud, but its blocking of malicious DNS traffic is more advanced and it has the capacity to handle a wider range of threats: for example, it can protect against DGA and Fast Flux activity and catch "low and slow" exfiltration attempts. On-premise Threat Insight is faster, but it cannot protect against Data Exfiltration, DNS Messenger, Fast Flux or DGA.
