This is an old revision of the document!


Threat Insight

Page on types of Threat Insight events in cloud here.

A nice blog post on Infoblox's TI detection here.

In the cloud portal, the Exfiltration custom list shows a description that explains why a domain was flagged as exfiltration. This may include:

Number:

  • Number of queries in a session
  • Number of unique queries in a session
  • Number of unique answers in a session

QNames:

  • Mean length of qnames
  • Distinct characters found in qnames
  • Relative normalcy of the qnames
  • Number of words found in qnames relative to its length

Entropy:

  • Entropy of answers

Other:

  • The name servers used for the domain are not reputable
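
The count, qname and entropy statistics listed above can be computed from DNS logs as in the following added example, which is not Infoblox's code or detection model. The function names, the grouping of a session by domain suffix and the sample records are assumptions; the normalcy and word-count features are left out because they need a language model or dictionary.

```python
import math
from collections import Counter

def shannon_entropy(text):
    """Shannon entropy in bits per character; 0.0 for empty input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def session_features(records, domain):
    """Summarise (qname, answer) pairs whose qname is a subdomain of `domain`.

    Assumption: a "session" is every record under one domain suffix.
    Returns None when no record matches.
    """
    suffix = "." + domain.lower().rstrip(".")
    rows = [(q.lower().rstrip("."), a) for q, a in records
            if q.lower().rstrip(".").endswith(suffix)]
    if not rows:
        return None
    # Only the labels left of the domain can carry smuggled data.
    prefixes = [q[:-len(suffix)] for q, _ in rows]
    answers = [a for _, a in rows]
    return {
        "queries": len(rows),
        "unique_queries": len(set(prefixes)),
        "unique_answers": len(set(answers)),
        "mean_qname_length": sum(len(q) for q, _ in rows) / len(rows),
        "distinct_chars": len(set("".join(prefixes))),
        "answer_entropy": shannon_entropy("".join(answers)),
    }

# Constructed sample records: ordinary lookups under example.com and
# tunnel-like lookups (random-looking labels and answers) under example.net.
SAMPLE = [
    ("www.example.com", "192.0.2.10"),
    ("www.example.com", "192.0.2.10"),
    ("mail.example.com", "192.0.2.11"),
    ("www.example.com", "192.0.2.10"),
    ("4f3a9c1e7b2d.t.example.net", "k7q2mz9x"),
    ("8e6d0a5b2c7f.t.example.net", "p4w8vn1j"),
    ("1c9b3e7a4d0f.t.example.net", "t6r3hy5c"),
    ("7a2e8c4f6b1d.t.example.net", "b0s9dg2f"),
]

if __name__ == "__main__":
    for dom in ("example.com", "example.net"):
        print(dom, session_features(SAMPLE, dom))
```

In the constructed data, the tunnel-like session has every query and answer unique, longer qnames, more distinct characters and higher answer entropy than the ordinary one.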
infoblox_threat_defense/threat_insight.1753785887.txt.gz · Last modified: by bstafford