

Threat Insight

The page on the types of Threat Insight events in the cloud portal is here.

A nice blog post on Infoblox's Threat Insight detection is here.

In the cloud portal, the Exfiltration custom list will show a description that says why a domain was flagged as exfiltration. This may include:

Number:

  • Number of queries in a session
  • Number of unique queries in a session
  • Number of unique answers in a session

QNames:

  • Mean length of qnames
  • Distinct characters found in qnames
  • Relative normalcy of the qnames
  • Number of words found in qnames relative to their length

Entropy:

  • Entropy of answers

Other:

  • The name servers used for the domain are not reputable

Syslog of a hit (src = client that made the query to NIOS):

src=10.10.20.20 spt=53198 view=_default qtype=A msg="rpz QNAME CNAME rewrite ws-zw9yt1viqsxqrc8ilpp06my7qoinq3kxphttfio969l15lqsvw.example.com [A] via ws-zw9yt1viqsxqrc8ilpp06my7qoinq3kxphttfio969l15lqsvw.example.com.threatinsightfeed.local" CAT=RPZ
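As an added example (not Infoblox code and not part of this page), the script below parses the NIOS RPZ syslog line above and computes the per-session numbers the list describes (query counts, mean qname length, distinct characters, entropy, word ratio) for a constructed tunnel-like session and a constructed normal one; the zone `example.com`, the second tunnel qname, the normal session and the tiny word list are assumptions, and the entropy is measured on the qname labels rather than on the answers the page mentions.

```python
import math
import re
from collections import Counter

# Constructed input: the RPZ hit quoted on this page plus two hypothetical query
# sessions (not real traffic) against the same zone.
SYSLOG_HIT = ('src=10.10.20.20 spt=53198 view=_default qtype=A msg="rpz QNAME CNAME rewrite '
              'ws-zw9yt1viqsxqrc8ilpp06my7qoinq3kxphttfio969l15lqsvw.example.com [A] via '
              'ws-zw9yt1viqsxqrc8ilpp06my7qoinq3kxphttfio969l15lqsvw.example.com'
              '.threatinsightfeed.local" CAT=RPZ')
TUNNEL_SESSION = ["ws-zw9yt1viqsxqrc8ilpp06my7qoinq3kxphttfio969l15lqsvw.example.com",
                  "k4n2m8x1q9z5p7r3t6v0b2d4f8h1j3l5n7s9w2y4.example.com"]
NORMAL_SESSION = ["www.example.com", "mail.example.com", "www.example.com", "api.example.com"]
WORDS = ("mail", "www", "api", "login", "cdn")  # tiny stand-in for a real wordlist

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RPZ_RE = re.compile(r'rpz QNAME (\w+) rewrite (\S+) \[(\w+)\] via (\S+)')

def parse_rpz_hit(line):
    """Split a NIOS RPZ syslog line into key=value fields and unpack the msg."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = RPZ_RE.search(fields.get("msg", ""))
    if m:
        fields["action"], fields["qname"], fields["rr"], fields["rpz_entry"] = m.groups()
    return fields

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def session_features(qnames, zone, words=WORDS):
    """The per-session numbers the page lists, measured on the labels under zone."""
    subs = [q[:-len(zone) - 1] if q.endswith("." + zone) else q for q in qnames]
    joined = "".join(subs)
    covered = sum(len(w) for w in re.findall("|".join(words), joined))
    return {
        "queries": len(qnames),
        "unique_queries": len(set(qnames)),
        "mean_qname_len": sum(map(len, subs)) / len(subs),
        "distinct_chars": len(set(joined)),
        "entropy": shannon_entropy(joined),
        "word_ratio": covered / len(joined),  # share of characters made of real words
    }

if __name__ == "__main__":
    print(parse_rpz_hit(SYSLOG_HIT)["qname"])
    for name, sess in (("tunnel", TUNNEL_SESSION), ("normal", NORMAL_SESSION)):
        print(name, session_features(sess, "example.com"))
```

The tunnel session scores high on entropy and distinct characters and zero on word ratio, while the normal session does the opposite, which is the shape of the signal the descriptions in the portal are summarising.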
infoblox_threat_defense/threat_insight.1765327040.txt.gz · Last modified: by bstafford