How does Intercept X determine which events it classifies as alerts vs. which events get made into a threat case?
Alerts are generated whenever administrative interaction is required. A list of the events that generate a threat case can be found in the KB below:
There may be times when a threat case is not generated. In those cases, you can use the SDR Exporter tool to export the snapshot and bring it into Central.
Information on how to read the exported JSON can be found in this KB: