Alert vs. Threat Case

How does Intercept X determine which events it classifies as alerts vs. which events get made into a threat case?