They are both event-based detections where the diference is the output. One writes in the notables index and shows up in the analyst queue and the other writes to the risk index and does not show p in the analyst queue . Both leverage existing lookups (e.g. assets and identities lookups). Both can assign risk to assets or identities.
The reasoning behind this is, if you have something that when you detect it the analyst should do something or investigate it right away you most likely set it as a finding. On the other hand if that something isn't a big issue unless it's detected along side with other behavior then you can set it as an intermediate finding.
As an example:
If you have detected some host communication with a known C2 IP, you really want someone to act on it. This kind of detections where you have a high confidence and its high severity, these should be findings.
If you have detected someone accessing some sensitive files after-hours you probably don't need to have an analyst look into it right away, but you can still register that as an intermediate finding and give it some risk. The same logic can be applied to detecting a "usb device connected to a host" or "large volume of files download". Individually they might not be high severity and not worth to have an analyst look in to it right away, but when detected together you might be looking into data exfiltration. All the accumulated risk from these intermediate findings can push the total risk above your risk score threshold and trigger a finding based detection like the ones you can find out of the box in ES (e.g. "Finding Group - Entity Exceeded Threshold with Multiple Findings" or "Findings Risk Threshold Exceeded for Entity Over 24 Hour Period").
------------
Hope I was able to help you. If so, some karma would be appreciated.
