Exchange Auto forwarded message report filter?

Hello, We currently utilise the Auto forwarded message report Auto forwarded message report feature on Exchange (Reports > Mailflow > Auto forward message report). We are alerted into Defender for any new auto-forward rules set up in our estate which are forwarding to external domains. The function however, comes across as quite crude. For example, the alerts do not contain the actual user(s) who have triggered the alert - they essentially only state that a new user has been detected. Our current process of checking who the perpetrator is, is by exporting the list of users who have triggered it in the last 7 days, and manually comparing that with a list of 'approved users' we have stored on our SP to highlight the new unique values. There is an option to filter the results you get from the last 7 days, and you can 'create new filter'. We've tried this by manually crafting the filter to 'ignore' our approved users, however it's not very dynamic so isn't worth using (I also can't find any documentation on how to fully utilise this [even to the point of deleting old filters] anywhere so any tips are appreciated). I'm looking for a better way for this to be managed. Ideally we would like the auto-forward feature to check against a pre-determined list of approved users, before alerting us to potential new forwarders. If the new perpetrator could be included in the alert details, then bonus! However, any ideas on how we can better utilise this function would be great. Thanks!