In the process of investigating the "Creation of forwarding/redirect rule" alerts, since MS does not provide the granularity to adjust the policy to trigger ONLY on external email IDs, we have no other way but to look at each alert`s evidence/details to make sure and update. 

I noticed I cannot pull the "evidence" related to these alerts via advanced hunting (different categories of alerts are giving different levels of response) or the graph feature. As in, the forwarded email ID value is the one of interest here. Advanced query is giving me lot of info but not the most important detail in this case. Is this possible via API calls to the alerts ? Or even adv hunting, may be I am not using the correct query?