Hello Yuanliu,
I am extremely sorry for the delayed response. Thank you so much for your answer. I was dealing with a medical emergency. Apologies for the delay. I went through your answer and have noted the following based on what I understand. If that's incorrect, please advise me.
Please find below references or pointers for the questions you asked:
1. The lookup table '8112_domain_whitelist.csv' contains one column with the domains that need to be whitelisted.
2. sourcetype="ironport:summary". The following are some of the field values that we get in this sourcetype:
host, source, UBA, Email, Ironport:Summary, generator, sourcetype, action, direction, eventtype, file_name, info_max_time, info_min_time, info_search_time, internal_message_id, message_size_mb, recipient, sender, src_user, src_user_domain, Time
3. sourcetype="MSExchange:2013:MessageTracking"
This gives success or failure, meaning whether an email was received by the end user (recipient).
4. How frequently are they updated respectively? --> I don't know the answer to this question, I am sorry. Is there a way I could get this answer? I will also ask the SIEM engineers if you advise.
5. Is one extremely large compared with another? --> In terms of number of fields, the sourcetype="MSExchange:2013:MessageTracking" contains fewer fields and less information than the sourcetype="ironport:summary".
6. Expansion of the macro `ut_parse_extended()`:
lookup ut_parse_extended_lookup url as senderdomain list as list
| spath input=ut_subdomain_parts
| fields - ut_subdomain_parts
7. Expansion of the macro | `security_content_ctime(end_time)`:
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(end_time)
8. Expansion of the macro | `security_content_ctime(start_time)`:
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(start_time)
9. Is there a way I could improve performance as well as readability?
Appreciate your help and support.
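The post above describes a search that extracts the sender domain from ironport:summary events, splits it into subdomain parts with `ut_parse_extended`, drops senders whose domain is in the 8112_domain_whitelist.csv lookup, and formats the epoch timestamps with `security_content_ctime`. The following is an added example in plain Python, written here to let that logic be tested outside Splunk; it is not code from the original thread, from Splunk, or from the URL Toolbox app. Assumptions: the whitelist CSV's single column is named `domain` (the post does not give the header), the subdomain split is approximated with a plain dot-split rather than the app's public-suffix logic, the `datetime`/`timezone` handling uses UTC (Splunk's `convert ctime` uses the search head's timezone), and the events are constructed samples in the shape of the ironport:summary fields listed above.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed stand-in for 8112_domain_whitelist.csv; the `domain` header is an assumption.
WHITELIST_CSV = """domain
example.com
partner.example.org
"""

# Constructed sample events using field names from the ironport:summary list above.
EVENTS = [
    {"sender": "alice@mail.example.com", "recipient": "bob@corp.test", "end_time": 1700000000},
    {"sender": "eve@notexample.com", "recipient": "bob@corp.test", "end_time": 1700000060},
    {"sender": "carol@partner.example.org", "recipient": "bob@corp.test", "end_time": 1700000120},
]


def load_whitelist(text):
    """Read the one-column lookup into a set of lower-cased domains."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["domain"].strip().lower() for row in reader if row["domain"].strip()}


def sender_domain(sender):
    """Equivalent of deriving senderdomain from the sender address."""
    return sender.rsplit("@", 1)[-1].lower()


def candidate_domains(domain):
    """Approximation of the ut_subdomain_parts split: the domain and each parent
    domain on a label boundary, excluding the bare TLD. Matching on label boundaries
    (not a raw endswith) is what stops 'notexample.com' matching 'example.com'."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def is_whitelisted(domain, whitelist):
    """True if the domain or any parent domain is in the lookup (a design choice;
    exact-match-only would be the stricter alternative)."""
    return any(c in whitelist for c in candidate_domains(domain))


def security_content_ctime(epoch):
    """Mirror of convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(...); UTC is assumed here."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def filter_events(events, whitelist):
    """Keep only events whose sender domain is NOT whitelisted, adding senderdomain
    and a formatted end_time, the way the search's lookup + convert stages would."""
    out = []
    for ev in events:
        domain = sender_domain(ev["sender"])
        if is_whitelisted(domain, whitelist):
            continue
        out.append({**ev, "senderdomain": domain, "end_time": security_content_ctime(ev["end_time"])})
    return out


if __name__ == "__main__":
    wl = load_whitelist(WHITELIST_CSV)
    for ev in filter_events(EVENTS, wl):
        print(ev["senderdomain"], ev["end_time"])
```

The label-boundary check in `candidate_domains` is the part worth carrying back into the SPL: a whitelist match done with a plain `like`/suffix comparison lets a look-alike domain such as notexample.com ride on an entry for example.com, whereas matching the parsed subdomain parts against the lookup does not.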