
Summary
The detection rule titled 'O365 Email Reported By Admin Found Malicious' identifies cases where an administrative user submits a suspicious email through the Microsoft Office 365 Security & Compliance portal and the submission receives a verdict of 'Phish' or 'Malware' on rescan. The analytic draws on the 'O365 Universal Audit Log' and uses a search string that captures the operations tied to admin submissions. Results are aggregated by email subject, verdict, sender IP, senders, recipients, and detection time, which helps reveal patterns of suspicious email activity and supports further investigation of reported threats. The implementation requires a specific add-on for Splunk to work correctly, and a known source of false positives is administrators submitting training emails that simulate phishing attacks.
Categories
- Cloud
- Application
Data Sources
- Pod
- Container
- User Account
- Application Log
ATT&CK Techniques
- T1566
- T1566.001
- T1566.002
Created: 2024-11-14