The most valuable input when triaging a potentially suspicious rule is from the rule owner themselves. If the rule owner recognises the rule, chances are it wasn't created maliciously. If the rule owner doesn't recognise the rule, you should immediately be suspicious.
You can use the ChatOps automation to automatically ask a rule owner if they recognise a potentially suspicious rule when it is first seen by the Push platform. Since the Push platform will message users shortly after rule creation, the rule should be fresh in their mind if they created it.
Users will be shown the key details of the rule and asked if they recognise it, don't recognise it, or are not sure, as shown below:
User responses are immediately reflected in the Push platform so by the time you login to triage the rule, you have the most useful input ready and waiting.
You can also choose to have the Push platform automatically disable the rule on Microsoft 365 if the user doesn't recognise it, or is not sure, allowing you to minimise impact without any intervention from you, and buying you time whilst you investigate.