[Tuning] Elastic Defend and Email Alerts Correlation

this rule uses the logs-* generic index, which causes failures on clusters without an email related integration with `destination.user.name` populated.  for now limiting the rule to checkpoint email security and we can add more or users can customize it by adding more indexes.

Author: Samirbous

rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
+integration = ["endpoint", "checkpoint_email"]
 maturity = "production"
-updated_date = "2025/11/19"
+updated_date = "2025/12/15"
 
 [rule]
 author = ["Elastic"]
@@ -22,14 +23,15 @@ tags = [
     "Rule Type: Higher-Order Rule",
     "Resources: Investigation Guide",
     "Data Source: Elastic Defend",
+    "Data Source: Check Point Harmony Email & Collaboration",
     "Domain: Email",
     "Domain: Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-from logs-* metadata _id
+from logs-endpoint.alerts-*, logs-checkpoint_email.event-default-* metadata _id
 // Email or Elastic Defend alerts where user name is populated
 | where
   (event.category == "email" and event.kind == "alert" and destination.user.name is not null) or