Description
Automatically inject METADATA _id into ES|QL detection rule queries during execution, removing the requirement for users to manually include it. This improves UX especially for AI-generated queries (Agent Builder) that produce valid ES|QL but lack the rule-specific METADATA _id clause needed for alert deduplication.
Keeps _id column validation in the frontend, but as a non-blocking warning instead of a blocking error. The user is not blocked from saving the rule — instead, the existing "save with errors" confirmation modal appears.
This matches the existing pattern used for EQL/ES|QL missing data source.
Resources
PR: elastic/kibana#254703
Issue: elastic/kibana#248194
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
N/A
What release is this request related to?
9.4
Serverless release
Week after 16th of March 2026
Collaboration model
The documentation team
Point of contact.
Main contact: @vitaliidm
Stakeholders: @yctercero
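
For documentation purposes, the effect of the injection on a rule query's FROM command can be illustrated as follows. This is an added example, not code from the PR or from Kibana; the function names `injectMetadataId` and `firstPipeOutsideQuotes` are hypothetical. It assumes the query starts with FROM, uses the unbracketed `METADATA` syntax, and has no comments before the first pipe.

```typescript
// Added illustration, not Kibana's implementation. Function names are hypothetical.
// Assumptions: FROM source command, unbracketed METADATA syntax, no comments
// before the first pipe.

/** Index of the first `|` that is not inside a double-quoted string, or -1. */
function firstPipeOutsideQuotes(query: string): number {
  let inQuotes = false;
  for (let i = 0; i < query.length; i++) {
    const ch = query.charAt(i);
    if (ch === '"') inQuotes = !inQuotes;
    else if (ch === '|' && !inQuotes) return i;
  }
  return -1;
}

/** Returns the query with `_id` present in the FROM command's METADATA list. */
function injectMetadataId(query: string): string {
  const pipeAt = firstPipeOutsideQuotes(query);
  const source = pipeAt === -1 ? query : query.slice(0, pipeAt);
  const rest = query.slice(source.length);

  // Other source commands (ROW, SHOW, ...) are returned unchanged.
  if (!/^\s*from\s/i.test(source)) return query;

  // Keep the whitespace that preceded the pipe so the rest of the query is untouched.
  const body = source.replace(/\s+$/, '');
  const trailing = source.slice(body.length);

  // A METADATA clause needs at least one field after it; this also keeps an
  // index that happens to be named "metadata" from being mistaken for the keyword.
  const metadata = /\smetadata\s+(\S[\s\S]*)$/i.exec(body);
  if (metadata === null) return `${body} METADATA _id${trailing}${rest}`;

  const fields = metadata[1].split(',').map((f) => f.trim());
  if (fields.indexOf('_id') !== -1) return query; // already present: no change
  return `${body}, _id${trailing}${rest}`;
}

// Constructed sample queries (not taken from the issue or the PR).
const samples = [
  'FROM logs-* | WHERE event.code == "4625"',
  'FROM logs-* METADATA _index | KEEP host.name',
  'FROM logs-* METADATA _id, _version | LIMIT 10',
];
for (const q of samples) console.log(`${q}\n  -> ${injectMetadataId(q)}`);
```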