[Security Solution][Detection Engine] ES|QL rule type generates less alerts than expected with MV_EXPAND

[marshallmain]

The MV_EXPAND command is in preview and was added to ES|QL for 8.11 (https://www.elastic.co/guide/en/elasticsearch/reference/8.15/esql-commands.html#esql-mv_expand). This command takes a multi-valued column and produces a separate row in the results for each value. As a consequence, the results can have multiple rows with the same _id and _index values but the DE rule logic will only create an alert for one of these rows due to deduplication. We should investigate what the correct handling is in this scenario.

[elasticmachine]

Pinging @elastic/security-detection-engine (Team:Detection Engine)

[vitaliidm]

Possible way to do this is to extend what properties we include in alert id.

Currently, for non-agg queries we include id, index, version, ruleId, spaceId

By using utilities from @kbn/esql-ast package, I believe we would be able extract mv_expand field and retrieve its value from processed result row. Then we can include it key-value object into id generator. In this case, this would allow to generate unique alert id per each "expanded" value.
One corner case, we should keep in mind, user might drop or rename "expanded" field. In this case we might resort to remove all identical values from result rows and use the rest values in id generation.