[Security Solution][Detections] Investigate updating _id to be static rule_id when migrating rules to rule registry #99741

Open
spong opened this issue May 11, 2021 · 4 comments
Labels
chore Feature:Detection Rules Security Solution rules and Detection Engine investigating Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. technical debt Improvement of the software architecture and operational architecture

Comments

@spong (Member) commented May 11, 2021

With #5026, Rules will now be exportable via the SO Management UI. Since Detection Rules store their static ids within alert tags as __internal_rule_id:[ID_HERE], that means importing/exporting rules from different sessions/spaces/clusters/etc. could potentially introduce duplicates, since the SO importer determines uniqueness per space per _id.

We're currently looking to filter out Detection Rules from the SO Management UI in favor of using the security UI, however there's a core dependency preventing this (#99680). This issue is for investigating if it's feasible to replace the Rule SO's _id with the value in alert tags as __internal_rule_id:[ID_HERE] when performing the SO migrations from a single siem.signals rule type to dedicated security rule types.

Considerations:

  • Is this even possible with SO migrations?
  • What other assets would need to be updated that reference the existing _id
  • ....

If the above ends up being a breaking change, we should determine feasibility for 8.x migration.

@spong spong added chore investigating Feature:Detection Rules Security Solution rules and Detection Engine Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels May 11, 2021
@elasticmachine (Contributor) commented: Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine (Contributor) commented: Pinging @elastic/security-detections-response (Team:Detections and Resp)

@ymao1 (Contributor) commented Jul 29, 2021

Did some research related to this issue in conjunction with the upcoming change to make alert saved objects share-capable. Relevant comments start here.

Interested to get feedback on this research

@ymao1 (Contributor) commented Aug 4, 2021

Instead of adding a migration to change the SO ID to be the static rule_id, it seems like another option could be to migrate to set the originId of an SO to the static rule_id. Setting this should prevent creating multiple copies of an object with the same originId on import. More details in this comment

ETA: Sorry, after re-reading Joe's comment, it seems like this would have to be done in conjunction with a change to the alerting rules client to use import under the hood for create, which we are still investigating.
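The following is an added example, not Kibana's own code and not written by anyone in this thread. It models the two points discussed above: spong's observation that the SO importer keys uniqueness on `_id` while the static rule_id lives in the alert tags as `__internal_rule_id:[ID_HERE]`, and ymao1's two candidate migrations (rewrite `_id` to the rule_id, or set `originId` to the rule_id). The `RuleSavedObject` shape, the `(doc) => doc` migration shape, and all function names are illustrative assumptions rather than Kibana APIs; the sample objects are constructed.

```typescript
// Added example, not Kibana code. Models detection rule saved objects (SOs) whose static
// rule_id is carried in the alert tags as "__internal_rule_id:<rule_id>", and shows why
// keying import uniqueness on `_id` misses duplicates that keying on rule_id (or an
// originId set to rule_id) would catch. All names below are assumptions for illustration.

const INTERNAL_RULE_ID_PREFIX = "__internal_rule_id:";

interface RuleSavedObject {
  id: string;              // Kibana SO _id: the importer's uniqueness key, per space
  type: string;            // e.g. "alert" (the single siem.signals rule type)
  attributes: { name: string; tags: string[] };
  originId?: string;       // when set, marks this SO as a copy of an original with that id
}

// Returns the static rule_id carried in the tags, or undefined if the tag is absent.
function extractRuleId(so: RuleSavedObject): string | undefined {
  const tag = so.attributes.tags.find((t) => t.startsWith(INTERNAL_RULE_ID_PREFIX));
  return tag === undefined ? undefined : tag.slice(INTERNAL_RULE_ID_PREFIX.length);
}

// Groups SOs by an arbitrary key and returns the SO ids of every group with more than
// one member, i.e. the objects that are "the same rule" under that key.
function duplicateGroups(
  objects: RuleSavedObject[],
  keyOf: (so: RuleSavedObject) => string | undefined,
): string[][] {
  const groups = new Map<string, string[]>();
  for (const so of objects) {
    const key = keyOf(so);
    if (key === undefined) continue;   // untagged objects cannot be matched at all
    const ids = groups.get(key) ?? [];
    ids.push(so.id);
    groups.set(key, ids);
  }
  return Array.from(groups.values()).filter((ids) => ids.length > 1);
}

// Option 1 from the issue: a migration that rewrites the SO _id to the static rule_id.
// Hypothetical `(doc) => doc` migration shape; an untagged doc is returned unchanged.
function migrateIdToRuleId(doc: RuleSavedObject): RuleSavedObject {
  const ruleId = extractRuleId(doc);
  return ruleId === undefined ? doc : { ...doc, id: ruleId };
}

// Option 2 from ymao1's comment: leave _id alone and set originId to the static rule_id,
// so copies of one rule share an originId that an importer can recognise.
function migrateOriginIdToRuleId(doc: RuleSavedObject): RuleSavedObject {
  const ruleId = extractRuleId(doc);
  return ruleId === undefined ? doc : { ...doc, originId: ruleId };
}

// Constructed sample: one rule exported from two places (different _id, same rule_id),
// an unrelated rule, and an object with no internal rule id tag.
const exported: RuleSavedObject[] = [
  { id: "1b2c3d", type: "alert", attributes: { name: "Suspicious cron", tags: ["__internal_rule_id:rule-cron-001", "linux"] } },
  { id: "9e8f7a", type: "alert", attributes: { name: "Suspicious cron", tags: ["linux", "__internal_rule_id:rule-cron-001"] } },
  { id: "5a6b7c", type: "alert", attributes: { name: "Web shell", tags: ["__internal_rule_id:rule-web-002"] } },
  { id: "0d1e2f", type: "alert", attributes: { name: "Untagged", tags: [] } },
];

// Keyed on _id, as the importer does today: nothing collides, so both copies are kept.
const byId = duplicateGroups(exported, (so) => so.id);

// Keyed on the static rule_id: the two copies are recognised as one rule.
const byRuleId = duplicateGroups(exported, extractRuleId);

// After the originId migration, keying on originId yields the same grouping.
const byOriginId = duplicateGroups(exported.map(migrateOriginIdToRuleId), (so) => so.originId);
```

Note that neither migration makes the untagged object unique by rule: an SO without the `__internal_rule_id` tag is passed through unchanged and is never grouped, which is the kind of asset the issue's second consideration (other references to the existing `_id`) would need to enumerate before a real migration.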

@peluja1012 peluja1012 added the Team:Detection Alerts Security Detection Alerts Area Team label Sep 15, 2021
@peluja1012 peluja1012 added the technical debt Improvement of the software architecture and operational architecture label Oct 26, 2021
@marshallmain marshallmain added Team:Detection Rule Management Security Detection Rule Management Team and removed Team:Detection Alerts Security Detection Alerts Area Team labels Apr 14, 2022