update metadata for API create

docs/detections/api/rules/rules-api-create.asciidoc

@@ -1066,7 +1066,7 @@ POST api/detection_engine/rules
 {
   "type": "esql",
   "language": "esql",
-  "query": "from auditbeat-8.10.2 [metadata _id, _version, _index] | where process.parent.name == \"EXCEL.EXE\"",
+  "query": "from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == \"EXCEL.EXE\"",
   "name": "Find Excel events",
   "description": "Find Excel events",
   "tags": [],
@@ -1527,7 +1527,7 @@ Example response for an {esql} rule:
   "setup": "",
   "type": "esql",
   "language": "esql",
-  "query": "from auditbeat-8.10.2 [metadata _id] | where process.parent.name == \"EXCEL.EXE\""
+  "query": "from auditbeat-8.10.2 METADATA _id | where process.parent.name == \"EXCEL.EXE\""
 }
 --------------------------------------------------
 <1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.