diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index a4ffcfbb57..11e3a71596 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -1,3 +1,10 @@
+:doctype: book
+:siem-soln: Elastic Security
+:siem-app: Elastic Security app
+:siem-ui: Elastic Security UI
+:ml-dir: {stack-docs-root}/docs/en/stack/ml
+:sn: ServiceNow
+
 [[elastic-endpoint]]
 = Elastic Endpoint Security
@@ -14,4 +21,9 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 include::sensor-full-disk-access.asciidoc[]
 // Temporary fix of section levels
-include::siem/index.asciidoc[leveloffset=+1]
+include::siem/index.asciidoc[]
+
+include::siem-apis.asciidoc[]
+
+include::siem/reference/ref-index.asciidoc[]
+
diff --git a/docs/siem/siem-apis.asciidoc b/docs/siem-apis.asciidoc
similarity index 87%
rename from docs/siem/siem-apis.asciidoc
rename to docs/siem-apis.asciidoc
index 8a3b0df792..a3d0ccf12e 100644
--- a/docs/siem/siem-apis.asciidoc
+++ b/docs/siem-apis.asciidoc
@@ -1,10 +1,11 @@
 [role="xpack"]
-[[siem-apis]]
-= SIEM APIs
+[[security-apis]]
+= Elastic Security APIs
 You can use these APIs to interface with {siem-soln} features:
 * <>: Manage detection rules and signals
+* <>: Import and export timelines
 * <>: Open and manage cases
 Additionally, the {kib} <> is partially
@@ -70,8 +71,10 @@ path component to its URL.
 {kibana-ref}/development-basepath.html[Considerations for basePath] describes
 how to work with and disable the random path component.
-include::detections/api/det-api-index.asciidoc[]
+include::siem/detections/api/det-api-index.asciidoc[]
-include::cases/api/cases-api/cases-api-index.asciidoc[]
+include::siem/timeline/api/timeline-api-index.asciidoc[]
-include::cases/api/actions-api/cases-actions-api-index.asciidoc[]
\ No newline at end of file
+include::siem/cases/api/cases-api/cases-api-index.asciidoc[]
+
+include::siem/cases/api/actions-api/cases-actions-api-index.asciidoc[]
diff --git a/docs/siem/detections/api/rules-api-export.asciidoc b/docs/siem/detections/api/rules-api-export.asciidoc
index 18bd42ff5c..9400a11ef2 100644
--- a/docs/siem/detections/api/rules-api-export.asciidoc
+++ b/docs/siem/detections/api/rules-api-export.asciidoc
@@ -22,7 +22,8 @@ exported rules is returned.|No, defaults to `false`.
 `export.ndjson`
 |==============================================
-TIP: When using cURL to export rules to a file, use the `-O` and `-J` options to save the rules to the file name specified in the URL.
+TIP: When using cURL to export rules to a file, use the `-O` and `-J` options
+to save the rules to the file name specified in the URL.
 ==== Request body
diff --git a/docs/siem/detections/machine-learning/machine-learning.asciidoc b/docs/siem/detections/machine-learning/machine-learning.asciidoc
index 24f1e6de3c..964ef7168b 100644
--- a/docs/siem/detections/machine-learning/machine-learning.asciidoc
+++ b/docs/siem/detections/machine-learning/machine-learning.asciidoc
@@ -75,4 +75,4 @@ the ECS fields listed in each job description.
 NOTE: Some jobs use fields that are not ECS-compliant. These jobs are only
 available when you use {beats} to ship data.
-include::{stack-docs-root}/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs.asciidoc[tag=siem-jobs]
+include::{ml-dir}/anomaly-detection/ootb-ml-jobs.asciidoc[tag=siem-jobs]
diff --git a/docs/siem/index.asciidoc b/docs/siem/index.asciidoc
index 3b565c86da..0a1c2ad786 100644
--- a/docs/siem/index.asciidoc
+++ b/docs/siem/index.asciidoc
@@ -1,9 +1,9 @@
-:doctype: book
-:siem-soln: SIEM
-:siem-app: SIEM app
-:siem-ui: SIEM UI
-:ml-dir: {stack-docs-root}/docs/en/stack/ml
-:sn: ServiceNow
+// :doctype: book
+// :siem-soln: Elastic Security
+// :siem-app: Elastic Security app
+// :siem-ui: Elastic Security UI
+// :ml-dir: {stack-docs-root}/docs/en/stack/ml
+// :sn: ServiceNow
 // Removed for merging with unified security docs
 // = SIEM Guide
@@ -24,6 +24,6 @@ include::detections/detections-index.asciidoc[]
 include::cases/cases-index.asciidoc[]
-include::siem-apis.asciidoc[]
+// include::siem-apis.asciidoc[]
-include::field-ref.asciidoc[]
+// include::reference/ref-index.asciidoc[]
diff --git a/docs/siem/field-ref.asciidoc b/docs/siem/reference/field-ref.asciidoc
similarity index 97%
rename from docs/siem/field-ref.asciidoc
rename to docs/siem/reference/field-ref.asciidoc
index e611163fa2..67b0dbdee8 100644
--- a/docs/siem/field-ref.asciidoc
+++ b/docs/siem/reference/field-ref.asciidoc
@@ -1,8 +1,8 @@
 [[siem-field-reference]]
-[chapter, role="xpack"]
-= SIEM field reference guide
+[role="xpack"]
+== Elastic Security ECS field reference
-This section lists ECS fields the {siem-app} uses to display data.
+This section lists ECS fields Elastic Security uses to display data.
 IMPORTANT: It is recommended to use {beats} to ship your data. Beat modules
 (for example, {filebeat-ref}/filebeat-modules.html[{filebeat} modules])
diff --git a/docs/siem/reference/images/timeline-object-ui.png b/docs/siem/reference/images/timeline-object-ui.png
new file mode 100644
index 0000000000..41c74b5483
Binary files /dev/null and b/docs/siem/reference/images/timeline-object-ui.png differ
diff --git a/docs/siem/reference/ref-index.asciidoc b/docs/siem/reference/ref-index.asciidoc
new file mode 100644
index 0000000000..600debc20c
--- /dev/null
+++ b/docs/siem/reference/ref-index.asciidoc
@@ -0,0 +1,5 @@
+include::ref-intro.asciidoc[]
+
+include::field-ref.asciidoc[]
+
+include::timeline-schema.asciidoc[]
\ No newline at end of file
diff --git a/docs/siem/reference/ref-intro.asciidoc b/docs/siem/reference/ref-intro.asciidoc
new file mode 100644
index 0000000000..5f4d340736
--- /dev/null
+++ b/docs/siem/reference/ref-intro.asciidoc
@@ -0,0 +1,9 @@
+[[security-ref-intro]]
+[role="xpack"]
+= Elastic Security fields and object schemas
+
+This reference section provides details on the ECS fields Elastic Security uses
+to display data in the UI and Elastic Security JSON object schemas:
+
+* <>
+* <>
diff --git a/docs/siem/reference/timeline-schema.asciidoc b/docs/siem/reference/timeline-schema.asciidoc
new file mode 100644
index 0000000000..de2dd3443a
--- /dev/null
+++ b/docs/siem/reference/timeline-schema.asciidoc
@@ -0,0 +1,4 @@
+[[timeline-object-schema]]
+[role="xpack"]
+== Timeline schema
+
diff --git a/docs/siem/timeline/api/timeline-api-export.asciidoc b/docs/siem/timeline/api/timeline-api-export.asciidoc
new file mode 100644
index 0000000000..6cc57a9c41
--- /dev/null
+++ b/docs/siem/timeline/api/timeline-api-export.asciidoc
@@ -0,0 +1,56 @@
+[[timeline-api-export]]
+=== Export timelines
+
+Exports timelines to an ndjson file.
+
+==== Request URL
+
+`POST :/api/timeline/_export`
+
+
+===== URL query parameters
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description |Required
+
+|`exclude_export_details` |Boolean |Does not affect the returned file.|Yes
+|`file_name` |String |File name for saving the exported rules. |Yes
+|==============================================
+
+TIP: When using cURL to export timelines to a file, use the `-O` and `-J`
+options to save the timelines to the file name specified in the URL.
+
+==== Request body
+
+A JSON `ids` array containing the `savedObjectId` fields of the rules you want to export:
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description |Required
+
+|`ids` |String[] |Array of `savedObjectId` fields. |Yes
+|==============================================
+
+
+===== Example request
+
+Exports two timeline and saves them to the `timelines_export.ndjson` file:
+
+[source,console]
+--------------------------------------------------
+POST api/timeline/_export?exclude_export_details=false&file_name=timelines_export.ndjson
+{
+ "ids": [
+ "34ca11c0-9503-11ea-9f74-e7e108796192",
+ "21cf9a00-9048-11ea-9f74-e7e108796192"
+ ]
+}
+--------------------------------------------------
+// KIBANA
+
+
+==== Response code
+
+`200`::
+ Indicates a successful call.
\ No newline at end of file
diff --git a/docs/siem/timeline/api/timeline-api-import.asciidoc b/docs/siem/timeline/api/timeline-api-import.asciidoc
new file mode 100644
index 0000000000..c7b8618d16
--- /dev/null
+++ b/docs/siem/timeline/api/timeline-api-import.asciidoc
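Review bot: The parameter table and the request-body sentence in the new timeline export page still describe "rules", which reads as a copy from the rules export page: the `file_name` row should be `|`file_name` |String |File name for saving the exported timelines. |Yes` and the body sentence `A JSON `ids` array containing the `savedObjectId` fields of the timelines you want to export:`. The `exclude_export_details` row is also internally inconsistent, stating that the parameter "Does not affect the returned file" while marking it Required; either describe its effect or mark it optional with its default, as the rules export page does. Minor: `Exports two timeline and saves them` should read `Exports two timelines and saves them`.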
@@ -0,0 +1,40 @@
+[[timeline-api-import]]
+=== Import timelines
+
+Imports timelines from an ndjson file.
+
+==== Request URL
+
+`POST :/api/timeline/_import`
+
+The request must include:
+
+* The `Content-Type: multipart/form-data` HTTP header.
+* A link to the ndjson file containing the timelines.
+
+For example, using cURL:
+
+[source,console]
+--------------------------------------------------
+curl -X POST "/api/timeline/_import"
+-u : -H 'kbn-xsrf: true'
+-H 'Content-Type: multipart/form-data'
+--form "file=@" <1>
+--------------------------------------------------
+<1> The relative link to the ndjson file containing the timelines.
+
+===== Example request
+
+Imports the rules in the `timelines_export.ndjson` file:
+
+[source,console]
+--------------------------------------------------
+curl -X POST "api/detection_engine/rules/_import"
+-H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data'
+--form "file=@timelines_export.ndjson"
+--------------------------------------------------
+
+==== Response code
+
+`200`::
+ Indicates a successful call.
\ No newline at end of file
diff --git a/docs/siem/timeline/api/timeline-api-index.asciidoc b/docs/siem/timeline/api/timeline-api-index.asciidoc
new file mode 100644
index 0000000000..a311366760
--- /dev/null
+++ b/docs/siem/timeline/api/timeline-api-index.asciidoc
@@ -0,0 +1,5 @@
+include::timeline-api-overview.asciidoc[]
+
+include::timeline-api-export.asciidoc[]
+
+include::timeline-api-import.asciidoc[]
diff --git a/docs/siem/timeline/api/timeline-api-overview.asciidoc b/docs/siem/timeline/api/timeline-api-overview.asciidoc
new file mode 100644
index 0000000000..9fc366e12a
--- /dev/null
+++ b/docs/siem/timeline/api/timeline-api-overview.asciidoc
@@ -0,0 +1,8 @@
+[[timeline-api-overview]]
+[role="xpack"]
+== Timeline API
+
+beta[]
+
+You can create timelines and timeline templates via the API, as well export
+existing timelines and import new timelines from an ndjson file.
\ No newline at end of file
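Review bot: The example request in the new timeline import page posts to the detection-rules endpoint, `curl -X POST "api/detection_engine/rules/_import"`, although the page documents `POST :/api/timeline/_import` a few lines above; a reader who copies the example will send the timelines ndjson to the wrong API. The line should be `curl -X POST "api/timeline/_import"`, and the sentence introducing it should read `Imports the timelines in the `timelines_export.ndjson` file:` rather than "the rules".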