[Docs]Updates ToC - API and Reference Sections

docs/index.asciidoc

@@ -1,3 +1,10 @@
+:doctype:      book
+:siem-soln:    Elastic Security
+:siem-app:     Elastic Security app
+:siem-ui:      Elastic Security UI
+:ml-dir:       {stack-docs-root}/docs/en/stack/ml
+:sn: ServiceNow
+
 [[elastic-endpoint]]
 = Elastic Endpoint Security
 
@@ -14,4 +21,9 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 include::sensor-full-disk-access.asciidoc[]
 
 // Temporary fix of section levels
-include::siem/index.asciidoc[leveloffset=+1]
+include::siem/index.asciidoc[]
+
+include::siem-apis.asciidoc[]
+
+include::siem/reference/ref-index.asciidoc[]
+

docs/siem/siem-apis.asciidoc → docs/siem-apis.asciidoc

@@ -1,10 +1,11 @@
 [role="xpack"]
-[[siem-apis]]
-= SIEM APIs
+[[security-apis]]
+= Elastic Security APIs
 
 You can use these APIs to interface with {siem-soln} features:
 
 * <<rule-api-overview>>: Manage detection rules and signals
+* <<timeline-api-overview>>: Import and export timelines
 * <<cases-api-overview>>: Open and manage cases
 
 Additionally, the {kib} <<actions-api-overview, Actions API>> is partially
@@ -70,8 +71,10 @@ path component to its URL.
 {kibana-ref}/development-basepath.html[Considerations for basePath] describes 
 how to work with and disable the random path component.
 
-include::detections/api/det-api-index.asciidoc[]
+include::siem/detections/api/det-api-index.asciidoc[]
 
-include::cases/api/cases-api/cases-api-index.asciidoc[]
+include::siem/timeline/api/timeline-api-index.asciidoc[]
 
-include::cases/api/actions-api/cases-actions-api-index.asciidoc[]
+include::siem/cases/api/cases-api/cases-api-index.asciidoc[]
+
+include::siem/cases/api/actions-api/cases-actions-api-index.asciidoc[]

docs/siem/detections/api/rules-api-export.asciidoc

@@ -22,7 +22,8 @@ exported rules is returned.|No, defaults to `false`.
 `export.ndjson`
 |==============================================
 
-TIP: When using cURL to export rules to a file, use the `-O` and `-J` options to save the rules to the file name specified in the URL.
+TIP: When using cURL to export rules to a file, use the `-O` and `-J` options
+to save the rules to the file name specified in the URL.
 
 ==== Request body
 

docs/siem/detections/machine-learning/machine-learning.asciidoc

@@ -75,4 +75,4 @@ the ECS fields listed in each job description.
 NOTE: Some jobs use fields that are not ECS-compliant. These jobs are only
 available when you use {beats} to ship data.
 
-include::{stack-docs-root}/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs.asciidoc[tag=siem-jobs]
+include::{ml-dir}/anomaly-detection/ootb-ml-jobs.asciidoc[tag=siem-jobs]

docs/siem/index.asciidoc

@@ -1,9 +1,9 @@
-:doctype:      book
-:siem-soln:    SIEM
-:siem-app:     SIEM app
-:siem-ui:      SIEM UI
-:ml-dir:       {stack-docs-root}/docs/en/stack/ml
-:sn: ServiceNow
+// :doctype:      book
+// :siem-soln:    Elastic Security
+// :siem-app:     Elastic Security app
+// :siem-ui:      Elastic Security UI
+// :ml-dir:       {stack-docs-root}/docs/en/stack/ml
+// :sn: ServiceNow
 
 // Removed for merging with unified security docs
 // = SIEM Guide
@@ -24,6 +24,6 @@ include::detections/detections-index.asciidoc[]
 
 include::cases/cases-index.asciidoc[]
 
-include::siem-apis.asciidoc[]
+// include::siem-apis.asciidoc[]
 
-include::field-ref.asciidoc[]
+// include::reference/ref-index.asciidoc[]

docs/siem/field-ref.asciidoc → docs/siem/reference/field-ref.asciidoc

@@ -1,8 +1,8 @@
 [[siem-field-reference]]
-[chapter, role="xpack"]
-= SIEM field reference guide
+[role="xpack"]
+== Elastic Security ECS field reference
 
-This section lists ECS fields the {siem-app} uses to display data.
+This section lists ECS fields Elastic Security uses to display data.
 
 IMPORTANT: It is recommended to use {beats} to ship your data. Beat modules
 (for example, {filebeat-ref}/filebeat-modules.html[{filebeat} modules])

docs/siem/reference/ref-index.asciidoc

@@ -0,0 +1,5 @@
+include::ref-intro.asciidoc[]
+
+include::field-ref.asciidoc[]
+
+include::timeline-schema.asciidoc[]

docs/siem/reference/ref-intro.asciidoc

@@ -0,0 +1,9 @@
+[[security-ref-intro]]
+[role="xpack"]
+= Elastic Security fields and object schemas
+
+This reference section provides details on the ECS fields Elastic Security uses
+to display data in the UI and Elastic Security JSON object schemas:
+
+* <<siem-field-reference, ECS fields the used to display data>>
+* <<timeline-object-schema, Timeline object schema>>

docs/siem/reference/timeline-schema.asciidoc

@@ -0,0 +1,4 @@
+[[timeline-object-schema]]
+[role="xpack"]
+== Timeline schema
+

docs/siem/timeline/api/timeline-api-export.asciidoc

@@ -0,0 +1,56 @@
+[[timeline-api-export]]
+=== Export timelines
+
+Exports timelines to an ndjson file.
+
+==== Request URL
+
+`POST <kibana host>:<port>/api/timeline/_export`
+
+
+===== URL query parameters
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description |Required
+
+|`exclude_export_details` |Boolean |Does not affect the returned file.|Yes
+|`file_name` |String |File name for saving the exported rules. |Yes
+|==============================================
+
+TIP: When using cURL to export timelines to a file, use the `-O` and `-J`
+options to save the timelines to the file name specified in the URL.
+
+==== Request body
+
+A JSON `ids` array containing the `savedObjectId` fields of the rules you want to export:
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description |Required
+
+|`ids` |String[] |Array of `savedObjectId` fields. |Yes
+|==============================================
+
+
+===== Example request
+
+Exports two timeline and saves them to the `timelines_export.ndjson` file:
+
+[source,console]
+--------------------------------------------------
+POST api/timeline/_export?exclude_export_details=false&file_name=timelines_export.ndjson
+{
+  "ids": [
+    "34ca11c0-9503-11ea-9f74-e7e108796192",
+    "21cf9a00-9048-11ea-9f74-e7e108796192"
+  ]
+}
+--------------------------------------------------
+// KIBANA
+
+
+==== Response code
+
+`200`:: 
+    Indicates a successful call.

docs/siem/timeline/api/timeline-api-import.asciidoc

@@ -0,0 +1,40 @@
+[[timeline-api-import]]
+=== Import timelines
+
+Imports timelines from an ndjson file.
+
+==== Request URL
+
+`POST <kibana host>:<port>/api/timeline/_import`
+
+The request must include:
+
+* The `Content-Type: multipart/form-data` HTTP header.
+* A link to the ndjson file containing the timelines.
+
+For example, using cURL:
+
+[source,console]
+--------------------------------------------------
+curl -X POST "<KibanaURL>/api/timeline/_import"
+-u <username>:<password> -H 'kbn-xsrf: true'
+-H 'Content-Type: multipart/form-data'
+--form "file=@<link to file>" <1>
+--------------------------------------------------
+<1> The relative link to the ndjson file containing the timelines.
+
+===== Example request
+
+Imports the rules in the `timelines_export.ndjson` file:
+
+[source,console]
+--------------------------------------------------
+curl -X POST "api/detection_engine/rules/_import"
+-H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data'
+--form "file=@timelines_export.ndjson"
+--------------------------------------------------
+
+==== Response code
+
+`200`:: 
+    Indicates a successful call.

docs/siem/timeline/api/timeline-api-index.asciidoc

@@ -0,0 +1,5 @@
+include::timeline-api-overview.asciidoc[]
+
+include::timeline-api-export.asciidoc[]
+
+include::timeline-api-import.asciidoc[]

docs/siem/timeline/api/timeline-api-overview.asciidoc

@@ -0,0 +1,8 @@
+[[timeline-api-overview]]
+[role="xpack"]
+== Timeline API
+
+beta[]
+
+You can create timelines and timeline templates via the API, as well export
+existing timelines and import new timelines from an ndjson file.