starts adding timeline api and object schema

Author: Ben Skelker

docs/siem/detections/api/rules-api-export.asciidoc

@@ -22,7 +22,8 @@ exported rules is returned.|No, defaults to `false`.
 `export.ndjson`
 |==============================================
 
-TIP: When using cURL to export rules to a file, use the `-O` and `-J` options to save the rules to the file name specified in the URL.
+TIP: When using cURL to export rules to a file, use the `-O` and `-J` options
+to save the rules to the file name specified in the URL.
 
 ==== Request body
 

docs/siem/detections/machine-learning/machine-learning.asciidoc

@@ -75,4 +75,4 @@ the ECS fields listed in each job description.
 NOTE: Some jobs use fields that are not ECS-compliant. These jobs are only
 available when you use {beats} to ship data.
 
-include::{stack-docs-root}/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs.asciidoc[tag=siem-jobs]
+include::{ml-dir}/anomaly-detection/ootb-ml-jobs.asciidoc[tag=siem-jobs]

docs/siem/index.asciidoc

@@ -26,4 +26,4 @@ include::cases/cases-index.asciidoc[]
 
 include::siem-apis.asciidoc[]
 
-include::field-ref.asciidoc[]
+include::reference/ref-index.asciidoc[]

docs/siem/field-ref.asciidoc renamed to docs/siem/reference/field-ref.asciidoc

@@ -1,6 +1,6 @@
 [[siem-field-reference]]
-[chapter, role="xpack"]
-= SIEM field reference guide
+[role="xpack"]
+== SIEM field reference guide
 
 This section lists ECS fields the {siem-app} uses to display data.
 

docs/siem/reference/ref-index.asciidoc

@@ -0,0 +1,5 @@
+include::ref-intro.asciidoc[]
+
+include::field-ref.asciidoc[]
+
+include::timeline-schema.asciidoc[]

docs/siem/reference/ref-intro.asciidoc

@@ -0,0 +1,9 @@
+[[siem-ref-intro]]
+[role="xpack"]
+= SIEM fields and objects
+
+This section lists ECS fields the {siem-app} uses to display data and
+{siem-soln} JSON object schemas:
+
+* <<siem-field-reference, ECS fields the {siem-app} uses to display data>>
+* <<timeline-object-schema>>

docs/siem/reference/timeline-schema.asciidoc

@@ -0,0 +1,45 @@
+[[timeline-object-schema]]
+[role="xpack"]
+== Timeline object schema
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`columns` |Object[] |The timeline's displayed columns.
+|`created` |Float |The time the timeline was created, using a
+13-digit Epoch timestamp.
+|`createdBy` |String |The user who created the timeline.
+|`dataProviders` |Object[] |The dropzone query.
+|`dateRange` |Object |The timeline's range.
+|`description` |String |The timeline's description.
+|`eventNotes` |Object[] |Ben: ??Notes added to specific events.
+|`eventType` |String a|Event types displayed in the timeline, which can be:
+
+* `all`: all events
+* `raw`: raw events only
+* `signal`: signals only
+
+|`filters` |Object[] |Filters used in addition to the dropzone query.
+|`globalNotes` |Object[] |Notes added to the timeline.
+|`kqlMode` |String a|Determines whether the dropzone queries are filtered (`and`) or additional search results are displayed (`or`), can be:
+
+* `filter`: filters dropzone query results
+* `search`: displays additional search results
+
+|`kqlQuery` |Object |Determines whether additional filters use KQL or Lucene
+queries.
+|`pinnedEventIds` |Object[] |Pinned events
+|`savedObjectId` |String |Saved object ID.
+|`savedQueryId` |String |If used, the saved query ID used to filter or search
+dropzone query results.
+|`sort` |Object |Determines how rows are sorted in the result's grid.
+|`templateTimelineId` |Ben: ??? |
+|`templateTimelineVersion` |Ben: ??? |
+|`timelineType` |String |Ben: ????
+|`title` |String |The timeline's title.
+|`updated` |Float |The time the timeline was last updated, using a
+13-digit Epoch timestamp.
+|`updatedBy` |String |The user who last updated the timeline.
+|`version` |String |Timeline version.
+|==============================================

docs/siem/siem-apis.asciidoc

@@ -5,6 +5,7 @@
 You can use these APIs to interface with {siem-soln} features:
 
 * <<rule-api-overview>>: Manage detection rules and signals
+* <<timeline-api-overview>>: Import and export timelines
 * <<cases-api-overview>>: Open and manage cases
 
 Additionally, the {kib} <<actions-api-overview, Actions API>> is partially
@@ -72,6 +73,8 @@ how to work with and disable the random path component.
 
 include::detections/api/det-api-index.asciidoc[]
 
+include::timeline/api/timeline-api-index.asciidoc[]
+
 include::cases/api/cases-api/cases-api-index.asciidoc[]
 
-include::cases/api/actions-api/cases-actions-api-index.asciidoc[]
+include::cases/api/actions-api/cases-actions-api-index.asciidoc[]

docs/siem/timeline/api/timeline-api-export.asciidoc

@@ -0,0 +1,56 @@
+[[timeline-api-export]]
+=== Export timelines
+
+Exports timelines to an ndjson file.
+
+==== Request URL
+
+`POST <kibana host>:<port>/api/timeline/_export`
+
+
+===== URL query parameters
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description |Required
+
+|`exclude_export_details` |Boolean |Does not affect the returned file.|Yes
+|`file_name` |String |File name for saving the exported rules. |Yes
+|==============================================
+
+TIP: When using cURL to export timelines to a file, use the `-O` and `-J`
+options to save the timelines to the file name specified in the URL.
+
+==== Request body
+
+A JSON `ids` array containing the `savedObjectId` fields of the rules you want to export:
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description |Required
+
+|`ids` |String[] |Array of `savedObjectId` fields. |Yes
+|==============================================
+
+
+===== Example request
+
+Exports two timeline and saves them to the `timelines_export.ndjson` file:
+
+[source,console]
+--------------------------------------------------
+POST api/timeline/_export?exclude_export_details=false&file_name=timelines_export.ndjson
+{
+  "ids": [
+    "34ca11c0-9503-11ea-9f74-e7e108796192",
+    "21cf9a00-9048-11ea-9f74-e7e108796192"
+  ]
+}
+--------------------------------------------------
+// KIBANA
+
+
+==== Response code
+
+`200`:: 
+    Indicates a successful call.

docs/siem/timeline/api/timeline-api-import.asciidoc

@@ -0,0 +1,40 @@
+[[timeline-api-import]]
+=== Import timelines
+
+Imports timelines from an ndjson file.
+
+==== Request URL
+
+`POST <kibana host>:<port>/api/timeline/_import`
+
+The request must include:
+
+* The `Content-Type: multipart/form-data` HTTP header.
+* A link to the ndjson file containing the timelines.
+
+For example, using cURL:
+
+[source,console]
+--------------------------------------------------
+curl -X POST "<KibanaURL>/api/timeline/_import"
+-u <username>:<password> -H 'kbn-xsrf: true'
+-H 'Content-Type: multipart/form-data'
+--form "file=@<link to file>" <1>
+--------------------------------------------------
+<1> The relative link to the ndjson file containing the timelines.
+
+===== Example request
+
+Imports the rules in the `timelines_export.ndjson` file:
+
+[source,console]
+--------------------------------------------------
+curl -X POST "api/detection_engine/rules/_import"
+-H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data'
+--form "file=@timelines_export.ndjson"
+--------------------------------------------------
+
+==== Response code
+
+`200`:: 
+    Indicates a successful call.