Description
Problem Statement
Our current Facet Search is a molecule (simple filter groups + counts). It’s great for light filtering but doesn’t scale for complex, multi-entity discovery (e.g., rules library, exceptions, assets, findings). We lack: multi-select logic (AND/OR/NOT), saved filter sets, pinned/global filters, range/date facets, dynamic facet suggestions, responsive/mobile behaviour, and a consistent API that syncs with KQL / query bar. Teams are re-implementing variations, causing inconsistency and duplicated effort.
Proposed Solution
Promote the Facet Search to an organism with a standardized API and UI, built from EUI primitives, that includes:
1. Facet primitives
• Term facets (checkbox list with counts, virtualized; “show more/less”).
• Range facets (numeric slider + min/max input).
• Date facets (relative/absolute; histogram preview optional).
• Hierarchical facets (e.g., Category → Subcategory).
• Boolean facets (toggle).
• Search-within-facet (typeahead when > 20 items).
2. Query logic & chips
• AND / OR / NOT per facet group.
• Include / exclude (chip shows “NOT tag: linux”).
• Removable chips with keyboard navigation; bulk clear.
• Sync with KQL/query bar and URL state.
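As an added example that is not part of this issue or of EUI's own code: a small TypeScript model of facet selections (per-group AND/OR/NOT, include/exclude, ranges, booleans) serialized to a KQL string for the query bar, plus the chip labels. The facet types, field names and sample values are assumptions. Every term value is quoted and escaped so user-typed facet text cannot change the structure of the generated query.

```typescript
// Hypothetical facet model (not EUI's API); field names are assumptions.
type TermFacet = { kind: "term"; field: string; values: string[]; op: "and" | "or"; exclude?: boolean };
type RangeFacet = { kind: "range"; field: string; min?: number; max?: number };
type BoolFacet = { kind: "boolean"; field: string; value: boolean };
type Facet = TermFacet | RangeFacet | BoolFacet;

// Quote a term value and escape backslashes and double quotes, so text a user
// typed into a facet (e.g. `a" or *`) is treated as a literal, not KQL syntax.
function kqlQuote(v: string): string {
  return `"${v.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
}

// One facet group -> one KQL expression (null when the group is empty).
function facetToKql(f: Facet): string | null {
  switch (f.kind) {
    case "term": {
      if (f.values.length === 0) return null;
      const list = f.values.map(kqlQuote).join(` ${f.op} `);
      const expr = f.values.length === 1 ? `${f.field}: ${list}` : `${f.field}: (${list})`;
      return f.exclude ? `not ${expr}` : expr; // "NOT" chips become a negated group
    }
    case "range": {
      const parts: string[] = [];
      if (f.min !== undefined) parts.push(`${f.field} >= ${f.min}`);
      if (f.max !== undefined) parts.push(`${f.field} <= ${f.max}`);
      return parts.length > 0 ? parts.join(" and ") : null;
    }
    case "boolean":
      return `${f.field}: ${f.value}`;
  }
}

// Groups are always combined with AND; the chosen AND/OR applies inside a group.
function facetsToKql(facets: Facet[]): string {
  return facets
    .map(facetToKql)
    .filter((s): s is string => s !== null)
    .map((s) => `(${s})`)
    .join(" and ");
}

// Chip text for each selected value, e.g. "NOT tag: linux".
function chipLabels(f: TermFacet): string[] {
  return f.values.map((v) => `${f.exclude ? "NOT " : ""}${f.field}: ${v}`);
}

// Constructed sample selection for a rules-library view.
const sampleFacets: Facet[] = [
  { kind: "term", field: "tag", values: ["linux"], op: "or", exclude: true },
  { kind: "term", field: "severity", values: ["high", "critical"], op: "or" },
  { kind: "range", field: "risk_score", min: 70, max: 100 },
  { kind: "boolean", field: "enabled", value: true },
];
```

The resulting string can be written to the query bar and to a URL parameter with `encodeURIComponent`, so the same state round-trips between chips, KQL and the URL.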
Use Case
- Security → Rules library: filter by rule type, severity, MITRE tactic/technique, tags, last updated, owner/package, enabled status.
- Exceptions library: filter by list type, tags, rule linkage, last edited, creator.
- Assets / Findings: filter by cloud provider, account, region, posture status, benchmark, resource type.
- Investigations / Alerts: filter by timeframe, status, rule id, risk score bands, host/user/ip tags.
Value / Impact
- End users: Faster discovery, fewer dead ends, reusable saved views (“My triage view”), clearer mental model via chips + logic.
- Library consumers (product teams): One organism reduces bespoke implementations; consistent UX across apps; faster feature delivery.
- Business: Increases adoption of libraries (rules/findings), improves time-to-value in trials, reduces support for “can’t find X”.
Why widely useful: Faceted filtering is a core pattern across Security, Observability, Search; improvements benefit multiple solutions.
Urgency
9.3 release
Do alternatives or workarounds exist?
Not really
Designs or Specs (Optional)