azure, azure-sentinel, azure-monitor-workbooks

How do I search through the queries stored in Sentinel Workbooks?


I am required to search for a specific query, which is stored in a Sentinel workbook. Initially, I opened each workbook manually, clicked on edit and expanded all graphs to view the associated query. However, this process is time-consuming, particularly given the number of queries.

Is there a more efficient way to view all stored queries in a single workbook, such as a JSON file?

I attempted to utilise the Resource Graph Explorer to no avail, as the associated queries are not stored in the resource JSON.

Update

I found the code view editor through which I can search through the whole Workbook. It's not perfect but is faster than opening up all graphs.


Solution

  • For Sentinel templates, that repo (https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks) would be the place to start. Templates that are shipped as part of Azure Monitor are here: https://github.com/microsoft/Application-Insights-Workbooks/tree/master/Workbooks

    But for saved workbooks, they could have been saved from those templates, or created by any user, from any source.

    The content of the workbook is not available in Resource Graph (since it could be up to 2 MB in size, stored in BYOS storage, etc.).

    So if you wanted to be super thorough, you'd have to also write some kind of tool that enumerated every workbook resource you can see, do an ARM GET with canFetchContent=true for each workbook resource, and then search through the properties.serializedData field for the content you are looking for?
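The enumerate-then-GET approach the answer describes, as an added example that is not part of the original answer: a Python script that pulls one workbook's properties.serializedData through an ARM GET with canFetchContent=true and searches the KQL inside it. The ARM API version, the workbook item layout (query items carry content.query, groups nest content.items) and the sample workbook are assumptions; the resource IDs to feed it come from your own enumeration (Resource Graph or the Azure CLI).

```python
import json
import urllib.request
from typing import Iterator, List, Tuple

ARM = "https://management.azure.com"
# Assumed API version for Microsoft.Insights/workbooks; confirm the current one for your tenant.
API_VERSION = "2022-04-01"


def fetch_serialized_data(resource_id: str, bearer_token: str) -> str:
    """ARM GET of one workbook with canFetchContent=true; returns properties.serializedData.
    Needs a live token (e.g. from `az account get-access-token`); not called by the sample below."""
    url = f"{ARM}{resource_id}?api-version={API_VERSION}&canFetchContent=true"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        body = json.load(resp)
    return body["properties"]["serializedData"]


def iter_queries(node, path: str = "") -> Iterator[Tuple[str, str]]:
    """Walk the decoded workbook JSON and yield (item name, KQL) for every item with a query.
    Assumed layout: query items hold content.query, groups nest further items under content.items;
    a generic recursive walk covers both without hard-coding item type numbers."""
    if isinstance(node, dict):
        name = node.get("name") or path
        content = node.get("content")
        if isinstance(content, dict) and isinstance(content.get("query"), str):
            yield name, content["query"]
        for key, child in node.items():
            yield from iter_queries(child, f"{path}/{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from iter_queries(child, f"{path}[{i}]")


def search_workbook(serialized_data: str, needle: str) -> List[Tuple[str, str]]:
    """Return (name, query) for every query whose text contains needle, case-insensitively."""
    doc = json.loads(serialized_data)
    return [(n, q) for n, q in iter_queries(doc) if needle.lower() in q.lower()]


# Constructed sample of what properties.serializedData decodes to: one top-level query and one group.
SAMPLE = json.dumps({"version": "Notebook/1.0", "items": [
    {"type": 3, "name": "alerts", "content": {"version": "KqlItem/1.0",
     "query": "SecurityAlert | summarize count() by AlertName"}},
    {"type": 12, "name": "group", "content": {"version": "NotebookGroup/1.0", "items": [
        {"type": 3, "name": "signins", "content": {"version": "KqlItem/1.0",
         "query": "SigninLogs | where ResultType != 0 | take 50"}}]}}]})

if __name__ == "__main__":
    for name, query in search_workbook(SAMPLE, "SigninLogs"):
        print(f"{name}: {query}")
```

To cover a whole tenant, loop `fetch_serialized_data` over the workbook resource IDs you enumerated and call `search_workbook` on each result.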