I am required to search for a specific query, which is stored in a Sentinel workbook.
Initially, I opened each workbook manually, clicked on edit and expanded all graphs to view the associated query. However, this process is time-consuming, particularly given the number of queries.
Is there a more efficient way to view all stored queries in a single workbook, such as a JSON file?
I attempted to utilise the Resource Graph Explorer to no avail, as the associated queries are not stored in the resource JSON.
Update
I found the code view editor through which I can search through the whole Workbook. It’s not perfect but is faster than opening up all graphs.
2 Answers
If this is a workbook that was installed from the Sentinel content hub, it should be available in the GitHub repository as JSON:
https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks
It might be in another directory, depending on whether it is an individual workbook or was installed as part of another solution.
For Sentinel templates, that repo (https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks) would be the place to start. Templates that are shipped as part of Azure Monitor are here: https://github.com/microsoft/Application-Insights-Workbooks/tree/master/Workbooks
But for saved workbooks, they could have been saved from those templates, or created by any user, from any source.
The content of the workbook is not available in Resource Graph (since it could be up to 2 MB in size, stored in BYOS storage, etc.).
So if you wanted to be super thorough, you’d have to also write some kind of tool that enumerated every workbook resource you can see, did an ARM GET with canFetchContent=true for each workbook resource, and then searched through the properties.serializedData field for the content you are looking for.