Issue Summary
I am trying to manually trigger a Microsoft Sentinel Scheduled Analytics Rule using the triggerRuleRun API, but it always fails with the following error:
{ "errors": { "Properties.ExecutionTimeUtc": [ "The field ExecutionTimeUtc is invalid." ] }, "status": 400}
Even when using the correct timestamp format, the API never accepts ExecutionTimeUtc.
API Request Used
Reference: ;tabs=HTTP
Endpoint:
POST /{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/triggerRuleRun?api-version=2025-01-01-preview
Request Body:
{ "properties": { "executionTimeUtc": "2025-02-19T05:17:49Z" }}
Headers:
Authorization: Bearer <Valid-Token>
Content-Type: application/json
We followed Microsoft’s official documentation, but the API always fails.
What I Have Tried
Different timestamp formats:
"2025-02-19T05:17:49Z"
"2025-02-19T05:17:49.000Z"
"2025-02-19T05:17:49.970379Z"
Using both past and future timestamps.
None worked.
Tried different API versions:
2025-01-01-preview
2023-12-01-preview
2023-10-01-preview
Same error in all versions.
Checked Analytics Rule settings in Sentinel:
The rule is enabled and scheduled.
There is no option in the Sentinel UI to allow manual execution.
Does Sentinel allow manually triggering scheduled rules?
Verified API permissions:
We have Microsoft Sentinel Contributor role.
API authentication works for other Sentinel APIs.
Tested in Python instead of Postman:
- Same 400 Bad Request error.
Questions
Does Sentinel allow manually triggering a scheduled rule via API?
If yes, how can we enable it?
The documentation does not mention enabling manual execution.
Are there any undocumented restrictions on executionTimeUtc?
Does the API require a specific timestamp format?
Does executionTimeUtc only support past times?
Is triggerOnDemand: true required in the rule settings?
This field is not documented anywhere.
How can we check if a rule supports on-demand execution?