Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,244 questions
Microsoft Sentinel API - "triggerRuleRun" ExecutionTimeUtc Always Invalid
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 64%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Shafiq Aziz (Admin Account)
5
Reputation points
Issue Summary
We are trying to manually trigger a Microsoft Sentinel Scheduled Analytics Rule using the triggerRuleRun API, but it always fails with the following error:
{
Even when using the correct timestamp format, the API never accepts ExecutionTimeUtc.
API Request Used
Endpoint:
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/triggerRuleRun?api-version=2025-01-01-preview
Request Body:
{
"properties": {
"executionTimeUtc": "2025-02-19T05:17:49Z"
}
}
Headers:
Authorization: Bearer
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 77%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 86 Reputation points Microsoft External Staff2025-02-28T04:43:13.2333333+00:00 To manually trigger a Microsoft Sentinel rule via the
triggerRuleRunAPI, ensure the rule supports on-demand execution (check fortriggerOnDemandin the rule settings). Use a properly formatted timestamp ("executionTimeUtc": "2025-02-19T05:17:49.000Z") , future timestamps may not be supported. If the rule doesn't support manual triggering, you'll need to adjust its configuration or check permissions.
Sign in to comment
Sign in to answer