[
  {
    "task_id": "9_withouths_drift_alert_3_448197471",
    "step_index": 2,
    "assertion_name": "kusto_invocation_requires_predefined_query_and_correct_cluster",
    "invariant_type": "CAPABILITY",
    "check_type": "python_check",
    "severity": "medium",
    "check_hint": "When KustoAgent runs a query, it must be a predefined query present in the plan or prior Orchestrator instruction, and the query must be tailored to the incident's cluster (no placeholders like TODO/TBD/<CLUSTER>). Verify that a kusto code block exists earlier and that the current query's clusterName matches the cluster parsed from the incident description.",
    "evidence": {
      "matched_substeps": [
        {
          "sub_index": 5,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet driftedSettingName = 'EnableForceDeleteOnDisconnectVmNetworkMerlin';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\n    cluster('aznwsdn').database('aznwmds').NSMGoalState\n    | where DataIngestionTime > ago(1d)\n    | where not(InFlight)\n    | where SettingName =~ driftedSettingName\n    | summarize arg_max(DataIngestionTime, *) by ClusterName\n    | project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:True \n\n**Kusto result:**\nQuery successful. 3 rows stored in Pandas DataFrame.\ndf.head():\n|    | Region   | ClusterName   | ExpectedValue   |\n|---:|:---------|:--------------|:----------------|\n|  0 | uswest2  | ORA21PrdApp13 | AsyncWcf        |\n|  1 | usstagee | QHA19DevApp75 | 20              |\n|  2 | useast   | XTA21PrdApp92 | AsyncWcf        |"
        }
      ],
      "current_event": {
        "sub_index": 5,
        "role": "KustoAgent",
        "content": "**Kusto Query:**\nlet driftedSettingName = 'EnableForceDeleteOnDisconnectVmNetworkMerlin';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\n    cluster('aznwsdn').database('aznwmds').NSMGoalState\n    | where DataIngestionTime > ago(1d)\n    | where not(InFlight)\n    | where SettingName =~ driftedSettingName\n    | summarize arg_max(DataIngestionTime, *) by ClusterName\n    | project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:True \n\n**Kusto result:**\nQuery successful. 3 rows stored in Pandas DataFrame.\ndf.head():\n|    | Region   | ClusterName   | ExpectedValue   |\n|---:|:---------|:--------------|:----------------|\n|  0 | uswest2  | ORA21PrdApp13 | AsyncWcf        |\n|  1 | usstagee | QHA19DevApp75 | 20              |\n|  2 | useast   | XTA21PrdApp92 | AsyncWcf        |"
      }
    },
    "taxonomy_targets": [
      "InvalidInvocation",
      "Instruction/PlanAdherenceFailure",
      "IntentPlanMisalignment"
    ]
  },
  {
    "task_id": "9_withouths_drift_alert_3_448197471",
    "step_index": 4,
    "assertion_name": "kusto_invocation_requires_predefined_query_and_correct_cluster",
    "invariant_type": "CAPABILITY",
    "check_type": "python_check",
    "severity": "medium",
    "check_hint": "When KustoAgent runs a query, it must be a predefined query present in the plan or prior Orchestrator instruction, and the query must be tailored to the incident's cluster (no placeholders like TODO/TBD/<CLUSTER>). Verify that a kusto code block exists earlier and that the current query's clusterName matches the cluster parsed from the incident description.",
    "evidence": {
      "matched_substeps": [
        {
          "sub_index": 5,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet clusterName = 'ORA21PrdApp13';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\n semantic_query_matcher: True \n\nstub match:True \n\n**Kusto result:**\nQuery successful. 1 rows stored in Pandas DataFrame.\ndf.head():\n|    |   dcount(serviceId) |\n|---:|--------------------:|\n|  0 |                   4 |"
        },
        {
          "sub_index": 10,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet clusterName = 'QHA19DevApp75';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nQuery successful. 1 rows stored in Pandas DataFrame.\ndf.head():\n|    |   dcount_serviceId |\n|---:|-------------------:|\n|  0 |                  0 |"
        },
        {
          "sub_index": 15,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet clusterName = 'XTA21PrdApp92';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\n semantic_query_matcher: True \n\nstub match:True \n\n**Kusto result:**\nQuery successful. 1 rows stored in Pandas DataFrame.\ndf.head():\n|    |   dcount(serviceId) |\n|---:|--------------------:|\n|  0 |                   5 |"
        }
      ],
      "current_event": {
        "sub_index": 5,
        "role": "KustoAgent",
        "content": "**Kusto Query:**\nlet clusterName = 'ORA21PrdApp13';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\n semantic_query_matcher: True \n\nstub match:True \n\n**Kusto result:**\nQuery successful. 1 rows stored in Pandas DataFrame.\ndf.head():\n|    |   dcount(serviceId) |\n|---:|--------------------:|\n|  0 |                   4 |"
      }
    },
    "taxonomy_targets": [
      "InvalidInvocation",
      "Instruction/PlanAdherenceFailure",
      "IntentPlanMisalignment"
    ]
  }
]
