[
  {
    "task_id": "7_withouths_drift_alert_1_412225437",
    "step_index": 2,
    "assertion_name": "kusto_invocation_requires_predefined_query_and_correct_cluster",
    "invariant_type": "CAPABILITY",
    "check_type": "python_check",
    "severity": "medium",
    "check_hint": "When KustoAgent runs a query, it must be a predefined query present in the plan or prior Orchestrator instruction, and the query must be tailored to the incident's cluster (no placeholders like TODO/TBD/<CLUSTER>). Verify that a kusto code block exists earlier and that the current query's clusterName matches the cluster parsed from the incident description.",
    "evidence": {
      "matched_substeps": [
        {
          "sub_index": 5,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\ncluster('aznwsdn').database('aznwmds').NSMGoalState\n| where DataIngestionTime > ago(1d)\n| where not(InFlight)\n| where SettingName =~ driftedSettingName\n| summarize arg_max(DataIngestionTime, *) by ClusterName\n| project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:True \n\n**Kusto result:**\nQuery successful. 5 rows stored in Pandas DataFrame.\ndf.head():\n|    | Region      | ClusterName   | ExpectedValue   |\n|---:|:------------|:--------------|:----------------|\n|  0 | usstagesc   | TPA20PrdApp75 | AsyncWcf        |\n|  1 | useast2euap | GGA20PrdApp49 | 20              |\n|  2 | usstagesc   | ORA20PrdApp83 | AsyncWcf        |\n|  3 | usstagesc   | QHA20PrdApp32 | 20              |\n|  4 | usstagee    | XTA20PrdApp12 | False           |"
        }
      ],
      "current_event": {
        "sub_index": 5,
        "role": "KustoAgent",
        "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\ncluster('aznwsdn').database('aznwmds').NSMGoalState\n| where DataIngestionTime > ago(1d)\n| where not(InFlight)\n| where SettingName =~ driftedSettingName\n| summarize arg_max(DataIngestionTime, *) by ClusterName\n| project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:True \n\n**Kusto result:**\nQuery successful. 5 rows stored in Pandas DataFrame.\ndf.head():\n|    | Region      | ClusterName   | ExpectedValue   |\n|---:|:------------|:--------------|:----------------|\n|  0 | usstagesc   | TPA20PrdApp75 | AsyncWcf        |\n|  1 | useast2euap | GGA20PrdApp49 | 20              |\n|  2 | usstagesc   | ORA20PrdApp83 | AsyncWcf        |\n|  3 | usstagesc   | QHA20PrdApp32 | 20              |\n|  4 | usstagee    | XTA20PrdApp12 | False           |"
      }
    },
    "taxonomy_targets": [
      "InvalidInvocation",
      "Instruction/PlanAdherenceFailure",
      "IntentPlanMisalignment"
    ]
  },
  {
    "task_id": "7_withouths_drift_alert_1_412225437",
    "step_index": 4,
    "assertion_name": "kusto_invocation_requires_predefined_query_and_correct_cluster",
    "invariant_type": "CAPABILITY",
    "check_type": "python_check",
    "severity": "medium",
    "check_hint": "When KustoAgent runs a query, it must be a predefined query present in the plan or prior Orchestrator instruction, and the query must be tailored to the incident's cluster (no placeholders like TODO/TBD/<CLUSTER>). Verify that a kusto code block exists earlier and that the current query's clusterName matches the cluster parsed from the incident description.",
    "evidence": {
      "matched_substeps": [
        {
          "sub_index": 5,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet clusterName = 'TPA20PrdApp75';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'GGA20PrdApp49';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'ORA20PrdApp83';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'QHA20PrdApp32';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'XTA20PrdApp12';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nKustoApiError: Request is invalid and cannot be processed: Syntax error: SYN0002: Expected: , [line:position=4:30]; "
        },
        {
          "sub_index": 10,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet clusterName = 'TPA20PrdApp75';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'GGA20PrdApp49';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'ORA20PrdApp83';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'QHA20PrdApp32';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'XTA20PrdApp12';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nKustoApiError: Request is invalid and cannot be processed: Syntax error: SYN0002: Expected: , [line:position=4:30]; "
        },
        {
          "sub_index": 15,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet clusterName = 'TPA20PrdApp75';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'GGA20PrdApp49';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'ORA20PrdApp83';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'QHA20PrdApp32';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'XTA20PrdApp12';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nKustoApiError: Request is invalid and cannot be processed: Syntax error: SYN0002: Expected: , [line:position=4:30]; "
        },
        {
          "sub_index": 24,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet clusterName = 'BY1PrdApp28';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nQuery successful. 1 rows stored in Pandas DataFrame.\ndf.head():\n|    |   dcount_serviceId |\n|---:|-------------------:|\n|  0 |              17866 |"
        }
      ],
      "current_event": {
        "sub_index": 5,
        "role": "KustoAgent",
        "content": "**Kusto Query:**\nlet clusterName = 'TPA20PrdApp75';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'GGA20PrdApp49';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'ORA20PrdApp83';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'QHA20PrdApp32';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\nlet clusterName = 'XTA20PrdApp12';\ncluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot\n| where PreciseTimeStamp > ago(1d) and Tenant == clusterName\n| summarize dcount(serviceId)\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nKustoApiError: Request is invalid and cannot be processed: Syntax error: SYN0002: Expected: , [line:position=4:30]; "
      }
    },
    "taxonomy_targets": [
      "InvalidInvocation",
      "Instruction/PlanAdherenceFailure",
      "IntentPlanMisalignment"
    ]
  }
]
