================================================================================
VIOLATION REPORT FOR TASK 9_withhs_drift_alert_2_446242179_new
================================================================================

Total Violations: 2
================================================================================


================================================================================
VIOLATION #1
================================================================================

Step Index: 2
Assertion Name: kusto_invocation_requires_predefined_query_and_correct_cluster
Invariant Type: CAPABILITY
Check Type: python_check
Severity: medium

Check Hint:
----------------------------------------
When KustoAgent runs a query, it must be a predefined query present in the plan or prior Orchestrator instruction, and the query must be tailored to the incident's cluster (no placeholders like TODO/TBD/<CLUSTER>). Verify that a kusto code block exists earlier and that the current query's clusterName matches the cluster parsed from the incident description.
----------------------------------------

Evidence:
----------------------------------------
Current Event:
  Role: KustoAgent
  Content:
    **Kusto Query:**
    let driftedSettingName = 'enablepubsubauburnthrowingforsubscriberapi';
    cluster('azurecm').database('AzureCM').NetworkServiceManagerEvents
    | where PreciseTimeStamp > ago(6h)
    | where TaskName == 'ChangedSetting' and Message has driftedSettingName
    | parse Message with 'name="' SettingName '" value="' SettingValue '" buildVersion="' BuildVersion '"'
    | project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region
    | summarize arg_max(nsmTime, *) by Region, Tenant, SettingName
    | extend _key = tolower(Tenant)
    | join kind = leftouter (
    cluster('aznwsdn').database('aznwmds').NSMGoalState
    | where DataIngestionTime > ago(1d)
    | where not(InFlight)
    | where SettingName =~ driftedSettingName
    | summarize arg_max(DataIngestionTime, *) by ClusterName
    | project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)
    ) on _key
    | where ClusterName != ""
    | where ActualValue !~ ExpectedValue
    | project Region, ClusterName, ExpectedValue
    
     semantic_query_matcher: True 
    
    stub match:True 
    
    **Kusto result:**
    Query successful. 5 rows stored in Pandas DataFrame.
    df.head():
    |    | Region    | ClusterName   | ExpectedValue   |
    |---:|:----------|:--------------|:----------------|
    |  0 | swedenc   | TPA20PrdApp75 | AsyncWcf        |
    |  1 | uswest2   | GGA20PrdApp49 | 20              |
    |  2 | usstagesc | ORA20PrdApp83 | AsyncWcf        |
    |  3 | usstagee  | QHA20PrdApp32 | 20              |
    |  4 | usstagee  | XTA20PrdApp12 | False           |

Matched Substeps:
  Sub-index: 5
  Role: KustoAgent
----------------------------------------

Taxonomy Targets:
  - InvalidInvocation
  - Instruction/PlanAdherenceFailure
  - IntentPlanMisalignment

================================================================================
VIOLATION #2
================================================================================

Step Index: 4
Assertion Name: kusto_invocation_requires_predefined_query_and_correct_cluster
Invariant Type: CAPABILITY
Check Type: python_check
Severity: medium

Check Hint:
----------------------------------------
When KustoAgent runs a query, it must be a predefined query present in the plan or prior Orchestrator instruction, and the query must be tailored to the incident's cluster (no placeholders like TODO/TBD/<CLUSTER>). Verify that a kusto code block exists earlier and that the current query's clusterName matches the cluster parsed from the incident description.
----------------------------------------

Evidence:
----------------------------------------
Current Event:
  Role: KustoAgent
  Content:
    **Kusto Query:**
    let clusterName = 'TPA20PrdApp75';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    // Repeat for the second cluster
    let clusterName = 'GGA20PrdApp49';
    cluster('azurecm').database('AzureCM').LogTenantNetworkInfoSnapshot
    | where PreciseTimeStamp > ago(1d) and Tenant == clusterName
    | summarize dcount(serviceId)
    
    
     semantic_query_matcher: True 
    
    stub match:True 
    
    **Kusto result:**
    Query successful. 1 rows stored in Pandas DataFrame.
    df.head():
    |    |   dcount(serviceId) |
    |---:|--------------------:|
    |  0 |                   0 |

Matched Substeps:
  Sub-index: 5
  Role: KustoAgent
----------------------------------------

Taxonomy Targets:
  - InvalidInvocation
  - Instruction/PlanAdherenceFailure
  - IntentPlanMisalignment

================================================================================
END OF VIOLATION REPORT
================================================================================