================================================================================
VIOLATION REPORT FOR TASK 7_withhs_drift_alert_1_412225437_new
================================================================================

Total Violations: 3
================================================================================


================================================================================
VIOLATION #1
================================================================================

Step Index: 2
Assertion Name: kusto_invocation_requires_predefined_query_and_correct_cluster
Invariant Type: CAPABILITY
Check Type: python_check
Severity: medium

Check Hint:
----------------------------------------
When KustoAgent runs a query, it must be a predefined query present in the plan or prior Orchestrator instruction, and the query must be tailored to the incident's cluster (no placeholders like TODO/TBD/<CLUSTER>). Verify that a kusto code block exists earlier and that the current query's clusterName matches the cluster parsed from the incident description.
----------------------------------------

Evidence:
----------------------------------------
Current Event:
  Role: KustoAgent
  Content:
    **Kusto Query:**
    let driftedSettingName = 'VncEndpointCandidates';
    cluster('azurecm').database('AzureCM').NetworkServiceManagerEvents
    | where PreciseTimeStamp > ago(6h)
    | where TaskName == 'ChangedSetting' and Message has driftedSettingName
    | parse Message with 'name="' SettingName '" value="' SettingValue '" buildVersion="' BuildVersion '"'
    | project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region
    | summarize arg_max(nsmTime, *) by Region, Tenant, SettingName
    | extend _key = tolower(Tenant)
    | join kind = leftouter (
    cluster('aznwsdn').database('aznwmds').NSMGoalState
    | where DataIngestionTime > ago(1d)
    | where not(InFlight)
    | where SettingName =~ driftedSettingName
    | summarize arg_max(DataIngestionTime, *) by ClusterName
    | project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)
    ) on _key
    | where ClusterName != ""
    | where ActualValue !~ ExpectedValue
    | project Region, ClusterName, ExpectedValue
    
     semantic_query_matcher: True 
    
    stub match:False 
    
    **Kusto result:**
    Error running Kusto Query:
    Failed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata

Matched Substeps:
  Sub-index: 5
  Role: KustoAgent
  Sub-index: 10
  Role: KustoAgent
  Sub-index: 19
  Role: KustoAgent
----------------------------------------

Taxonomy Targets:
  - InvalidInvocation
  - Instruction/PlanAdherenceFailure
  - IntentPlanMisalignment

================================================================================
VIOLATION #2
================================================================================

Step Index: 2
Assertion Name: avoid_repeated_identical_kusto_query_after_network_failure
Invariant Type: TEMPORAL
Check Type: python_check
Severity: medium

Check Hint:
----------------------------------------
If the KustoAgent encounters a network/endpoint failure for a given query, it should not repeat the exact same query invocation without changing conditions (e.g., endpoint, credentials). Detect multiple KustoAgent substeps in the same step where the identical query text is executed and produces the same 'Failed to process network request for the endpoint' error. If the same query fails more than once in this step, flag a violation.
----------------------------------------

Evidence:
----------------------------------------
Current Event:
  Role: KustoAgent
  Content:
    **Kusto Query:**
    let driftedSettingName = 'VncEndpointCandidates';
    cluster('azurecm').database('AzureCM').NetworkServiceManagerEvents
    | where PreciseTimeStamp > ago(6h)
    | where TaskName == 'ChangedSetting' and Message has driftedSettingName
    | parse Message with 'name="' SettingName '" value="' SettingValue '" buildVersion="' BuildVersion '"'
    | project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region
    | summarize arg_max(nsmTime, *) by Region, Tenant, SettingName
    | extend _key = tolower(Tenant)
    | join kind = leftouter (
    cluster('aznwsdn').database('aznwmds').NSMGoalState
    | where DataIngestionTime > ago(1d)
    | where not(InFlight)
    | where SettingName =~ driftedSettingName
    | summarize arg_max(DataIngestionTime, *) by ClusterName
    | project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)
    ) on _key
    | where ClusterName != ""
    | where ActualValue !~ ExpectedValue
    | project Region, ClusterName, ExpectedValue
    
     semantic_query_matcher: True 
    
    stub match:False 
    
    **Kusto result:**
    Error running Kusto Query:
    Failed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata

Matched Substeps:
  Sub-index: 5
  Role: KustoAgent
  Sub-index: 10
  Role: KustoAgent
  Sub-index: 19
  Role: KustoAgent
----------------------------------------

Taxonomy Targets:
  - Instruction/PlanAdherenceFailure
  - SystemFailure

================================================================================
VIOLATION #3
================================================================================

Step Index: 2
Assertion Name: kusto_error_endpoint_hostname_not_empty
Invariant Type: CAPABILITY
Check Type: python_check
Severity: medium

Check Hint:
----------------------------------------
When KustoAgent reports an endpoint error, the endpoint URL must include a non-empty hostname before '.kusto.windows.net'. Detect error messages containing the endpoint URL and verify it does not match 'https://.kusto.windows.net...'. If the hostname is empty, flag a violation.
----------------------------------------

Evidence:
----------------------------------------
Current Event:
  Role: KustoAgent
  Content:
    **Kusto Query:**
    let driftedSettingName = 'VncEndpointCandidates';
    cluster('azurecm').database('AzureCM').NetworkServiceManagerEvents
    | where PreciseTimeStamp > ago(6h)
    | where TaskName == 'ChangedSetting' and Message has driftedSettingName
    | parse Message with 'name="' SettingName '" value="' SettingValue '" buildVersion="' BuildVersion '"'
    | project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region
    | summarize arg_max(nsmTime, *) by Region, Tenant, SettingName
    | extend _key = tolower(Tenant)
    | join kind = leftouter (
    cluster('aznwsdn').database('aznwmds').NSMGoalState
    | where DataIngestionTime > ago(1d)
    | where not(InFlight)
    | where SettingName =~ driftedSettingName
    | summarize arg_max(DataIngestionTime, *) by ClusterName
    | project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)
    ) on _key
    | where ClusterName != ""
    | where ActualValue !~ ExpectedValue
    | project Region, ClusterName, ExpectedValue
    
     semantic_query_matcher: True 
    
    stub match:False 
    
    **Kusto result:**
    Error running Kusto Query:
    Failed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata

Matched Substeps:
  Sub-index: 5
  Role: KustoAgent
  Sub-index: 10
  Role: KustoAgent
  Sub-index: 19
  Role: KustoAgent
----------------------------------------

Taxonomy Targets:
  - InvalidInvocation
  - SystemFailure

================================================================================
END OF VIOLATION REPORT
================================================================================