[
  {
    "task_id": "7_withhs_drift_alert_1_412225437",
    "step_index": 2,
    "assertion_name": "kusto_invocation_requires_predefined_query_and_correct_cluster",
    "invariant_type": "CAPABILITY",
    "check_type": "python_check",
    "severity": "medium",
    "check_hint": "When KustoAgent runs a query, it must be a predefined query present in the plan or prior Orchestrator instruction, and the query must be tailored to the incident's cluster (no placeholders like TODO/TBD/<CLUSTER>). Verify that a kusto code block exists earlier and that the current query's clusterName matches the cluster parsed from the incident description.",
    "evidence": {
      "matched_substeps": [
        {
          "sub_index": 5,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\ncluster('aznwsdn').database('aznwmds').NSMGoalState\n| where DataIngestionTime > ago(1d)\n| where not(InFlight)\n| where SettingName =~ driftedSettingName\n| summarize arg_max(DataIngestionTime, *) by ClusterName\n| project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nError running Kusto Query:\nFailed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata"
        },
        {
          "sub_index": 10,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\n    cluster('aznwsdn').database('aznwmds').NSMGoalState\n    | where DataIngestionTime > ago(1d)\n    | where not(InFlight)\n    | where SettingName =~ driftedSettingName\n    | summarize arg_max(DataIngestionTime, *) by ClusterName\n    | project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nError running Kusto Query:\nFailed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata"
        },
        {
          "sub_index": 19,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\ncluster('aznwsdn').database('aznwmds').NSMGoalState\n| where DataIngestionTime > ago(1d)\n| where not(InFlight)\n| where SettingName =~ driftedSettingName\n| summarize arg_max(DataIngestionTime, *) by ClusterName\n| project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nError running Kusto Query:\nFailed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata"
        }
      ],
      "current_event": {
        "sub_index": 5,
        "role": "KustoAgent",
        "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\ncluster('aznwsdn').database('aznwmds').NSMGoalState\n| where DataIngestionTime > ago(1d)\n| where not(InFlight)\n| where SettingName =~ driftedSettingName\n| summarize arg_max(DataIngestionTime, *) by ClusterName\n| project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nError running Kusto Query:\nFailed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata"
      }
    },
    "taxonomy_targets": [
      "InvalidInvocation",
      "Instruction/PlanAdherenceFailure",
      "IntentPlanMisalignment"
    ]
  },
  {
    "task_id": "7_withhs_drift_alert_1_412225437",
    "step_index": 2,
    "assertion_name": "avoid_repeated_identical_kusto_query_after_network_failure",
    "invariant_type": "TEMPORAL",
    "check_type": "python_check",
    "severity": "medium",
    "check_hint": "If the KustoAgent encounters a network/endpoint failure for a given query, it should not repeat the exact same query invocation without changing conditions (e.g., endpoint, credentials). Detect multiple KustoAgent substeps in the same step where the identical query text is executed and produces the same 'Failed to process network request for the endpoint' error. If the same query fails more than once in this step, flag a violation.",
    "evidence": {
      "matched_substeps": [
        {
          "sub_index": 5,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\ncluster('aznwsdn').database('aznwmds').NSMGoalState\n| where DataIngestionTime > ago(1d)\n| where not(InFlight)\n| where SettingName =~ driftedSettingName\n| summarize arg_max(DataIngestionTime, *) by ClusterName\n| project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nError running Kusto Query:\nFailed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata"
        },
        {
          "sub_index": 10,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\n    cluster('aznwsdn').database('aznwmds').NSMGoalState\n    | where DataIngestionTime > ago(1d)\n    | where not(InFlight)\n    | where SettingName =~ driftedSettingName\n    | summarize arg_max(DataIngestionTime, *) by ClusterName\n    | project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nError running Kusto Query:\nFailed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata"
        },
        {
          "sub_index": 19,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\ncluster('aznwsdn').database('aznwmds').NSMGoalState\n| where DataIngestionTime > ago(1d)\n| where not(InFlight)\n| where SettingName =~ driftedSettingName\n| summarize arg_max(DataIngestionTime, *) by ClusterName\n| project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nError running Kusto Query:\nFailed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata"
        }
      ],
      "current_event": {
        "sub_index": 5,
        "role": "KustoAgent",
        "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\ncluster('aznwsdn').database('aznwmds').NSMGoalState\n| where DataIngestionTime > ago(1d)\n| where not(InFlight)\n| where SettingName =~ driftedSettingName\n| summarize arg_max(DataIngestionTime, *) by ClusterName\n| project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nError running Kusto Query:\nFailed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata"
      }
    },
    "taxonomy_targets": [
      "Instruction/PlanAdherenceFailure",
      "SystemFailure"
    ]
  },
  {
    "task_id": "7_withhs_drift_alert_1_412225437",
    "step_index": 2,
    "assertion_name": "kusto_error_endpoint_hostname_not_empty",
    "invariant_type": "CAPABILITY",
    "check_type": "python_check",
    "severity": "medium",
    "check_hint": "When KustoAgent reports an endpoint error, the endpoint URL must include a non-empty hostname before '.kusto.windows.net'. Detect error messages containing the endpoint URL and verify it does not match 'https://.kusto.windows.net...'. If the hostname is empty, flag a violation.",
    "evidence": {
      "matched_substeps": [
        {
          "sub_index": 5,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\ncluster('aznwsdn').database('aznwmds').NSMGoalState\n| where DataIngestionTime > ago(1d)\n| where not(InFlight)\n| where SettingName =~ driftedSettingName\n| summarize arg_max(DataIngestionTime, *) by ClusterName\n| project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nError running Kusto Query:\nFailed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata"
        },
        {
          "sub_index": 10,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\n    cluster('aznwsdn').database('aznwmds').NSMGoalState\n    | where DataIngestionTime > ago(1d)\n    | where not(InFlight)\n    | where SettingName =~ driftedSettingName\n    | summarize arg_max(DataIngestionTime, *) by ClusterName\n    | project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nError running Kusto Query:\nFailed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata"
        },
        {
          "sub_index": 19,
          "role": "KustoAgent",
          "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\ncluster('aznwsdn').database('aznwmds').NSMGoalState\n| where DataIngestionTime > ago(1d)\n| where not(InFlight)\n| where SettingName =~ driftedSettingName\n| summarize arg_max(DataIngestionTime, *) by ClusterName\n| project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nError running Kusto Query:\nFailed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata"
        }
      ],
      "current_event": {
        "sub_index": 5,
        "role": "KustoAgent",
        "content": "**Kusto Query:**\nlet driftedSettingName = 'VncEndpointCandidates';\ncluster('azurecm').database('AzureCM').NetworkServiceManagerEvents\n| where PreciseTimeStamp > ago(6h)\n| where TaskName == 'ChangedSetting' and Message has driftedSettingName\n| parse Message with 'name=\"' SettingName '\" value=\"' SettingValue '\" buildVersion=\"' BuildVersion '\"'\n| project nsmTime = PreciseTimeStamp, SettingName, ActualValue = SettingValue, BuildVersion, Tenant, Region\n| summarize arg_max(nsmTime, *) by Region, Tenant, SettingName\n| extend _key = tolower(Tenant)\n| join kind = leftouter (\ncluster('aznwsdn').database('aznwmds').NSMGoalState\n| where DataIngestionTime > ago(1d)\n| where not(InFlight)\n| where SettingName =~ driftedSettingName\n| summarize arg_max(DataIngestionTime, *) by ClusterName\n| project ClusterName, SettingName, ExpectedValue = SettingValue, _key = tolower(ClusterName)\n) on _key\n| where ClusterName != \"\"\n| where ActualValue !~ ExpectedValue\n| project Region, ClusterName, ExpectedValue\n\n semantic_query_matcher: True \n\nstub match:False \n\n**Kusto result:**\nError running Kusto Query:\nFailed to process network request for the endpoint: https://.kusto.windows.net/v1/rest/auth/metadata"
      }
    },
    "taxonomy_targets": [
      "InvalidInvocation",
      "SystemFailure"
    ]
  }
]
