[o365] add agent replacement script test

[kcreddy]

Proposed commit message

[o365] add agent replacement script test

Verify that destroying and re-enrolling the agent does not lose
events. The new agent has no cursor state and re-collects from
initial_interval; fingerprint dedup on o365audit.Id prevents
duplicates. New blobs that appeared during the outage are picked up.

Note

Test only - no changelog needed.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

New script test runs successfully.

--- Test results for package: o365 - START ---
╭─────────┬─────────────┬───────────┬───────────────────┬────────┬─────────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME         │ RESULT │    TIME ELAPSED │
├─────────┼─────────────┼───────────┼───────────────────┼────────┼─────────────────┤
│ o365    │ audit       │ script    │ agent_replacement │ PASS   │ 2m13.009634417s │
│ o365    │ audit       │ script    │ env               │ PASS   │     68.517167ms │
╰─────────┴─────────────┴───────────┴───────────────────┴────────┴─────────────────╯
--- Test results for package: o365 - END   ---
Done

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 1dbc3ba

[infra-vault-gh-plugin-prod]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[efd6]

I don't think this test does this; specifically, it is incapable of detecting whether the four events from the first phase were not lost.

In order to do this I'd suggest having six events in the first phase, and then six events in the second phase (four of them shared with the first), and then confirming that the final state has eight events.

Phase 1: {sp,gen}-event-{001,002,003}: 6 events
Phase 2: {sp,gen}-event-{002,003,004}: 6 events (001 gone, 004 new)
Expected total: 8 distinct events