Add a skipped system test to exercise the new logic.

Skipped until negative system tests are possible.

Author: chrisberkhout

packages/o365/_dev/deploy/docker/config.yml

@@ -66,6 +66,21 @@ rules:
             - "application/json"
         body: |-
           {"contentType": "Audit.General","status": "enabled","webhook": null}
+  - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/start
+    methods: [POST]
+    query_params:
+      contentType: "Audit.TypeRequiringAdditionalPermissions"
+      PublisherIdentifier: test-cel-tenant-id
+    request_headers:
+      Authorization:
+        - "Bearer CELtoken"
+    responses:
+      - status_code: 401
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |-
+          {"error":{"code":"AF10001","message":"The permission set (...) sent in the request does not include the expected permission."}}
   - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/content
     methods: [GET]
     query_params:

packages/o365/data_stream/audit/_dev/test/system/test-cel-bad-creds-config.yml

@@ -0,0 +1,20 @@
+input: cel
+service: o365-cel
+vars: ~
+policy_template: o365
+data_stream:
+  vars:
+    url: http://{{Hostname}}:{{Port}}
+    token_url: http://{{Hostname}}:{{Port}}
+    preserve_original_event: true
+    client_id: test-cel-client-id
+    client_secret: test-cel-client-secret
+    azure_tenant_id: test-cel-tenant-id
+    content_types: "Audit.SharePoint, Audit.TypeRequiringAdditionalPermissions, Audit.General"
+    initial_interval: 12h
+    enable_request_tracer: true
+assert:
+  hit_count: 1
+skip:
+  reason: "Negative testing in system tests is not currently possible"
+  link: https://github.com/elastic/elastic-package/issues/2800