[Tanium Intel] Create missing YARA intel on update and surface cache-miss outcomes in logs

[Copilot]

Label-driven updates could hit a cache miss for YARA indicators in the Tanium stream connector, resulting in no intel creation and no actionable log trail. This change makes YARA updates resilient to missing cache state and emits explicit logs for success/failure paths.

• Update-path behavior change (YARA only)

  • In IntelManager.update_intel_from_indicator, when Tanium intel ID is missing from cache:
    • pattern_type == "yara" now triggers create_intel_from_indicator(...) (upsert-on-update behavior).
    • Non-YARA behavior remains unchanged (no create on cache miss).

• Observability improvement

  • Added explicit structured logs for:
    • YARA cache miss + create attempt
    • YARA create success (with intel_id)
    • YARA create failure

• Focused regression coverage

  • Added stream/tanium-intel/tests/test_intel_manager.py cases for:
    • YARA cache miss → create path
    • Non-YARA cache miss → no-op path
    • YARA create failure → error log path

if intel_id is None:
    if indicator.get("pattern_type") == PATTERN_TYPE_YARA:
        self.helper.connector_logger.info(
            "[UPDATE] YARA indicator not found in cache, creating intel",
            {"id": indicator_opencti_id},
        )
        created_intel_id = self.create_intel_from_indicator(indicator)
        ...
        return created_intel_id
    self.helper.connector_logger.info(
        "[UPDATE] Indicator does not exist, doing nothing",
        {"id": indicator_opencti_id},
    )
    return None