
fix(azure): update flow log compliance text for NSG retirement#10937

Merged
danibarranqueroo merged 2 commits into
prowler-cloud:masterfrom
davletd:fix/azure-cis-flow-log-retirement-guidance
Apr 29, 2026

Conversation

@davletd davletd commented Apr 29, 2026

Context

Fix #10936

PR #10645 fixed the Azure Network Watcher flow log check behavior and generic check metadata. After that merge, some Azure compliance mappings still contained stale flow-log text for the legacy controls.

The remaining problem is compliance-content specific: several Azure entries still tell users to create or inspect NSG flow logs directly, including old NSG-only portal steps, az network watcher flow-log configure --nsg ... examples, or NSG-only control wording. That guidance is misleading now that Azure stopped allowing creation of new NSG flow logs after June 30, 2025 and is retiring them on September 30, 2027.

This PR keeps the control mappings intact and updates only the Azure compliance text.

Description

  • update the Azure CIS remediation text for the legacy network_flow_log_captured_sent mappings so it is retirement-aware and points new or migrated deployments to Virtual network flow logs
  • update the Azure CIS audit text for the same mappings so it no longer implies an NSG-only review path
  • update the Azure CIS remediation and audit text for the legacy network_flow_log_more_than_90_days mappings to remove deprecated --nsg CLI guidance and reflect current flow log migration guidance
  • update prowler_threatscore_azure.json so the custom flow-log narrative uses Network Watcher / supported-target wording instead of NSG-only wording and reflects the current retention logic
  • add an SDK changelog entry for the compliance-text cleanup

Steps to review

  1. Review the Azure compliance updates in:

    • prowler/compliance/azure/cis_2.0_azure.json
    • prowler/compliance/azure/cis_2.1_azure.json
    • prowler/compliance/azure/cis_3.0_azure.json
    • prowler/compliance/azure/cis_4.0_azure.json
    • prowler/compliance/azure/cis_5.0_azure.json
    • prowler/compliance/azure/prowler_threatscore_azure.json
  2. Confirm the legacy NSG benchmark entries now:

    • keep the original benchmark control mapping/title where required by the source benchmark
    • clarify that existing NSG flow logs may still be reviewed until migration is complete
    • direct new or migrated deployments to Virtual network flow logs
    • remove deprecated NSG-only remediation steps such as az network watcher flow-log configure --nsg ...
  3. Confirm the ThreatScore flow-log entries now:

    • use Network Watcher flow logs wording instead of Network Security Group Flow logs
    • refer to supported targets such as virtual networks and network security groups
    • reflect retention logic of 0 or at least 90 days
  4. Confirm the SDK changelog entry in prowler/CHANGELOG.md.

  5. Validate JSON syntax:

    python3 - <<'PY'
    import json, pathlib
    # Parse every Azure compliance file; json.load raises on the first syntax error.
    for p in sorted(pathlib.Path('prowler/compliance/azure').glob('*.json')):
        with open(p) as f:
            json.load(f)
    print('json-ok')
    PY

Expected result: json-ok.

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? No

UI

  • Not applicable.

API

  • Not applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
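A small review helper for step 2 of the checklist above, added here as an example and not part of the Prowler code base: it loads a compliance document, picks the requirements mapped to the two flow-log checks named in the PR, and reports any text that still carries the deprecated `--nsg` CLI step or the old "Network Security Group Flow logs" wording. It assumes the compliance JSON has a top-level `Requirements` list whose entries carry an `Id` and a `Checks` list; the sample document is constructed.

```python
import json
import pathlib
import re
from typing import Iterator

# Check ids whose legacy NSG wording this PR rewrites (names taken from the PR text).
FLOW_LOG_CHECKS = {"network_flow_log_captured_sent", "network_flow_log_more_than_90_days"}

# Phrases that should no longer appear in flow-log compliance text after the cleanup.
STALE_PATTERNS = [
    re.compile(r"flow-log\s+configure\b.*--nsg", re.IGNORECASE),
    re.compile(r"Network Security Group Flow logs", re.IGNORECASE),
]


def _strings(node) -> Iterator[str]:
    """Yield every string value nested anywhere inside a JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _strings(item)


def find_stale_guidance(doc: dict) -> list[tuple[str, str]]:
    """Return (requirement id, matched pattern) for flow-log requirements with stale text."""
    hits = []
    for req in doc.get("Requirements", []):  # assumed top-level structure
        if not FLOW_LOG_CHECKS & set(req.get("Checks", [])):
            continue  # requirements for other checks are out of scope for this PR
        for text in _strings(req):
            for pattern in STALE_PATTERNS:
                if pattern.search(text):
                    hits.append((str(req.get("Id")), pattern.pattern))
    return hits


def scan_directory(path: str = "prowler/compliance/azure") -> dict[str, list[tuple[str, str]]]:
    """Parse every compliance file (step 5) and collect stale hits per file name."""
    return {p.name: find_stale_guidance(json.loads(p.read_text()))
            for p in sorted(pathlib.Path(path).glob("*.json"))}


# Constructed sample: 6.5 still carries the deprecated CLI step, 6.6 is already updated,
# and 1.1 mentions NSG flow logs but is not mapped to a flow-log check, so it is ignored.
SAMPLE_DOC = {"Framework": "CIS", "Provider": "Azure", "Requirements": [
    {"Id": "6.5", "Checks": ["network_flow_log_captured_sent"],
     "Attributes": [{"RemediationProcedure": "az network watcher flow-log configure --nsg MyNsg --enabled true"}]},
    {"Id": "6.6", "Checks": ["network_flow_log_more_than_90_days"],
     "Attributes": [{"RemediationProcedure": "Use Virtual network flow logs; retention of 0 or at least 90 days."}]},
    {"Id": "1.1", "Checks": ["other_check"],
     "Attributes": [{"RemediationProcedure": "Network Security Group Flow logs are unrelated here."}]}]}

if __name__ == "__main__":
    for req_id, pattern in find_stale_guidance(SAMPLE_DOC):
        print(f"stale guidance in requirement {req_id}: /{pattern}/")
```

Run `scan_directory()` from the repository root to apply the same check to the real files listed in step 1; an empty list per file is the expected result after this PR.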

@davletd davletd requested review from a team as code owners April 29, 2026 12:59
@github-actions github-actions Bot added the compliance Issues/PRs related with the Compliance Frameworks label Apr 29, 2026

github-actions Bot commented Apr 29, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions github-actions Bot added the community Opened by the Community label Apr 29, 2026

codecov Bot commented Apr 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.17%. Comparing base (7076900) to head (1fce68d).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff             @@
##           master   #10937       +/-   ##
===========================================
+ Coverage   69.01%   86.17%   +17.16%     
===========================================
  Files         104      223      +119     
  Lines        7596     5744     -1852     
===========================================
- Hits         5242     4950      -292     
+ Misses       2354      794     -1560     
Flag Coverage Δ
prowler-py3.10-azure 86.17% <ø> (?)
prowler-py3.10-lib ?
prowler-py3.11-azure 86.17% <ø> (?)
prowler-py3.11-lib ?
prowler-py3.12-azure 86.17% <ø> (?)
prowler-py3.12-lib ?

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 86.17% <ø> (+17.16%) ⬆️
api ∅ <ø> (∅)

@davletd davletd changed the title fix(azure): update CIS flow log remediation text for NSG retirement fix(azure): update flow log compliance text for NSG retirement Apr 29, 2026

@danibarranqueroo danibarranqueroo left a comment


Thanks for this! 💯


@pedrooot pedrooot left a comment


Thanks for this! I love it 🥇

@danibarranqueroo danibarranqueroo merged commit dd37f4e into prowler-cloud:master Apr 29, 2026
35 checks passed