Collecting Audit Failure Data from Azure Virtual Machines | Azure Security Technologies

Collect Audit Failure Data from VM1 to Azure Storage Account

Question

SIMULATION -

You need to collect all the audit failure data from the security log of a virtual machine named VM1 to an Azure Storage account.

To complete this task, sign in to the Azure portal.

This task might take several minutes to complete. You can perform other tasks while the task completes.

Explanations

See the explanation below.

Step 1: Create a workspace -

Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for detailed analysis and correlation. Note that a Log Analytics workspace is not a storage account: the two steps below onboard VM1 to a workspace, which is useful for querying the events, but the task's destination is an Azure Storage account, and that is configured through the VM's Diagnostic settings (the Azure Diagnostics extension), as described in the second procedure on this page.

1. In the Azure portal, select All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces.

2. Select Create, and then provide the subscription, resource group, workspace name and region for the new workspace.

3. After providing the required information on the Log Analytics workspace pane, select OK.

While the information is verified and the workspace is created, you can track its progress under Notifications from the menu.

Step 2: Enable the Log Analytics VM Extension

Installing the Log Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs.

1. In the Azure portal, select All services found in the upper left-hand corner. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces.

2. In your list of Log Analytics workspaces, select DefaultWorkspace (the name you created in step 1).

3. On the left-hand menu, under Workspace Data Sources, select Virtual machines.

4. In the list of Virtual machines, select a virtual machine you want to install the agent on. Notice that the Log Analytics connection status for the VM indicates that it is Not connected.

5. In the details for your virtual machine, select Connect. The agent is automatically installed and configured for your Log Analytics workspace. This process takes a few minutes, during which time the Status shows Connecting.

After you install and connect the agent, the Log Analytics connection status will be updated with This workspace.

https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm

To collect all the audit failure data from the security log of a virtual machine named VM1 to an Azure Storage account, configure the Azure Diagnostics extension from the VM's Diagnostic settings:

  1. Sign in to the Azure portal at https://portal.azure.com/.
  2. In the search box at the top of the portal, type "Virtual machines" and select Virtual machines from the results.
  3. Select the virtual machine named VM1.
  4. In the VM1 blade, under Monitoring in the left-hand menu, select "Diagnostic settings".
  5. On the Overview tab, pick the storage account that will receive the diagnostics data. If a suitable account does not exist yet, create one first (Storage accounts > Create, in the same region as VM1) and then return here and select it.
  6. Select "Enable guest-level monitoring". This installs the Azure Diagnostics extension on VM1; wait for the installation to finish before continuing.
  7. Select the "Logs" tab.
  8. Under "Event logs", in the "Security" row, select "Audit failure" and clear "Audit success". Clear any Application and System levels you do not need, so that only the required events are collected.
  9. Select "Save".

The Azure Diagnostics extension now forwards every Audit Failure event from the Security log of VM1 to the storage account you selected, where the events are written to the table named WADWindowsEventLogsTable. You can inspect that table in the storage account (for example with Storage browser in the portal or with Azure Storage Explorer) or use it for further analysis or monitoring. If you later want a different destination or retention, change the storage account on the "Agent" tab of the same Diagnostic settings blade; the storage account's own lifecycle management policy controls how long the table data is kept.
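The same configuration can be applied without the portal. The script below is an added example, not part of the original page or of Microsoft's documentation: it builds the Azure Diagnostics (WAD) public configuration that restricts the Security log to Audit Failure events, applies it to VM1 with the Az PowerShell module, and checks that the extension provisioned and that the event table appeared in the storage account. The resource group name `RG1` and the storage account name `vm1diagsa` are assumptions chosen for illustration; the VM name comes from the task. It requires an authenticated Az session (`Connect-AzAccount`).

```powershell
# Added example (not from the original page): scripted equivalent of the portal procedure.
# Requires the Az PowerShell module and an authenticated session (Connect-AzAccount).
# Resource group and storage account names are assumptions for illustration.

$ResourceGroup  = 'RG1'          # assumed
$VmName         = 'VM1'          # from the task
$StorageAccount = 'vm1diagsa'    # assumed; must already exist, in the same region as VM1

# Builds the Azure Diagnostics (WAD) public configuration as XML.
# The XPath keeps only Security-log events whose Keywords contain the
# "Audit Failure" bit (0x0010000000000000 = 4503599627370496), so
# "Audit Success" events (0x0020000000000000) are never uploaded.
function New-WadAuditFailureConfig {
    param(
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [string] $TransferPeriod = 'PT1M'   # how often the agent ships collected events
    )
    @"
<?xml version="1.0" encoding="utf-8"?>
<PublicConfig xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
  <WadCfg>
    <DiagnosticMonitorConfiguration overallQuotaInMB="4096">
      <WindowsEventLog scheduledTransferPeriod="$TransferPeriod">
        <DataSource name="Security!*[System[(band(Keywords,4503599627370496))]]" />
      </WindowsEventLog>
    </DiagnosticMonitorConfiguration>
  </WadCfg>
  <StorageAccount>$StorageAccountName</StorageAccount>
</PublicConfig>
"@
}

# Write the configuration to disk and push it to VM1 through the Azure Diagnostics extension.
$configPath = Join-Path $env:TEMP 'vm1-wad-audit-failure.xml'
New-WadAuditFailureConfig -StorageAccountName $StorageAccount |
    Set-Content -Path $configPath -Encoding utf8

Set-AzVMDiagnosticsExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
    -DiagnosticsConfigurationPath $configPath -StorageAccountName $StorageAccount

# Confirm the extension landed on VM1 and reports a successful provisioning state.
Get-AzVMDiagnosticsExtension -ResourceGroupName $ResourceGroup -VMName $VmName |
    Select-Object Name, ProvisioningState

# Forwarded events are written to the WADWindowsEventLogsTable table in the storage
# account. Allow a transfer period or two to pass, then check that the table exists.
$ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Context
Get-AzStorageTable -Name 'WADWindowsEventLogsTable' -Context $ctx -ErrorAction SilentlyContinue |
    Select-Object Name, Uri

# Optional sanity check, to be run on VM1 itself rather than from the admin workstation:
# the same XPath against the local Security log must return only "Audit Failure" events.
# Get-WinEvent -LogName Security -FilterXPath '*[System[(band(Keywords,4503599627370496))]]' -MaxEvents 5 |
#     Select-Object TimeCreated, Id, KeywordsDisplayNames
```

Filtering on the Keywords bit rather than on event IDs is what makes "all the audit failure data" precise: every failure audit in the Security log, whatever its ID, carries that keyword, and success audits do not, so nothing else is uploaded to the storage account.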