diff --git a/ee/app/controllers/ee/omniauth_callbacks_controller.rb b/ee/app/controllers/ee/omniauth_callbacks_controller.rb
index 7f3c81bc14f705e3634407652ab238b30cf87cf4..b0cba893a5acc6e9cbd54e2bfd226c15459b5b25 100644
--- a/ee/app/controllers/ee/omniauth_callbacks_controller.rb
+++ b/ee/app/controllers/ee/omniauth_callbacks_controller.rb
@@ -17,11 +17,20 @@ def openid_connect
 
     override :log_failed_login
     def log_failed_login(author, provider)
-      ::AuditEventService.new(
-        author,
-        nil,
-        with: provider
-      ).for_failed_login.unauth_security_event
+      unauth_author = ::Gitlab::Audit::UnauthenticatedAuthor.new(name: author)
+      user = ::User.new(id: unauth_author.id, name: author)
+      ::Gitlab::Audit::Auditor.audit({
+        name: "omniauth_login_failed",
+        author: unauth_author,
+        scope: user,
+        target: user,
+        additional_details: {
+          failed_login: provider.upcase,
+          author_name: user.name,
+          target_details: user.name
+        },
+        message: "#{provider.upcase} login failed"
+      })
     end
 
     override :sign_in_and_redirect_or_verify_identity
diff --git a/ee/app/controllers/ee/passwords_controller.rb b/ee/app/controllers/ee/passwords_controller.rb
index b686286e1178efd3cb9d5a0f031488c52de59911..c531ea4ba6da91b56b4be39f706935bf84030f73 100644
--- a/ee/app/controllers/ee/passwords_controller.rb
+++ b/ee/app/controllers/ee/passwords_controller.rb
@@ -11,16 +11,15 @@ module PasswordsController
     private
 
     def log_audit_event
-      ::AuditEventService.new(
-        current_user,
-        resource,
-        action: :custom,
-        custom_message: 'Ask for password reset',
+      ::Gitlab::Audit::Auditor.audit({
+        name: "password_reset_requested",
+        author: ::Gitlab::Audit::UnauthenticatedAuthor.new,
+        scope: resource,
+        target: resource || ::User.new,
+        target_details: resource_params[:email],
+        message: "Ask for password reset",
         ip_address: request.remote_ip
-      ).for_user(
-        full_path: resource_params[:email],
-        entity_id: nil
-      ).unauth_security_event
+      })
     end
   end
 end
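Review bot: `user = ::User.new(id: unauth_author.id, name: author)` builds a transient User whose id is borrowed from the UnauthenticatedAuthor object and whose name is the login identifier the failed attempt supplied, and that object becomes both `scope` and `target`, so the stored `entity_id`/`target_id` do not resolve to a persisted user row and carry whatever id the unauthenticated-author object reports. The intent looks like grouping all failed logins under entity_type "User" without a real user, but nothing in the hunk says so; a comment above the two assignments, e.g. `# No persisted user exists for a failed login: a transient User carrying the attempted login name stands in as scope/target so the event still records under entity_type "User"; its id is not a real user id.`, would stop a later reader from treating those ids as resolvable. Since `author` appears to be the identifier submitted with the failed attempt rather than a verified username, it also lands verbatim in `author_name` and `target_details` (as it did before this change), which the same comment should state so consumers of the event know the name is unverified. `provider.upcase` is evaluated twice; a local such as `provider_name = provider.upcase` used in both `failed_login:` and `message:` removes the duplication.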
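Review bot: `scope: resource` passes nil when the submitted email matches no account, while `target: resource || ::User.new` substitutes a blank User for that same case, so the unknown-email path now depends on `::Gitlab::Audit::Auditor.audit` tolerating a nil scope, whereas the replaced code handled it explicitly with `entity_id: nil`. Reset requests for unregistered addresses are the security-relevant case for this event (probing for which emails exist), and the spec hunk in ee/spec/controllers/passwords_controller_spec.rb only posts `user.email`, so that branch is not exercised. Either apply the same fallback to both keys, `scope: resource || ::User.new,`, or confirm the auditor accepts a nil scope and add a spec example that posts an email with no matching user and asserts an AuditEvent is still created with `target_details` set to the submitted address. `resource_params[:email]` is user-submitted and stored verbatim in `target_details`, which matches the prior `full_path:` behaviour.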
diff --git a/ee/app/controllers/ee/registrations_controller.rb b/ee/app/controllers/ee/registrations_controller.rb
index 77b1006135e361533c35dfbc886fc00e5d6b2590..7fb339986acbc4791dfe3305371e0991e6c5aa00 100644
--- a/ee/app/controllers/ee/registrations_controller.rb
+++ b/ee/app/controllers/ee/registrations_controller.rb
@@ -87,12 +87,14 @@ def ensure_can_remove_self
     def log_audit_event(user)
       return unless user&.persisted?
 
-      ::AuditEventService.new(
-        user,
-        user,
-        action: :custom,
-        custom_message: _('Instance access request')
-      ).for_user.security_event
+      ::Gitlab::Audit::Auditor.audit({
+        name: "registration_created",
+        author: user,
+        scope: user,
+        target: user,
+        target_details: user.username,
+        message: _("Instance access request")
+      })
     end
 
     def verify_arkose_labs_token
diff --git a/ee/config/audit_events/types/omniauth_login_failed.yml b/ee/config/audit_events/types/omniauth_login_failed.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9415084861f9495685cf9dda136b969bcfa53c91
--- /dev/null
+++ b/ee/config/audit_events/types/omniauth_login_failed.yml
@@ -0,0 +1,9 @@
+---
+name: omniauth_login_failed
+description: Event triggered when an OmniAuth login fails
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/374107
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/114548
+feature_category: compliance_management
+milestone: '15.11'
+saved_to_database: true
+streamed: false
diff --git a/ee/config/audit_events/types/password_reset_requested.yml b/ee/config/audit_events/types/password_reset_requested.yml
new file mode 100644
index 0000000000000000000000000000000000000000..970a446287e115dbc9b5773bf386245e9eb9a20e
--- /dev/null
+++ b/ee/config/audit_events/types/password_reset_requested.yml
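Review bot: `message: _("Instance access request")` stores a translated string, so the persisted `message`/custom_message varies with the locale active when the registration happened, while the new `name: "registration_created"` is stable; the spec only asserts the English text. Consumers that search or alert on these events should key on the event name, and a one-line comment on the message line, `# message is localised; filter on the event name, not on message`, would make that explicit. The replaced `custom_message` had the same property, so this is a documentation point rather than a regression introduced here.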
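Review bot: `streamed: false` in this new type definition, and likewise in password_reset_requested.yml and registration_created.yml, leaves these events local-only if that key governs delivery to external audit-event streaming destinations (inferred from the key name, not shown on this page). Failed logins, password-reset requests and new registrations are the events an external log consumer would most expect to receive, so the choice should be recorded rather than left implicit; a comment on the line such as `streamed: false # <reason streaming is disabled for this type>` filled in with the actual reason would make the next change to the flag deliberate. If the flag is false only because streaming support is pending, the `introduced_by_issue` link already exists to carry that context.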
@@ -0,0 +1,10 @@
+---
+name: password_reset_requested
+description: Event triggered when a user requests a password reset using a registered
+  email address
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/374107
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/114548
+feature_category: compliance_management
+milestone: '15.11'
+saved_to_database: true
+streamed: false
diff --git a/ee/config/audit_events/types/registration_created.yml b/ee/config/audit_events/types/registration_created.yml
new file mode 100644
index 0000000000000000000000000000000000000000..39d940b3588472dc5b2a5c3e6f08763c6ec1249d
--- /dev/null
+++ b/ee/config/audit_events/types/registration_created.yml
@@ -0,0 +1,9 @@
+---
+name: registration_created
+description: Event triggered when a user registers for instance access
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/374107
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/114548
+feature_category: compliance_management
+milestone: '15.11'
+saved_to_database: true
+streamed: false
diff --git a/ee/spec/controllers/ee/omniauth_callbacks_controller_spec.rb b/ee/spec/controllers/ee/omniauth_callbacks_controller_spec.rb
index 1312db4151bf029e9267a1231a80516d0e913928..c145bfb376368f2c260da0e9c27a0d741c68eb4e 100644
--- a/ee/spec/controllers/ee/omniauth_callbacks_controller_spec.rb
+++ b/ee/spec/controllers/ee/omniauth_callbacks_controller_spec.rb
@@ -30,7 +30,24 @@
       it 'audits provider failed login when licensed' do
         stub_licensed_features(extended_audit_events: true)
 
+        expect(::Gitlab::Audit::Auditor).to receive(:audit).with(hash_including({
+          name: "omniauth_login_failed"
+        })).and_call_original
+
         expect { subject.failure }.to change { AuditEvent.count }.by(1)
+
+        audit_event = AuditEvent.last
+        expect(audit_event.attributes).to include({
+          "author_name" => user.username,
+          "entity_type" => "User",
+          "target_details" => user.username
+        })
+        expect(audit_event.details).to include({
+          failed_login: "LDAP",
+          author_name: user.username,
+          target_details: user.username,
+          custom_message: "LDAP login failed"
+        })
       end
 
       it 'does not audit provider failed login when unlicensed' do
diff --git a/ee/spec/controllers/ee/registrations_controller_spec.rb b/ee/spec/controllers/ee/registrations_controller_spec.rb
index 71344db706d6def5fabed971286c89982f2076ba..3a0f796a41dbb3ad70678280f9c448086d89144e 100644
--- a/ee/spec/controllers/ee/registrations_controller_spec.rb
+++ b/ee/spec/controllers/ee/registrations_controller_spec.rb
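Review bot: the attribute assertion pins `"entity_type" => "User"` but not `entity_id` or `target_id`, which for the transient User built in log_failed_login come from the UnauthenticatedAuthor object rather than from any persisted user, so a later change that starts recording a real (or colliding) user id would pass this spec unnoticed. Adding `"entity_id" => ::Gitlab::Audit::UnauthenticatedAuthor.new.id,` and `"target_id" => ::Gitlab::Audit::UnauthenticatedAuthor.new.id,` to the `include` hash would make the convention explicit (the no-argument `.new` form is the one the passwords controller hunk already uses). The `it` block is fully inside the hunk; the surrounding example group is not.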
@@ -120,14 +120,28 @@
       end
 
       it 'logs the audit event info', :aggregate_failures do
+        expect(::Gitlab::Audit::Auditor).to receive(:audit).with(hash_including({
+          name: "registration_created"
+        })).and_call_original
+
         subject
 
         created_user = User.find_by(email: new_user_email)
         audit_event = AuditEvent.where(author_id: created_user.id).last
 
+        expect(audit_event.entity).to eq(created_user)
+        expect(audit_event.author).to eq(created_user)
         expect(audit_event.ip_address).to eq(created_user.current_sign_in_ip)
-        expect(audit_event.details[:target_details]).to eq(created_user.username)
-        expect(audit_event.details[:custom_message]).to eq('Instance access request')
+        expect(audit_event.attributes).to include({
+          "target_details" => created_user.username,
+          "target_id" => created_user.id,
+          "target_type" => "User",
+          "entity_path" => created_user.full_path
+        })
+        expect(audit_event.details).to include({
+          target_details: created_user.username,
+          custom_message: "Instance access request"
+        })
       end
 
       context 'with invalid user' do
diff --git a/ee/spec/controllers/passwords_controller_spec.rb b/ee/spec/controllers/passwords_controller_spec.rb
index 75ad364e3073af7f7509f0508868adc9ae4df52d..d4a4a338ce48342c9a11d2baca1887760c1d3dd5 100644
--- a/ee/spec/controllers/passwords_controller_spec.rb
+++ b/ee/spec/controllers/passwords_controller_spec.rb
@@ -13,6 +13,25 @@
 
     subject { post :create, params: { user: { email: user.email } } }
 
-    it { expect { subject }.to change { AuditEvent.count }.by(1) }
+    it "generates audit events" do
+      expect { subject }.to change { AuditEvent.count }.by(1)
+
+      audit_event = AuditEvent.last
+      expect(audit_event.attributes).to include({
+        "entity_id" => user.id,
+        "entity_type" => "User",
+        "entity_path" => nil,
+        "author_name" => "An unauthenticated user",
+        "target_type" => "User",
+        "target_details" => user.email,
+        "target_id" => user.id
+      })
+      expect(audit_event.details).to include({
+        custom_message: "Ask for password reset",
+        author_name: "An unauthenticated user",
+        target_type: "User",
+        target_details: user.email
+      })
+    end
   end
 end