diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md
index fb1f1479292fa43a7c5001d6c9a38c5314b80188..2601ae552784f6dae4a8b6ad2180e4eee01ec0a8 100644
--- a/doc/user/compliance/audit_event_types.md
+++ b/doc/user/compliance/audit_event_types.md
@@ -604,6 +604,7 @@ Audit event types belong to the following product categories.
 | [`user_email_changed_and_user_signed_in`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106090) | User email changed and user signed in | **{check-circle}** Yes | GitLab [15.8](https://gitlab.com/gitlab-org/gitlab/-/issues/369331) | User |
 | [`user_impersonation`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79340) | An instance administrator starts or stops impersonating a user | **{check-circle}** Yes | GitLab [14.8](https://gitlab.com/gitlab-org/gitlab/-/issues/300961) | User, Group |
 | [`user_password_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106086) | A user password is updated | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369330) | User |
+| [`user_provisioned_by_scim`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174040) | A user is provisioned by SCIM | **{check-circle}** Yes | GitLab [17.8](https://gitlab.com/gitlab-org/gitlab/-/issues/423322) | Group |
 | [`user_rejected`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/113784) | A user registration is rejected | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/374107) | User |
 
 ### User profile
diff --git a/ee/config/audit_events/types/user_provisioned_by_scim.yml b/ee/config/audit_events/types/user_provisioned_by_scim.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d96211b058c5a8906d062d5bcbeaf8c32d384c3d
--- /dev/null
+++ b/ee/config/audit_events/types/user_provisioned_by_scim.yml
@@ -0,0 +1,10 @@
+---
+name: user_provisioned_by_scim
+description: A user is provisioned by SCIM
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/423322
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174040
+feature_category: user_management
+milestone: '17.8'
+saved_to_database: true
+streamed: true
+scope: [Group]
diff --git a/ee/lib/ee/gitlab/scim/group/provisioning_service.rb b/ee/lib/ee/gitlab/scim/group/provisioning_service.rb
index fa8fdfa9cc1d6597a5b8d8160b370b52072f9e89..cdeb07e0800b3e392fe85d5b1d3f52d40c6c1a41 100644
--- a/ee/lib/ee/gitlab/scim/group/provisioning_service.rb
+++ b/ee/lib/ee/gitlab/scim/group/provisioning_service.rb
@@ -83,7 +83,10 @@ def create_identity_and_member
 end
 
 def create_user_and_member
- return success_response if user.save && member.errors.empty?
+ if user.save && member.errors.empty?
+ log_audit_event
+ return success_response
+ end
 
 error_response(objects: [user, identity, member])
 end
@@ -107,6 +110,18 @@ def existing_user?
 def success_response
 ProvisioningResponse.new(status: :success, identity: identity)
 end
+
+ def log_audit_event
+ audit_context = {
+ name: "user_provisioned_by_scim",
+ author: ::Gitlab::Audit::UnauthenticatedAuthor.new(name: '(System)'),
+ scope: @group,
+ target: user,
+ target_details: user.username,
+ message: "User was provisioned by SCIM"
+ }
+ ::Gitlab::Audit::Auditor.audit(audit_context)
+ end
 end
 end
 end
diff --git a/ee/spec/lib/ee/gitlab/scim/group/provisioning_service_spec.rb b/ee/spec/lib/ee/gitlab/scim/group/provisioning_service_spec.rb
index 7d5291355db94fcfa8da288a1d19013ae6d4a128..06f1eb3f340b8ac8aae49046f757e2ebe755741e 100644
--- a/ee/spec/lib/ee/gitlab/scim/group/provisioning_service_spec.rb
+++ b/ee/spec/lib/ee/gitlab/scim/group/provisioning_service_spec.rb
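Review bot: `log_audit_event` records the actor as `::Gitlab::Audit::UnauthenticatedAuthor.new(name: '(System)')`, so the persisted event cannot be tied to the SCIM integration that actually pushed the user, even though group SCIM calls are normally authenticated with the group's SCIM token and that is what a compliance reviewer will want to correlate. If the service has no handle on the calling token, at least preserve the IdP-side reference it does have — the second hunk already uses `identity` — for example `additional_details: { extern_uid: identity.extern_uid }` if `Auditor.audit` accepts that key, so an event can be matched against the identity provider's own logs. Style-wise the new method reads `@group` directly while the surrounding hunks use the `user`/`identity`/`member` accessors, and it mixes double quotes (`"user_provisioned_by_scim"`) with single quotes (`'(System)'`) inside one hash. A one-line comment such as `# Emitted only once both the user and the membership have persisted (see create_user_and_member)` would document why the call sits behind the `member.errors.empty?` guard. Both `create_user_and_member` and `log_audit_event` are fully within their hunks; the trailing `end`s close enclosing modules that begin outside them.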
@@ -51,6 +51,14 @@
 it 'does not create the SAML identity' do
 expect { service.execute }.not_to change { Identity.count }
 end
+
+ it 'does not log user_provisioned_by_scim audit event' do
+ expect(::Gitlab::Audit::Auditor).not_to receive(:audit).with(hash_including({
+ name: "user_provisioned_by_scim"
+ })).and_call_original
+
+ service.execute
+ end
 end
 
 context 'when valid params' do
@@ -173,6 +181,36 @@ def user
 end
 end
 end
+
+ context 'for audit' do
+ let(:author) { ::Gitlab::Audit::UnauthenticatedAuthor.new(name: '(System)') }
+
+ before do
+ stub_licensed_features(extended_audit_events: true)
+ end
+
+ it 'logs user_provisioned_by_scim audit event' do
+ expect { service.execute }.to change { AuditEvent.count }.by(1)
+
+ expect(AuditEvent.last).to have_attributes({
+ attributes: hash_including({
+ "entity_id" => group.id,
+ "entity_type" => "Group",
+ "author_id" => author.id,
+ "target_details" => user.username,
+ "target_id" => user.id
+ }),
+ details: hash_including({
+ event_name: "user_provisioned_by_scim",
+ author_class: author.class.to_s,
+ author_name: author.name,
+ custom_message: "User was provisioned by SCIM",
+ target_type: "User",
+ target_details: user.username
+ })
+ })
+ end
+ end
 end
 
 context 'when a provisioning error occurs' do