diff --git a/conf/logs.json b/conf/logs.json
index a8f88e756..d56527926 100644
--- a/conf/logs.json
+++ b/conf/logs.json
@@ -27,6 +27,14 @@
       ]
     }
   },
+  "carbonblack:audit": {
+    "schema": {
+      "cb_server": "string",
+      "message": "string",
+      "type": "string"
+    },
+    "parser": "json"
+  },
   "carbonblack:alert.status.updated": {
     "schema": {
       "alert_resolution": "string",
diff --git a/tests/integration/rules/carbonblack/audit_schema.json b/tests/integration/rules/carbonblack/audit_schema.json
new file mode 100644
index 000000000..3b2bd876e
--- /dev/null
+++ b/tests/integration/rules/carbonblack/audit_schema.json
@@ -0,0 +1,17 @@
+{
+  "records": [
+    {
+      "data": {
+        "cb_server": "cbserver",
+        "message": "2018-03-14 18:34:23: host: 12.17.170.21 (12470), user: testuser (31), command: rm -rf / (11), object: /Applications/CarbonBlack/touch, result: error (WinHresult 0x80070002)",
+        "type": "audit.log.liveresponse"
+      },
+      "description": "CB Audit log schema (validation only)",
+      "log": "carbonblack:audit",
+      "service": "s3",
+      "source": "airbnb.csirt.carbonblack.us-east-1",
+      "trigger_rules": [],
+      "validate_schema_only": true
+    }
+  ]
+}
\ No newline at end of file
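Review bot: The new `carbonblack:audit` schema declares `message` as an opaque string, so everything a detection would key on in the sample (host, user, command, object, result) stays buried in free text and any rule must pattern-match the whole line rather than compare typed fields; if the upstream audit record only carries these three keys that is unavoidable, but it is worth stating in the log's description or a README next to the rules that `message` is unparsed. The accompanying fixture's `type` is `audit.log.liveresponse`, which suggests other `audit.log.*` types exist; if those carry additional top-level keys, records of that type will not match this three-key schema, so confirm against a broader sample before relying on it. The enclosing `conf/logs.json` object starts and ends outside the hunk.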
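Review bot: The fixture's `message` embeds `12.17.170.21`, which is a routable address; test data should use a documentation-reserved range (RFC 5737, e.g. `192.0.2.10`) so a copy of the fixture never points at a real host. Likewise, if `airbnb.csirt.carbonblack.us-east-1` is a real production bucket name, a neutral placeholder is preferable in a committed test file. The file is also missing its trailing newline (`\ No newline at end of file`), which most JSON formatters and linters will flag on the next touch.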