diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index ebf18e34..7744af2b 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -102,6 +102,12 @@
 - macro: role
   condition: ka.target.resource=roles
 
+- macro: secret
+  condition: ka.target.resource=secrets
+
+- macro: req_service_account_token
+  condition: (jevt.value[/requestObject/type]="kubernetes.io/service-account-token")
+
 - macro: health_endpoint
   condition: ka.uri=/healthz
 
@@ -401,6 +407,22 @@
   source: k8s_audit
   tags: [k8s]
 
+- rule: K8s Secret Created
+  desc: Detect any attempt to create a secret. Service account tokens are excluded.
+  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and not req_service_account_token and response_successful)
+  output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Secret Deleted
+  desc: Detect any attempt to delete a secret Service account tokens are excluded.
+  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and not req_service_account_token and response_successful)
+  output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
 # This rule generally matches all events, and as a result is disabled
 # by default. If you wish to enable these events, modify the
 # following macro.
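Review bot: The `req_service_account_token` macro keys on `/requestObject/type`, so the exclusion it provides only holds when the audit event carries a request body; a delete request ordinarily has none, and if the audit policy records secrets at Metadata level (a common choice, to keep secret contents out of the log) requestObject is absent for creates as well, in which case `not req_service_account_token` is vacuously true and both new rules in the second hunk (K8s Secret Created and K8s Secret Deleted) still fire for service-account tokens, contrary to their desc. This is inferred from the field path rather than visible here, so confirm it against the audit policy in use. Either way the macro's precondition is undocumented; a comment above it such as `# Only meaningful when the audit policy captures the request body (level Request/RequestResponse) for secrets; delete events carry no requestObject, so the exclusion cannot apply to them` would tell operators when the exclusion actually works and why the Deleted rule in particular cannot filter by secret type.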
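Review bot: The K8s Secret Deleted desc is missing its sentence break and should read `desc: Detect any attempt to delete a secret. Service account tokens are excluded.` to match the Created rule. Both rules also drop every event in kube-system through `ka.target.namespace!=kube-system`, a blind spot neither desc mentions: a secret created or removed there with a compromised credential goes unreported. The exclusion should at least be stated in both descs, e.g. `Secrets in kube-system and service account tokens are excluded.`, or lifted into a named macro so operators can narrow it without editing the rule conditions.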