diff --git a/examples/k8s_audit_config/audit-policy.yaml b/examples/k8s_audit_config/audit-policy.yaml index e9fc2427..e63b8d14 100644 --- a/examples/k8s_audit_config/audit-policy.yaml +++ b/examples/k8s_audit_config/audit-policy.yaml @@ -56,11 +56,17 @@ rules: # The empty string "" can be used to select non-namespaced resources. namespaces: ["kube-system"] - # Log configmap and secret changes in all other namespaces at the RequestResponse level. + # Log configmap changes in all other namespaces at the RequestResponse level. - level: RequestResponse resources: - group: "" # core API group - resources: ["secrets", "configmaps"] + resources: ["configmaps"] + + # Log secret changes in all other namespaces at the Metadata level. + - level: Metadata + resources: + - group: "" # core API group + resources: ["secrets"] # Log all other resources in core and extensions at the Request level. - level: Request
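Review bot: The new `secrets` rule keeps Secret payloads out of the audit log only because it sits above the core-group `Request` rule that follows it; audit policy rules are first-match, and nothing in the hunk records that dependency. I would extend the new comment to say so, e.g. `# Metadata only: keeps Secret data out of the audit log. Must stay above the core/extensions Request rule (first match wins).` The rule has no `verbs` filter, so it covers reads as well as the "changes" the comment mentions. The preceding rule scoped to `namespaces: ["kube-system"]` starts outside the hunk; it is worth confirming it does not match `secrets` at a body-logging level, since it would take precedence in that namespace. `configmaps` stay at `RequestResponse`, so any credentials kept in ConfigMaps are still written to the log in full.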