diff --git a/test/falco_k8s_audit_tests.yaml b/test/falco_k8s_audit_tests.yaml
index 9e1229af..285b9690 100644
--- a/test/falco_k8s_audit_tests.yaml
+++ b/test/falco_k8s_audit_tests.yaml
@@ -576,3 +576,40 @@ trace_files: !mux
 detect_counts:
 - K8s Role/Clusterrolebinding Deleted: 1
 trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json
+
+ create_secret:
+ detect: True
+ detect_level: INFO
+ rules_file:
+ - ../rules/falco_rules.yaml
+ - ../rules/k8s_audit_rules.yaml
+ detect_counts:
+ - K8s Secret Created: 1
+ trace_file: trace_files/k8s_audit/create_secret.json
+
+ # Should *not* result in any event as the secret rules skip service account token secrets
+ create_service_account_token_secret:
+ detect: False
+ detect_level: INFO
+ rules_file:
+ - ../rules/falco_rules.yaml
+ - ../rules/k8s_audit_rules.yaml
+ trace_file: trace_files/k8s_audit/create_service_account_token_secret.json
+
+ create_kube_system_secret:
+ detect: False
+ detect_level: INFO
+ rules_file:
+ - ../rules/falco_rules.yaml
+ - ../rules/k8s_audit_rules.yaml
+ trace_file: trace_files/k8s_audit/create_kube_system_secret.json
+
+ delete_secret:
+ detect: True
+ detect_level: INFO
+ rules_file:
+ - ../rules/falco_rules.yaml
+ - ../rules/k8s_audit_rules.yaml
+ detect_counts:
+ - K8s Secret Deleted: 1
+ trace_file: trace_files/k8s_audit/delete_secret.json
\ No newline at end of file
diff --git a/test/trace_files/k8s_audit/create_kube_system_secret.json b/test/trace_files/k8s_audit/create_kube_system_secret.json
new file mode 100644
index 00000000..488c9f12
--- /dev/null
+++ b/test/trace_files/k8s_audit/create_kube_system_secret.json
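Review bot: The `create_kube_system_secret` case is a negative expectation (`detect: False`) with no comment saying why, while its sibling `create_service_account_token_secret` explains itself; add one such as `# Should *not* result in any event as the secret rules skip the kube-system namespace`, adjusting the wording to whatever exclusion the rule actually applies (the rules file is not in this diff, so the reason is inferred from the case name). The block also drops the file's trailing newline (`\ No newline at end of file`), so the next addition will show the `delete_secret` trace_file line as a spurious change; restore it.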
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"263db4e4-f0bb-41b4-913d-c03815f49be5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kubeadm/v1.16.2 (linux/amd64) kubernetes/c97fe50","objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token-ne7bxu","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"bootstrap-token-ne7bxu","namespace":"kube-system","creationTimestamp":null},"data":{"auth-extra-groups":"c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=","expiration":"MjAyMC0wMy0yNVQxMTo1Mzo0OS0wNzowMA==","token-id":"bmU3Ynh1","token-secret":"eGNwcGRha3Z1cTJ6d3Eycw==","usage-bootstrap-authentication":"dHJ1ZQ==","usage-bootstrap-signing":"dHJ1ZQ=="},"type":"bootstrap.kubernetes.io/token"},"responseObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"bootstrap-token-ne7bxu","namespace":"kube-system","selfLink":"/api/v1/namespaces/kube-system/secrets/bootstrap-token-ne7bxu","uid":"799b20e8-a196-4061-9a55-d8c76ab092df","resourceVersion":"161","creationTimestamp":"2020-03-24T18:53:49Z"},"data":{"auth-extra-groups":"c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=","expiration":"MjAyMC0wMy0yNVQxMTo1Mzo0OS0wNzowMA==","token-id":"bmU3Ynh1","token-secret":"eGNwcGRha3Z1cTJ6d3Eycw==","usage-bootstrap-authentication":"dHJ1ZQ==","usage-bootstrap-signing":"dHJ1ZQ=="},"type":"bootstrap.kubernetes.io/token"},"requestReceivedTimestamp":"2020-03-24T18:53:49.023018Z","stageTimestamp":"2020-03-24T18:53:49.025530Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
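Review bot: The fixture's `data` block carries credential material captured from a live cluster rather than synthetic values: `token-id` and `token-secret` are a kubeadm bootstrap token pair, and `expiration` base64-decodes to a timestamp on 2020-03-25, one day after the `creationTimestamp`. The `K8s Secret Created` rule under test presumably keys on the request's `objectRef`, `metadata` and `type` rather than the data values, so they can be replaced with dummy base64 (for example the encoding of `REDACTED`) without changing what the test exercises; the same treatment applies to the `access-key` value in `create_secret.json`, which decodes to a UUID-shaped key, and to whatever `ca.crt` and `token` hold in `create_service_account_token_secret.json`. The bootstrap token is expired and tied to a local cluster, so the exposure is low, but scrubbing fixtures before commit avoids secret-scanner alerts and sets the pattern for future captures.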
diff --git a/test/trace_files/k8s_audit/create_secret.json b/test/trace_files/k8s_audit/create_secret.json new file mode 100644 index 00000000..76f961a4 --- /dev/null +++ b/test/trace_files/k8s_audit/create_secret.json @@ -0,0 +1,2 @@ +{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"c07ab0e2-9b07-4cc6-8e3b-91ac69586a1f","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/sysdig-agent/secrets","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.2.15"],"userAgent":"kubectl/v1.13.3 (linux/amd64) kubernetes/721bfa7","objectRef":{"resource":"secrets","namespace":"sysdig-agent","name":"sysdig-agent","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"sysdig-agent","creationTimestamp":null},"data":{"access-key":"MzFiNGQ0YjctMDAyNi00YzI3LWJiMGItNDk5ZDZkZjg1ZGJi"},"type":"Opaque"},"responseObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"sysdig-agent","namespace":"sysdig-agent","selfLink":"/api/v1/namespaces/sysdig-agent/secrets/sysdig-agent","uid":"9c812531-09bd-11ea-a1f9-08002719228f","resourceVersion":"830","creationTimestamp":"2019-11-18T04:40:56Z"},"data":{"access-key":"MzFiNGQ0YjctMDAyNi00YzI3LWJiMGItNDk5ZDZkZjg1ZGJi"},"type":"Opaque"},"requestReceivedTimestamp":"2019-11-18T04:40:56.739299Z","stageTimestamp":"2019-11-18T04:40:56.741993Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}} + diff --git a/test/trace_files/k8s_audit/create_service_account_token_secret.json b/test/trace_files/k8s_audit/create_service_account_token_secret.json new file mode 100644 index 00000000..92ff5219 --- /dev/null +++ b/test/trace_files/k8s_audit/create_service_account_token_secret.json 
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"80ec4e21-2144-4156-bac3-7db13f966060","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/sysdig-agent/secrets","verb":"create","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.12 (linux/amd64) kubernetes/a8b5220/tokens-controller","objectRef":{"resource":"secrets","namespace":"sysdig-agent","name":"default-token-lmsbg","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"default-token-lmsbg","namespace":"sysdig-agent","creationTimestamp":null,"annotations":{"kubernetes.io/service-account.name":"default","kubernetes.io/service-account.uid":"8b65cb69-09bd-11ea-a1f9-08002719228f"}},"data":{"ca.crt":"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","namespace":"c3lzZGlnLWFnZW50","token":"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"},"type":"kubernetes.io/service-account-token"},"responseObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"default-token-lmsbg","namespace":"sysdig-agent","selfLink":"/api/v1/namespaces/sysdig-agent/secrets/default-token-lmsbg","uid":"8b69fccc-09bd-11ea-a1f9-08002719228f","resourceVersion":"795","creationTimestamp":"2019-11-18T04:40:28Z","annotations":{"kubernetes.io/service-account.name":"default","kubernetes.io/service-account.uid":"8b65cb69-09bd-11ea-a1f9-08002719228f"}},"data":{"ca.crt":"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","namespace":"c3lzZGlnLWFnZW50","token":"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"},"type":"kubernetes.io/service-account-token"},"requestReceivedTimestamp":"2019-11-18T04:40:28.066497Z","stageTimestamp":"2019-11-18T04:40:28.070609Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding 
\"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
diff --git a/test/trace_files/k8s_audit/delete_secret.json b/test/trace_files/k8s_audit/delete_secret.json
new file mode 100644
index 00000000..327e52cb
--- /dev/null
+++ b/test/trace_files/k8s_audit/delete_secret.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"39ca37c2-1e47-4ca9-a719-646688a4cea4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/tes/secrets/default-token-lmq4v","verb":"delete","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.12 (linux/amd64) kubernetes/a8b5220/tokens-controller","objectRef":{"resource":"secrets","namespace":"tes","name":"default-token-lmq4v","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","code":200},"requestObject":{"kind":"DeleteOptions","apiVersion":"v1","preconditions":{"uid":"ac540c76-09c2-11ea-a1f9-08002719228f"}},"responseObject":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Success","details":{"name":"default-token-lmq4v","kind":"secrets","uid":"ac540c76-09c2-11ea-a1f9-08002719228f"}},"requestReceivedTimestamp":"2019-11-18T05:17:20.899988Z","stageTimestamp":"2019-11-18T05:17:20.904826Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}