diff --git a/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml new file mode 100644 index 000000000..4264a4285 --- /dev/null +++ b/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml @@ -0,0 +1,24 @@ +title: Azure Kubernetes Cluster Created or Deleted +id: 9541f321-7cba-4b43-80fc-fbd1fb922808 +description: Detects when a Azure Kubernetes Cluster is created or deleted. +author: Austin Songer +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE + condition: selection +level: low +tags: + - attack.impact +falsepositives: + - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + + +
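Review bot: The title and description say "Azure Kubernetes Cluster", but the two selection values are `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE` and `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE`, which are the Microsoft.Kubernetes resource-provider operations for Azure Arc-enabled (connected) clusters, exactly the provider the `#microsoftkubernetes` reference anchor points at; AKS managed clusters are created and deleted through a different provider (Microsoft.ContainerService), so as written the rule will not fire on an AKS cluster being created or deleted. Either rename the rule and description to "Azure Arc Kubernetes Connected Cluster Created or Deleted" so the scope matches the logic, or add the corresponding Microsoft.ContainerService managed-cluster write/delete operations to the selection list if AKS is meant to be covered. Two smaller points in the same hunk: the `/WRITE` operation is also emitted on updates to an existing cluster, not only on creation, so the description ("created or deleted") and the falsepositives text should say "created, updated or deleted", otherwise analysts will treat every hit as a new cluster; and "Detects when a Azure Kubernetes Cluster" should read "an Azure".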