diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 2234cb18..c00318ee 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -295,13 +295,21 @@
 sshd, sudo, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent, aws, initdb, docker-compose, make, configure, awk, falco, fail2ban-server, apt-get, apt,
- fleetctl, logrotate
+ fleetctl, logrotate, ansible
 ]
+- macro: ansible_running_python
+ condition: proc.pname=python and proc.pcmdline contains ansible
+
 - rule: Run shell untrusted
 desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
- condition: spawned_process and not container and shell_procs and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, known_shell_spawn_binaries, docker_binaries, k8s_binaries)
- output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
+ condition: >
+ spawned_process and not container
+ and shell_procs
+ and proc.pname exists
+ and not proc.pname in (cron_binaries, shell_binaries, known_shell_spawn_binaries, docker_binaries, k8s_binaries)
+ and not ansible_running_python
+ output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline)"
 priority: WARNING
 - macro: trusted_containers
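Review bot: The new `ansible_running_python` macro exempts every shell whose parent is named `python` and whose parent command line contains the substring `ansible` anywhere, which is a much broader carve-out from "Run shell untrusted" than the macro name implies: `contains` is a plain substring match and both `proc.pname` and `proc.pcmdline` are derived from values the spawning process itself chooses, so any python parent that merely mentions ansible in an argument is silently excluded from the alert. Consider anchoring the match to the invocation shape Ansible actually produces (for example `startswith` on the interpreter or module path it executes) rather than a bare substring, and document the gap above the macro, e.g. `# Ansible runs modules under a python interpreter that legitimately spawns shells; deliberately narrow exception — do not widen without review.`. Note also that `proc.pname=python` only matches a parent literally named `python`, so hosts where Ansible runs under `python3` will still alert; if that is intended, say so in the same comment, otherwise `proc.pname in (python, python3)` covers both. The `known_shell_spawn_binaries` list whose tail is edited here opens outside the hunk, and the `trusted_containers` macro at the end continues past it.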