- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-10-2025 01:21 AM - edited 01-10-2025 07:05 AM
Hello all,
I'm trying to switch to Ansible for my Windows application deployments (among other things), but Cortex XDR blocks everything Ansible tries to do with a Behavioral Threat response (it works via powershell.exe -EncodedCommand).
What are the best practices for using Ansible on an endpoint protected by Cortex XDR?
01-15-2025 01:43 AM
Hi @NicolasBriche
Thanks for writing to LC!
Ideally, if the activity is legit, the agent should not block it. It seems that the XDR agent may be seeing that as obfuscated activity hence blocking it.
In this case, its better we understand how you are running them and what BTP module is doing the detecting to have an appropriate exceptions created hence I suggest raising a ticket to TAC team to have the alert data investigated for most feasible exceptions.(TAC would suggest the exceptions for that specific use case).
Give it a like & mark as solution if this helped.
Best,
01-15-2025 01:43 AM
Hi @NicolasBriche
Thanks for writing to LC!
Ideally, if the activity is legit, the agent should not block it. It seems that the XDR agent may be seeing that as obfuscated activity hence blocking it.
In this case, its better we understand how you are running them and what BTP module is doing the detecting to have an appropriate exceptions created hence I suggest raising a ticket to TAC team to have the alert data investigated for most feasible exceptions.(TAC would suggest the exceptions for that specific use case).
Give it a like & mark as solution if this helped.
Best,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!