[ BUG ] ReadContainerCombined with filter running_status:'true' is returning both false and true results #1358

@achitti-lc

Describe the bug
A clear and concise description of what the bug is.
API - https://assets.falcon.crowdstrike.com/support/api/swagger.html#/kubernetes-protection/ReadContainerCombined

The filter running_status is not working as expected. This is the FQL I tried:
cluster_name:'my-cluster-name'+running_status:'true'
The API keeps returning results with both true and false running status.
Our cluster is using the Falcon KAC agent.

To Reproduce
Steps to reproduce the behavior.

Try the above API with the following FQL:
cluster_name:'my-cluster-name'+running_status:'true'

The API keeps returning results with both true and false running status.

Expected behavior
A clear and concise description of what you expected to happen.
running_status:'true'

The API should return results with only pods running.

Environment (please complete the following information):

  • OS: [e.g. Red Hat Enterprise Linux 8.3]
  • Python: [e.g. 3.9]
  • FalconPy: [e.g. 0.7.1]

Tested on both the API Swagger and FalconPy version 1.5.2.

Additional context
Add any other context about the problem here.
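
A way to confirm the reported behaviour on a saved ReadContainerCombined response body and to enforce the filter client-side in the meantime. This is an added example, not code from the issue author or from FalconPy; it assumes each entry in `resources` exposes `cluster_name` and `running_status` under the same names as the FQL properties, and the `container_id` values are constructed.

```python
# Added example: checks a response body against running_status:'true'.
# Assumption: resources carry "running_status" (bool or "true"/"false" string).

def _as_bool(value):
    """Normalise True / "true" / "False" style values; None if unrecognised."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None


def split_by_running_status(body, expected=True):
    """Return (matching, violating) resources for running_status:<expected>.

    An entry with a missing or unparseable running_status counts as a
    violation, because it cannot be shown to satisfy the filter.
    """
    matching, violating = [], []
    for item in (body or {}).get("resources") or []:
        status = _as_bool(item.get("running_status"))
        (matching if status is expected else violating).append(item)
    return matching, violating


# Constructed sample shaped like the behaviour described in this issue:
# the filter asked for running_status:'true' but mixed results came back.
SAMPLE_BODY = {
    "resources": [
        {"container_id": "c-001", "cluster_name": "my-cluster-name", "running_status": True},
        {"container_id": "c-002", "cluster_name": "my-cluster-name", "running_status": False},
        {"container_id": "c-003", "cluster_name": "my-cluster-name", "running_status": "true"},
        {"container_id": "c-004", "cluster_name": "my-cluster-name"},
    ]
}


def violating_ids(body, expected=True):
    """IDs of entries the server returned despite the filter."""
    _, violating = split_by_running_status(body, expected)
    return [item.get("container_id") for item in violating]


if __name__ == "__main__":
    running, leaked = split_by_running_status(SAMPLE_BODY)
    print(f"{len(running)} running, {len(leaked)} not matching the filter")
    print("violations:", violating_ids(SAMPLE_BODY))
```

A non-empty violation list on a real response reproduces the bug; the `matching` list is what downstream inventory or detection logic should consume until the server-side filter is fixed.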

Labels

bug 🐛 (Something isn't working), escalated (This issue has been escalated to the API team), kubernetes (Kubernetes Protection issues and questions)
