diff --git a/core/mondoo-linux-incident-response.mql.yaml b/core/mondoo-linux-incident-response.mql.yaml
index 3f2ef5e..0f8f70c 100644
--- a/core/mondoo-linux-incident-response.mql.yaml
+++ b/core/mondoo-linux-incident-response.mql.yaml
@@ -46,4 +46,4 @@ packs:
         mql: packages { name version arch installed }
       - uid: mondoo-linux-running-services
         title: Running services
-        mql: services { name running enabled masked type }
+        mql: services.where(running == true) { name running enabled masked type }
diff --git a/core/mondoo-macos-incident-response.mql.yaml b/core/mondoo-macos-incident-response.mql.yaml
index 1b26105..0f463eb 100644
--- a/core/mondoo-macos-incident-response.mql.yaml
+++ b/core/mondoo-macos-incident-response.mql.yaml
@@ -41,7 +41,7 @@ packs:
         mql: packages
       - uid: mondoo-macos-incident-response-running-services
         title: Running services
-        mql: services
+        mql: services.where(running == true) { name running enabled masked type }
       - uid: mondoo-macos-incident-response-alf-extensions
         title: Exceptions from the Application Layer Firewall
         mql: macos.alf.exceptions
diff --git a/core/mondoo-windows-incident-response.mql.yaml b/core/mondoo-windows-incident-response.mql.yaml
index e3bd6d5..486592b 100644
--- a/core/mondoo-windows-incident-response.mql.yaml
+++ b/core/mondoo-windows-incident-response.mql.yaml
@@ -29,4 +29,4 @@ packs:
         mql: windows.computerInfo
       - uid: mondoo-windows-incident-response-running-services
         title: Running services
-        mql: services
+        mql: services.where(running == true)