Hello, if I understand correctly, the “/api/fleet/orbit/config” endpoint is used to retrieve command line flags. Why is this endpoint queried so frequently?

In case they change? How often do you expect it to be queried?

These requests are coming from a single agent. If I add 1,000 agents, I will end up DDoSing myself. Since osquery flags change infrequently, I would expect something like one request every 60 seconds at minimum.

That endpoint is used to fetch pending scripts and software installs as well. Essentially, anything that isn't native osquery functionality is picked up through this endpoint. The reference architectures account for the volume of traffic we're expecting to see from the agent.

config_tls_refresh

is the osquery setting that controls this interval. Might not be documented however.

Thanks!