Hi there! I think I found a bug, but maybe I just need some explanations. If I set

disable_tables: 'curl'

osquery option via Fleet UI (inspired by https://www.tenchisecurity.com/abusing-the-osquery-curl-table-for-pivoting-into-cloud-environments/) , it continues to work! It looks like this option only applies after restarting osqueryd service on endpoint. Is it right behavior? Looks strange, but maybe I just do something wrong way…

Hi @Artem! That is correct. Such option requires a restart of osquery to take effect. I was able to reproduce the behavior in Fleet.

@Lucas Rodriguez thank you! Got it! Just for future probable feature request, it would be really cool, if it will possible to change such behavior without restarting osquery on endpoints