can anyone confirm which api endpoint is used when osquery responds to a distributed query from Fleet? I know distributed queries aren't logged, so I'm thinking that it won't be the log endpoint. Maybe /distributed/write or /distributed/read? distributed/write seems most appropriate

Yes, distributed/write.

thanks