#general

Martin Westergaard Lassen

02/11/2020, 1:16 PM
Is there a way to get a list of connected Bluetooth devices, like you have it with usb_devices?

seph

02/11/2020, 3:43 PM
I don’t think anyone’s written a table for that information. If you’re on macOS, I believe it’s buried in a plist somewhere, but extracting it may be roundabout.

Martin Westergaard Lassen

02/11/2020, 5:18 PM
Thanks!

fritz

02/11/2020, 5:31 PM
Hi @Martin Westergaard Lassen, I wrote a query to do this a while back as part of my yet unpublished (😞) plist blog post:
WITH bluetooth_plist AS (
  SELECT *, SPLIT(subkey, '/', 0) AS device_id
  FROM plist
  WHERE path = '/Library/Preferences/com.apple.Bluetooth.plist'
),
bluetooth_devices AS (
  SELECT
    device_id,
    MAX(CASE WHEN subkey = device_id || '/Name' THEN value ELSE NULL END) AS display_name,
    MAX(CASE WHEN subkey = device_id || '/Manufacturer' THEN value ELSE NULL END) AS manufacturer,
    MAX(CASE WHEN subkey = device_id || '/ClassOfDevice' THEN value ELSE NULL END) AS device_class,
    MAX(CASE WHEN subkey = device_id || '/VendorID' THEN value ELSE NULL END) AS vendor_id,
    MAX(CASE WHEN subkey = device_id || '/ProductID' THEN value ELSE NULL END) AS product_id,
    MAX(CASE WHEN subkey = device_id || '/HeySiriEnabled' THEN value ELSE NULL END) AS siri_enabled,
    MAX(CASE WHEN subkey = device_id || '/LastInquiryUpdate' THEN value ELSE NULL END) AS last_inquiry_update,
    MAX(CASE WHEN subkey = device_id || '/LastServicesUpdate' THEN value ELSE NULL END) AS last_services_update,
    MAX(CASE WHEN subkey = device_id || '/BatteryPercent' THEN value ELSE NULL END) AS battery_percent,
    MAX(CASE WHEN device_id IN (SELECT value FROM bluetooth_plist WHERE key = 'PairedDevices') THEN 'true' ELSE NULL END) AS device_paired
  FROM bluetooth_plist
  GROUP BY device_id
)
SELECT * FROM bluetooth_devices WHERE display_name != 'false';

Martin Westergaard Lassen

02/11/2020, 5:32 PM
Thanks @fritz! I'm afraid we have plist blocked, so I'm not sure it'll work for us 😞 But great inspiration anyway

fritz

02/11/2020, 5:34 PM
@Martin Westergaard Lassen that's a bummer, a lot of the data that is in the macOS tables is actually derived from plists under the hood. They are a pretty valuable data source, but I can understand having some concern for privacy.

Martin Westergaard Lassen

02/11/2020, 5:34 PM
It's the default for Kolide and I haven't really looked into why

fritz

02/11/2020, 5:35 PM
Ah I see, are you using K2, our SaaS offering?

Martin Westergaard Lassen

02/12/2020, 8:26 AM
SaaS 🙂

fritz

02/12/2020, 3:27 PM
I took this thread to DM but for posterity's sake: K2 implements a GUI blacklist functionality for organizations who wish to limit Live Query access to tables which might expose private data if abused. Because the plist table can query any plist on a device, and some plists store sensitive data, it is added by default to the K2 Live Query blacklist. K2 Users wishing to modify this behavior or remove plist from the blacklist can do so by navigating to the following setting configuration: Kolide Osquery Table Blacklists