Is there a way to get a list of connected Bluetooth devices, like you have it with

usb_devices

?

I don’t think anyone’s written a table for that information. If you’re on macOS, I believe it’s buried in a plist somewhere. but extracting it may be roundabout.

Thanks!

Hi @Martin Westergaard Lassen, I wrote a query to do this a while back as part of my yet unpublished (😞) plist blog post:

WITH bluetooth_plist AS (
  SELECT *, SPLIT(subkey, '/', 0) AS device_id from plist where path = '/Library/Preferences/com.apple.Bluetooth.plist'
),
bluetooth_devices AS (
SELECT
device_id,
MAX(CASE WHEN subkey = device_id || '/Name' THEN value ELSE NULL END) AS display_name,
MAX(CASE WHEN subkey = device_id || '/Manufacturer' THEN value ELSE NULL END) AS manufacturer,
MAX(CASE WHEN subkey = device_id || '/ClassOfDevice' THEN value ELSE NULL END) AS device_class,
MAX(CASE WHEN subkey = device_id || '/VendorID' THEN value ELSE NULL END) AS vendor_id,
MAX(CASE WHEN subkey = device_id || '/ProductID' THEN value ELSE NULL END) AS product_id,
MAX(CASE WHEN subkey = device_id || '/HeySiriEnabled' THEN value ELSE NULL END) AS siri_enabled,
MAX(CASE WHEN subkey = device_id || '/LastInquiryUpdate' THEN value ELSE NULL END) AS last_inquiry_update,
MAX(CASE WHEN subkey = device_id || '/LastServicesUpdate' THEN value ELSE NULL END) AS last_services_update,
MAX(CASE WHEN subkey = device_id || '/BatteryPercent' THEN value ELSE NULL END) AS battery_percent,
MAX(CASE WHEN device_id IN (SELECT value FROM bluetooth_plist WHERE key = 'PairedDevices') THEN 'true' ELSE NULL END) AS device_paired
FROM bluetooth_plist
GROUP BY device_id)
SELECT * FROM bluetooth_devices WHERE display_name != 'false';

Thanks @fritz! I'm afraid we have plist blocked, so I'm not sure it'll work for us 😞 But great inspiration anyway

@Martin Westergaard Lassen that's a bummer, a lot of the data that is in the macOS tables is actually derived from plists under the hood. They are a pretty valuable data source, but I can understand having some concern for privacy.

It's the default for kolide and I haven't really looked into why

Ah I see, are you using K2, our SaaS offering?

SaaS 🙂

I took this thread to DM but for posterity's sake: K2 implements a GUI blacklist functionality for organizations who wish to limit Live Query access to tables which might expose private data if abused. Because the

plist

table can query any plist on a device, and some plists store sensitive data, it is added by default to the K2 Live Query blacklist. K2 Users wishing to modify this behavior or remove

plist

from the blacklist can do so by navigating to the following setting configuration: Kolide Osquery Table Blacklists