Martin Westergaard Lassen
02/11/2020, 1:16 PMusb_devices
?seph
Martin Westergaard Lassen
02/11/2020, 5:18 PMfritz
02/11/2020, 5:31 PM
-- Lists the Bluetooth devices recorded in com.apple.Bluetooth.plist, one row
-- per device_id, with selected per-device attributes pivoted into columns.
-- osquery's plist table can read any plist on the host, and some plists hold
-- sensitive data, so the path is pinned to one exact file and only the
-- columns this query uses are carried forward.
WITH bluetooth_plist AS (
    -- Flattened plist rows; device_id is the first '/'-separated segment of subkey.
    SELECT
        key,
        subkey,
        value,
        SPLIT(subkey, '/', 0) AS device_id
    FROM plist
    WHERE path = '/Library/Preferences/com.apple.Bluetooth.plist'
),
paired_devices AS (
    -- Values stored under the PairedDevices key.
    SELECT value AS paired_id
    FROM bluetooth_plist
    WHERE key = 'PairedDevices'
),
bluetooth_devices AS (
    -- Pivot: each '<device_id>/<Attribute>' subkey becomes a column.
    -- A CASE without ELSE yields NULL and MAX() skips NULLs, so each column
    -- holds the matching value, or NULL when the device has no such entry.
    SELECT
        device_id,
        MAX(CASE WHEN subkey = device_id || '/Name' THEN value END) AS display_name,
        MAX(CASE WHEN subkey = device_id || '/Manufacturer' THEN value END) AS manufacturer,
        MAX(CASE WHEN subkey = device_id || '/ClassOfDevice' THEN value END) AS device_class,
        MAX(CASE WHEN subkey = device_id || '/VendorID' THEN value END) AS vendor_id,
        MAX(CASE WHEN subkey = device_id || '/ProductID' THEN value END) AS product_id,
        MAX(CASE WHEN subkey = device_id || '/HeySiriEnabled' THEN value END) AS siri_enabled,
        MAX(CASE WHEN subkey = device_id || '/LastInquiryUpdate' THEN value END) AS last_inquiry_update,
        MAX(CASE WHEN subkey = device_id || '/LastServicesUpdate' THEN value END) AS last_services_update,
        MAX(CASE WHEN subkey = device_id || '/BatteryPercent' THEN value END) AS battery_percent,
        -- 'true' when device_id appears among the PairedDevices values, otherwise NULL.
        MAX(CASE WHEN device_id IN (SELECT paired_id FROM paired_devices) THEN 'true' END) AS device_paired
    FROM bluetooth_plist
    GROUP BY device_id
)
SELECT
    device_id,
    display_name,
    manufacturer,
    device_class,
    vendor_id,
    product_id,
    siri_enabled,
    last_inquiry_update,
    last_services_update,
    battery_percent,
    device_paired
FROM bluetooth_devices
-- Drops groups with no Name entry (NULL) and those whose Name is the string 'false'.
WHERE display_name IS NOT NULL
    AND display_name <> 'false';
Martin Westergaard Lassen
02/11/2020, 5:32 PMfritz
02/11/2020, 5:34 PMMartin Westergaard Lassen
02/11/2020, 5:34 PMfritz
02/11/2020, 5:35 PMMartin Westergaard Lassen
02/12/2020, 8:26 AMfritz
02/12/2020, 3:27 PM
Because the `plist` table can query any plist on a device, and some plists store sensitive data, it is added by default to the K2 Live Query blacklist.
K2 users wishing to modify this behavior or remove `plist` from the blacklist can do so by navigating to the following setting configuration: Kolide Osquery Table Blacklists