Collect information about connected or paired Bluetooth-enabled devices.
name: MacOS.Network.Bluetooth
type: CLIENT
author: Wes Lambert - @therealwlambert
description: |
Collect information about connected or paired Bluetooth-enabled devices.
parameters:
- name: BluetoothGlob
default: /Library/Bluetooth/Library/Preferences/com.apple.MobileBluetooth.devices.plist
precondition:
SELECT OS From info() where OS = 'darwin'
sources:
- query: |
LET BluetoothLocation = SELECT OSPath from glob(globs=BluetoothGlob)
LET BluetoothDevices = SELECT plist(file=OSPath) AS BD FROM BluetoothLocation
SELECT * from foreach(
row=BluetoothDevices,
query={
SELECT _value.Name AS Name,
timestamp(epoch=_value.LastSeenTime) AS LastSeen,
_value.DefaultName AS Description,
base64decode(string=_value.DeviceClass) AS _DeviceClass,
_value.DeviceIdProduct AS DeviceIDProduct,
_value.DeviceIdVendor AS DeviceIdVendor,
_value.DeviceIdVendorSource AS DeviceIdVendorSource,
_value.DeviceIdVersion AS DeviceIdVersion,
_value.SerialPort AS SerialPort,
_value.ServiceRemote AS SerialRemote,
_value.initiateSDPMirroringState AS SDPMirroring,
_key AS MACAddress,
_value.DevicePrimaryHash AS DevicePrimaryHash,
_value AS _Value
FROM items(item=BD)
}
)