https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/monitoring-bluetooth/m-p/1227236#M181 <P>Hi,</P> <P>&nbsp;</P> <P>We are using Cortex XSIAM. Now we want to perform monitoring of Bluetooth in Microsoft Windows 10 and 11 computers. The reason we want to check whether our users are connecting their mobile phones, like iPhone and Androids, through their office laptop using Bluetooth</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Cortex XSIAM" id="Cortex_XSIAM"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Wed, 23 Apr 2025 13:44:29 GMT O.Faheem 2025-04-23T13:44:29Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/monitoring-bluetooth/m-p/1227236#M181 <P>Hi,</P> <P>&nbsp;</P> <P>We are using Cortex XSIAM. Now we want to perform monitoring of Bluetooth in Microsoft Windows 10 and 11 computers. The reason we want to check whether our users are connecting their mobile phones, like iPhone and Androids, through their office laptop using Bluetooth</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Cortex XSIAM" id="Cortex_XSIAM"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Wed, 23 Apr 2025 13:44:29 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/monitoring-bluetooth/m-p/1227236#M181 O.Faheem 2025-04-23T13:44:29Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/monitoring-bluetooth/m-p/1247946#M342 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1523226517">@O.Faheem</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>Yes, you can monitor and control Bluetooth connections on Windows 10 and 11 computers using Cortex XSIAM. This functionality is available starting with Cortex XDR Agent version 8.6.</P> <H4>&nbsp;</H4> <H4>Requirements</H4> <UL> <LI> <P><STRONG>Agent Version:</STRONG> Cortex XDR Agent 8.6 or later</P> </LI> <LI> <P><STRONG>Operating System:</STRONG> Windows 10 (Version 1809 and later) or Windows 11</P> </LI> </UL> <H4>&nbsp;</H4> <H4>Configuration Steps:</H4> <P>To monitor or block mobile phone connections via Bluetooth, configure a <STRONG>Device Control policy</STRONG> within an Extensions profile:</P> <OL> <LI> <P>Navigate to <STRONG>Endpoints → Policy Management → Prevention → Profiles</STRONG>.</P> </LI> <LI> <P>Create or edit a <STRONG>Windows Device Configuration profile</STRONG>.</P> </LI> <LI> <P>Locate the <STRONG>Bluetooth Devices</STRONG> section.</P> </LI> </OL> <P>&nbsp;</P> <H4>Monitor Only:</H4> <UL> <LI> <P>Set the policy to <STRONG>Allow</STRONG>.</P> </LI> <LI> <P>Ensure <STRONG>Device Control logging</STRONG> is enabled to capture connection events.</P> </LI> </UL> <H4>Block Mobile Phones</H4> <UL> <LI> <P>Choose <STRONG>Custom settings</STRONG>.</P> </LI> <LI> <P>Under <STRONG>Bluetooth Classic services</STRONG>, select categories such as <STRONG>Phone</STRONG> (including smartphone subcategories) to block.</P> </LI> <LI> <P>Optionally, block specific <STRONG>Low Energy (LE) services</STRONG> if needed.</P> </LI> </UL> <H4>&nbsp;</H4> <H4>Monitoring and Detection:</H4> <P>Bluetooth connection events and data transfer activities are logged in XSIAM and can be queried using XQL.</P> <P>Example query:</P> <PRE><CODE>dataset = device_control_logs | filter device_type = "Bluetooth" | limit 100 </CODE></PRE> <HR /> <H4>Important Considerations and Limitations:</H4> <UL> <LI> <P><STRONG>Existing Connections:</STRONG> Devices already paired when a block policy is applied may not be immediately disconnected. For the policy to take effect, manually unpair the device or restart the computer.</P> </LI> <LI> <P><STRONG>Phone Link Bypass:</STRONG> Microsoft Phone Link may bypass Bluetooth-only file transfer blocks because it can use Wi-Fi or mobile data for transfers after the initial pairing.</P> </LI> <LI> <P><STRONG>Outbound Transfer Issues:</STRONG> Some agent versions (8.6–8.8) may not consistently block outbound file transfers from laptop to phone; this is resolved in Agent 8.9.</P> </LI> <LI> <P><STRONG>Granularity:</STRONG> Serial numbers for Bluetooth devices are not currently extracted; exceptions are typically based on <STRONG>Vendor ID</STRONG> and <STRONG>Product ID</STRONG>.</P> </LI> </UL> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Wed, 11 Feb 2026 14:39:31 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/monitoring-bluetooth/m-p/1247946#M342 susekar 2026-02-11T14:39:31Z