Monitoring Bluetooth


L1 Bithead

Hi,

 

We are using Cortex XSIAM. Now we want to monitor Bluetooth on Microsoft Windows 10 and 11 computers. The reason is that we want to check whether our users are connecting their mobile phones, like iPhones and Androids, to their office laptops using Bluetooth.

 

Tags: Cortex XSIAM, Cortex XDR


L4 Transporter

Hello @O.Faheem,

 

Greetings for the day.

 

Yes, you can monitor and control Bluetooth connections on Windows 10 and 11 computers using Cortex XSIAM. This functionality is available starting with Cortex XDR Agent version 8.6.

 

Requirements

  • Agent Version: Cortex XDR Agent 8.6 or later

  • Operating System: Windows 10 (Version 1809 and later) or Windows 11

 

Configuration Steps:

To monitor or block mobile phone connections via Bluetooth, configure a Device Control policy within an Extensions profile:

  1. Navigate to Endpoints → Policy Management → Prevention → Profiles.

  2. Create or edit a Windows Device Configuration profile.

  3. Locate the Bluetooth Devices section.

 

Monitor Only:

  • Set the policy to Allow.

  • Ensure Device Control logging is enabled to capture connection events.

Block Mobile Phones:

  • Choose Custom settings.

  • Under Bluetooth Classic services, select categories such as Phone (including smartphone subcategories) to block.

  • Optionally, block specific Low Energy (LE) services if needed.

 

Monitoring and Detection:

Bluetooth connection events and data transfer activities are logged in XSIAM and can be queried using XQL.

Example query:

dataset = device_control_logs 
| filter device_type = "Bluetooth" 
| limit 100

Important Considerations and Limitations:

  • Existing Connections: Devices already paired when a block policy is applied may not be immediately disconnected. For the policy to take effect, manually unpair the device or restart the computer.

  • Phone Link Bypass: Microsoft Phone Link may bypass Bluetooth-only file transfer blocks because it can use Wi-Fi or mobile data for transfers after the initial pairing.

  • Outbound Transfer Issues: Some agent versions (8.6–8.8) may not consistently block outbound file transfers from laptop to phone; this is resolved in Agent 8.9.

  • Granularity: Serial numbers for Bluetooth devices are not currently extracted; exceptions are typically based on Vendor ID and Product ID.

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar

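As an added example (not part of the original post, and not Palo Alto Networks code), the following PowerShell script gives a local view of the same thing the Device Control policy reports: it enumerates the Bluetooth devices paired with a Windows 10/11 host, decodes the Bluetooth Class of Device to flag phones (major class 0x02, with the cellular/smartphone minor classes), and distinguishes Classic (BTHENUM) from Low Energy (BTHLE) device nodes. It assumes the PnP cmdlets expose the DEVPKEY_Bluetooth_ClassOfDevice and DEVPKEY_Bluetooth_LastConnectedTime properties for Bluetooth device nodes; that is an assumption about the host build, and the script reports Unknown rather than failing if a property is absent.

```powershell
# Added example (not from the original post): audit which Bluetooth devices are paired
# with this Windows 10/11 host and flag phones, as a local spot check alongside the
# Cortex XDR Device Control policy described above. Run from an elevated PowerShell.
# Assumption: the Bluetooth bus driver exposes the PnP properties
# DEVPKEY_Bluetooth_ClassOfDevice and DEVPKEY_Bluetooth_LastConnectedTime for device
# nodes; where a property is missing the script reports 'Unknown' rather than failing.

function Get-BluetoothMajorClass {
    param([Parameter(Mandatory)][uint32]$ClassOfDevice)
    # Bluetooth Assigned Numbers: the major device class is bits 8..12 of the CoD.
    $majorTable = @{
        0x00 = 'Miscellaneous'; 0x01 = 'Computer';   0x02 = 'Phone';   0x03 = 'LAN/Network'
        0x04 = 'Audio/Video';   0x05 = 'Peripheral'; 0x06 = 'Imaging'; 0x07 = 'Wearable'
        0x08 = 'Toy';           0x09 = 'Health';     0x1F = 'Uncategorized'
    }
    $major = [int](($ClassOfDevice -shr 8) -band 0x1F)
    if ($majorTable.ContainsKey($major)) { return $majorTable[$major] }
    return ('Reserved(0x{0:X2})' -f $major)
}

function Get-PhoneMinorClass {
    param([Parameter(Mandatory)][uint32]$ClassOfDevice)
    # Minor device class is bits 2..7; these values are specific to the Phone major class.
    switch ([int](($ClassOfDevice -shr 2) -band 0x3F)) {
        1       { 'Cellular' }
        2       { 'Cordless' }
        3       { 'Smartphone' }
        4       { 'Wired modem / voice gateway' }
        5       { 'Common ISDN access' }
        default { 'Uncategorized' }
    }
}

function Get-PairedBluetoothDevice {
    # BTHENUM\DEV_<addr> = Bluetooth Classic (BR/EDR) device node, BTHLE\DEV_<addr> = Low Energy.
    # The local radio and per-service endpoints also sit in the Bluetooth class; the DEV_ filter drops them.
    Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -match '^BTH(ENUM|LE)\\DEV_' } |
        ForEach-Object {
            $id   = $_.InstanceId
            $cod  = (Get-PnpDeviceProperty -InstanceId $id -KeyName DEVPKEY_Bluetooth_ClassOfDevice -ErrorAction SilentlyContinue).Data
            $seen = (Get-PnpDeviceProperty -InstanceId $id -KeyName DEVPKEY_Bluetooth_LastConnectedTime -ErrorAction SilentlyContinue).Data
            $major = 'Unknown'; $phoneType = ''
            if ($null -ne $cod) {
                $major = Get-BluetoothMajorClass -ClassOfDevice ([uint32]$cod)
                if ($major -eq 'Phone') { $phoneType = Get-PhoneMinorClass -ClassOfDevice ([uint32]$cod) }
            }
            $transport = if ($id -like 'BTHLE\*') { 'LE' } else { 'Classic' }
            [pscustomobject]@{
                Name          = $_.FriendlyName
                Transport     = $transport
                Address       = ($id -replace '^BTH(ENUM|LE)\\DEV_([0-9A-F]{12}).*$', '$2')
                MajorClass    = $major
                PhoneType     = $phoneType
                Present       = $_.Present        # $true only while the device is actually connected
                LastConnected = $seen
                InstanceId    = $id
            }
        }
}

# Report: everything paired, then a warning if any phone is among them.
$devices = @(Get-PairedBluetoothDevice)
$devices | Sort-Object MajorClass, Name |
    Format-Table Name, Transport, Address, MajorClass, PhoneType, Present, LastConnected -AutoSize

$phones = @($devices | Where-Object { $_.MajorClass -eq 'Phone' })
if ($phones.Count -gt 0) {
    Write-Warning ('{0} phone(s) paired with {1}: {2}' -f $phones.Count, $env:COMPUTERNAME, ($phones.Name -join ', '))
}
```

Run it elevated on a laptop before rolling out a block policy. Per the limitation in the reply above, devices that were already paired when the block is applied are not disconnected until they are unpaired or the machine restarts, so the phones this script lists are exactly the set the policy will not remove on its own and that need manual cleanup. Paired-but-disconnected devices still appear (Present is false); the LastConnected value shows when they were last used.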