2 of 2 people found this helpful
(Assuming Windows) The trick is to figure out how presence of a bluetooth device would log... if you don't have built-in bluetooth you could potentially detect the addition of a USB bluetooth dongle via USB-Defender, and alert/detach it.
Or, if you've got bluetooth hardware installed but disabled disabled maybe you could use FIM to watch the registry for an enable (you'd need to find where the device disable flag is in the registry first).
Or, maybe use something from the event logs to look for a service being turned on or process started when a device is inserted, like outrun. I'm not sure if pairing will launch an app or be handled internally. It would be nice if pairing a bluetooth event logged... I did some digging and didn't find anything reliable (side note: this is what led to the creation of USB-Defender with USB devices, too).
Depending on where you're starting from (no bluetooth and watching for dongles, bluetooth but disabled, bluetooth but enabled), I'd probably get a test bluetooth device and create a filter just for anything related to that system in LEM and see what happens. You might also be able to look at the logs on the system and see if you can pinpoint an event that then we can trace back to LEM.