The Jamf Threat Labs team created Aftermath, a Swift-based, open-source incident response framework tailor-made for macOS.
After a security incident has occurred, Aftermath performs rapid collection by running a series of modules and creates an output archive ready to be analyzed.
You now have the critical incident data needed to perform a detailed investigation.
Aftermath can be run independently from an endpoint’s command line but was built to be deployed via a device management system to collect results at scale.
Link:
https://trusted.jamf.com/docs/rapid-incident-response-macos