This is just how it looks when you publish an open source project at Google.

Google controls the repo hence it's under the Google GitHub org. But then you just slap the "not a Google product" thing at the end to clarify that it's "just" some engineers publishing code rather than the release of the code of a Google product (nor a major strategic open source initiative like Go).

Their process is documented at https://opensource.google/documentation/reference/releasing

So it could even be a pure hobby project - not something done for work - where the initial author (over a decade ago) chose to release it under Google's copyright rather than use the exception process.

Any Googler can write code and open source it on the Google GitHub (within reason, the process is quite straightforward). So no, Google as an entity does not official endorse it, all it means is at least one employee is working on that particular effort.

I heard a lecture from one of its users/developers a year ago in Munich. IIRC it’s a tool that came out of their incident response teams, but don‘t quote me on this

I'm more understanding it as a tool so that multiple people collaborating on investigating a hack/data-breach/etc can audit/tag events in the interesting logs (ssh logins, weird executables starting,network probes, etc) from various sources and get a _combined timeline_ to easier determine adversary movement, cause-and-effect and so on to easier find what needs patching,etc.

Thanks, I thought I was the only one baffled by this.