DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office action is in response to the amendment, arguments and remarks, filed on 10/27/2020, in which claim(s) 1-20 is/are presented for further examination.
Claims 1, 7 and 13 have been amended.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/27/2020 has been entered.

Response to Amendments
Applicant’s amendments to claims 1, 7 and 13 have been accepted.  The objections to the claims for informalities have been withdrawn.
Applicant’s amendments to claims 1, 7 and 13 have been accepted.  Support was found in at least [0033], [0053], [0076], [0080] and [0081] of the specification.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20, filed on 10/27/2020, have been fully considered but they are not persuasive.

Applicant’s arguments with respect to the rejections of claim(s) 1-20 under 35 U.S.C. 103(a), see the middle of page 8 to the middle of page 9 of applicant’s remarks, filed on 10/27/2020, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Information Disclosure Statement
The information disclosure statement(s) (IDS), submitted on 10/28/2020, 11/10/2020 and 11/20/2020, is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Coates et al., US 2016/0147380 A1 (hereinafter “Coates”).
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the 

Claims 1, 7 and 13
Coates discloses a computer-implementable method for resolving an identity of an entity, comprising:
receiving a stream of events from a protected endpoint, the stream of events comprising a plurality of events (Coates, [0152], see event processing system that processes machine data from different sources [i.e., protected endpoint] to represent machine data as events), the protected endpoint comprising an endpoint agent executing on an endpoint device (Coates, [0145], see entity definitions associations an entity with machine data, where the machine that produces the machine data is interpreted as the “endpoint device” and whatever sends the machine data is being interpreted as the “endpoint agent”), the endpoint agent requiring the endpoint device to comply with particular criteria before being granted access to network resources (Coates, [0470], see security related information for the endpoint include access control information and login/logout information and access failure notification [i.e., all deal with allowing access to the network only when authorized]);
parsing entity identifier information associated with the entity to provide an entity identifier element (Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the event data, which are associated with an entity), the entity identifier information comprising temporal information (Coates, [0152], see timestamps for the event data);
classifying the entity identifier element to provide a classified entity identifier element (Coates, [0152] and [0153], see processing machine data to represent machine data as events including a schema to the events and extracting fields defined by the schema including a source of the event data and a source type for the event data [i.e., entity identifying elements] and indexing and storing them and establishing associations between the entity and machine data [i.e., classified]), the classified entity identifier element comprising an entity identifier element type, the entity identifier element type providing a representation of a particular attribute associated with the entity identifier element (Coates, [0152] and [0153], see processing machine data to represent machine data as events including a schema to the events and extracting fields defined by the schema including a source of the event data and a source type for the event data [i.e., entity identifying elements] and indexing and storing them and establishing associations between the entity and machine data [i.e., classified]);
normalizing the classified entity identifier element to provide a classified and normalized entity identifier element (Coates, [0152] and [0159], see normalizing the various aliases for the entity [i.e., entity identifier elements]), the classified and normalized entity identifier element being type dependent (Coates, [0152] and [0153], see processing machine data to represent machine data as events including a schema to the events and extracting fields defined by the schema including a source of the event data and a source type for the event data [i.e., entity identifying elements] and indexing and storing them and establishing associations between the entity and machine data [i.e., classified]; and Coates, [0150] and [0159] describes normalizing different aliases [i.e., entity identifier element] and formats of machine data, where an alias is associated with the machine data, which has a format [i.e., type] associated with it, thus, the normalization alias will also have the format [i.e., type] associated with it and, Note: The claim language recites “type dependent”; however, it is unclear whether the “type” refers to the “entity identifier element type” or another “type”.  As such, the examiner is interpreting the “type” to be another type besides the “entity identifier element type”); and,
associating the classified and normalized entity identifier element and the temporal information with the entity to resolve the identity of the entity at a particular point in time (Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the event data, which are associated with an entity; and Coates, [0187], see the ability to search within a time range, which means a time/temporal element is associated with the respective entities), the associating determining whether the classified and normalized entity identifier element matches a known entity identifier element type (Coates, [0154], see specifying an entity type for an entity; and Coates, [0158], see being able to search for entities by the entity type, which means entities (and their associated identifiers] have been linked to entity types); and,
performing a security analysis operation, the security analysis operation using the resolved identity of the entity at the particular point in time to assess a risk associated with the entity (Coates, [0410], see running a search and indicating a security threat or operational problem; Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the event data, which are associated with an entity; and Coates, [0187], see the ability to search within a time range, which means a time/temporal element is associated with the respective entities).
a system comprising:
a processor (Coates, [0481] and [0482], see processor);
a data bus coupled to the processor (Coates, [0481], see bus); and
a non-transitory, computer-readable storage medium embodying computer program code (Coates, [0481], see memory]).
With respect to claim 13, Coates discloses a non-transitory, computer-readable storage medium embodying computer program code (Coates, [0481], see memory]).

Claims 2, 8 and 14
With respect to claims 2, 8 and 14, Coates discloses wherein:
the temporal information is associated with an event of the plurality of events associated with a particular point in time (Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the event data, which are associated with an entity; and Coates, [0187], see the ability to search within a time range, which means a time/temporal element is associated with the respective entities).

Claims 3, 9 and 15
With respect to claims 3, 9 and 15, Coates discloses wherein:
the temporal information comprises temporal event information, the temporal event information being associated with a particular event of the plurality of events (Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the 

Claims 4, 10 and 16
With respect to claims 4, 10 and 16, Coates discloses wherein:
the temporal event information comprises content, the content comprising at least one of text, unstructured data, structured data, a graphical image, a photograph, an audio recording, and a video recording (Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the event data, which are associated with an entity; and Coates, [0187], see the ability to search within a time range, which means a time/temporal element is associated with the respective entities).

Claims 5, 11 and 17
With respect to claims 5, 11 and 17, Coates discloses wherein:
the temporal event information comprises metadata associated with the content, the metadata comprising a temporal event attribute for the content (Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the event data, which are associated with an entity; and Coates, [0187], see the ability to search within a time range, which means a time/temporal element is associated with the respective entities).

Claims 6, 12 and 18
With respect to claims 6, 12 and 18, Coates discloses wherein:
the normalizing provides an implicit identifier pair associated with the normalized entity identifier element (Coates, [0152] and [0159]; Coates; [0394]; Coates, [0433]; and Coates, [0462]).

Claim 19
With respect to claim 19, Coates discloses wherein:
the computer executable instructions are deployable to a client system from a server system at a remote location (Coates, [0121]).

Claim 20
With respect to claim 20, Coates discloses wherein:
the computer executable instructions are provided by a service provider to a user on an on-demand basis (Coates, [0107] and [0108]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
– Ahmed et al. for threat detection and mitigation in a virtualized computing environment;
– Chari et al. for detecting malicious user activity;

– Manadhata et al. for risk scores for entities; and
– Scheib et al. for MDL-based clustering for dependency mapping.

Point of Contact
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUBERT G CHEUNG whose telephone number is (571) 270-1396.  The examiner can normally be reached on M-R 8:00A-5:00P EST; alt. F 8:00A-4:00P EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neveen Abel-Jalil can be reached on (571) 270-0474.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-




Examiner: Hubert Cheung
Date: February 10, 2021
/Hubert Cheung/Assistant Examiner, Art Unit 2152

/NEVEEN ABEL JALIL/Supervisory Patent Examiner, Art Unit 2152