DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action has been issued in response to Applicant’s Communication of application S/N 16/222,269 filed on November 19, 2020. Claims 1 to 20 have been cancelled. Claims 21-40 are pending with the application.

Terminal Disclaimer
The terminal disclaimer filed on November 19, 2020 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of S/N 16/288,508 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/17/2018, 12/21/2018, 08/22/2019, 11/06/2019, 12/06/2019, 01/09/2020 were filed before the mailing date of the first office action on the merits. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


With respect to claim 21, the claim recites a computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device; enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events; extracting features from the plurality of events using the enriched data associated with each of the plurality of events; generating enriched events corresponding to each of the plurality of events based upon enriched data associated with each of the plurality of events and the features extracted from the plurality of events; and, performing the risk assessment operation via a security analytics system based upon the enriched events.
The limitations directed towards enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events, extracting features from the plurality of events using the enriched data associated with each of the plurality of events, generating enriched events corresponding to each of the plurality of events based upon enriched data associated with each of the plurality of events and the features extracted from the plurality of events, and performing the risk assessment operation based upon the enriched events is a process that, under its broadest reasonable interpretation, covers performance of these limitations in the mind but for the recitation of generic computer components. That is, other than reciting a computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an 
For example, but for the limitations stating “a computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device” and “a security analytics system”, the mention of “enriching”, “extracting”, “generating”, and “performing” in the context of this claim, encompasses a user mentally augmenting data tied to a plurality of events and using that augmented data to mentally generate event data based on features of those events using the augmented data to mentally make a risk assessment. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
The judicial exception is not integrated into a practical application by additional elements. In particular, claim 21 recites a computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device and a security analytics system. A computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint 
These claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements, a computer-implementable method for performing a risk assessment operation and a security analytics system as recited in claim 21 is recited at a high level of generality to apply the exception using generic computer components. Receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device is interpreted to be well understood, routine and conventional activity (Receiving or transmitting data over a network e.g., using the internet to gather data, Symantec (see MPEP 2106.05(d))). Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. To further elaborate, the additional limitation of a computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of events via a protected 
With respect to claim 27, the claim recites a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device; enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events; extracting features from the plurality of events using the enriched data associated with each of the plurality of events; generating enriched events corresponding to each of the plurality of events based upon enriched data associated with each of the plurality of events and the features extracted from the plurality of events; and, performing the risk assessment operation via a security analytics system based upon the enriched events.
The limitations directed towards enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events, extracting features from the plurality of events using the enriched data associated with each of the plurality of events, generating enriched events corresponding to each of the plurality of events based upon enriched data associated 
For example, but for the limitations stating “a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device” and “a security analytics system”, the mention of “enriching”, “extracting”, “generating”, and “performing” in the context of this claim, encompasses a 
The judicial exception is not integrated into a practical application by additional elements. In particular, claim 27 recites a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device and a security analytics system. A system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device and a security analytics system as recited in claim 21 is recited at a high-level of generality (i.e., as a generic computer performing a generic computer function of receiving). Receiving a stream of events via a 
These claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements, a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and a security analytics system as recited in claim 27 is recited at a high level of generality to apply the exception using generic computer components. Receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device is interpreted to be well understood, routine and conventional activity (Receiving or transmitting data over a network e.g., using the internet to gather data, Symantec (see MPEP 2106.05(d))). Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. To further elaborate, the additional limitation of a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-
With respect to claim 33, the claim recites a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions configured for: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device; enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events; extracting features from the plurality of events using the enriched data associated with each of the plurality of events; generating enriched events corresponding to each of the plurality of events based upon enriched data associated with each of the plurality of events and the features extracted from the plurality of events; and, performing the risk assessment operation via a security analytics system based upon the enriched events.
The limitations directed towards enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events, extracting features from the plurality of events using the enriched data associated with each of the plurality of events, generating 
For example, but for the limitations stating “A non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions configured for: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device” and “a security analytics system”, the mention of “enriching”, “extracting”, “generating”, and “performing” in the context of this claim, encompasses a user mentally augmenting data tied to a plurality of events and using that augmented data to mentally generate event data based on features of those events using the augmented data to mentally make a risk assessment. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the 
The judicial exception is not integrated into a practical application by additional elements. In particular, claim 33 recites a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions configured for: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device and a security analytics system. A non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions configured for: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device and a security analytics system as recited in claim 33 is recited at a high-level of generality (i.e., as a generic computer performing a generic computer function of receiving). Receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device is considered by the examiner to be mere data gathering such that it amounts to no more than insignificant extra solution activity. 
These elements do not integrate the abstract idea into a practical application because it does not impose a meaningful limit on the judicial exception and it merely confines the claim to a 
These claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements, a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions configured for and a security analytics system as recited in claim 33 is recited at a high level of generality to apply the exception using generic computer components. Receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device is interpreted to be well understood, routine and conventional activity (Receiving or transmitting data over a network e.g., using the internet to gather data, Symantec (see MPEP 2106.05(d))). Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. 
To further elaborate, the additional limitation of a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions configured for: receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device and a security analytics system does not impose a meaningful limit on the judicial exception and it merely confines the claim to a particular technological environment or field of use. Claim 33 is not patent eligible.

With respect to claims 22, 28, and 34, the limitations are directed towards storing the enriched events corresponding to each of the plurality of events within a datastore. These elements further elaborate the abstract idea and merely confine the claim to a particular technological environment or field of use. Therefore, claims 22, 28, and 34 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.
With respect to claims 23, 29, and 35, the limitations are directed towards the enriching data comprising at least one of validating event data associated with at least some of the plurality of events; disclaiming certain event data associated with at least some of the plurality of events; deduplicating at least some of the plurality of events; performing an entity resolution operation on at least some of the plurality of events; performing an attachment enrichment operation on data associated with at least some of the plurality of events; and, performing a domain enrichment on at least some of the plurality of events. The elements directed to validating event data associated with at least some of the plurality of events further elaborate the abstract idea, and the human mind, with or without pen and paper, can label at least some of the plurality of events prior to extracting features from the plurality of events. Therefore, claims 23, 29, and 35 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.

With respect to claims 25, 31, and 37, the limitations are directed towards extracting features comprising performing transformation operations on certain features associated with an event to generate a smaller set of derived features. These elements further elaborate the abstract idea, and the human mind, with or without pen and paper, can extract features by performing transformation operations on certain features associated with an event to generate a smaller set of derived features. Therefore, claims 25, 31, and 37 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.
With respect to claims 26, 32, and 38, the limitations are directed towards processing a query relating to the plurality of events, the processing of the query being performed via a streaming query framework. These additional limitations appear to be insignificant extra-solution activity and are interpreted to be well understood, routine and conventional (Receiving or transmitting data over a network e.g., using the internet to gather data, Symantec (see MPEP 2106.05(d))). Therefore, claims 26, 32, and 38 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.
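The eligibility analysis above paraphrases the claimed pipeline as a sequence of steps: receive endpoint events, enrich them (validation, deduplication, entity resolution, attachment and domain enrichment), transform the enriched records into a smaller set of derived features, generate enriched events, score risk, and query the result. The following Python is an added illustration of that sequence run over a constructed event stream; it is not code from the application, the applicant, or the cited references (Puri, Li). The event field names, the alias directory, the internal-domain allowlist, the office-hours window and the risk weights are all assumptions made for the example.

```python
"""Added example: endpoint-event enrichment and risk scoring on constructed data.

Every field name, directory entry, allowlist and weight below is an assumption
for illustration; none of it comes from the office action or its references.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample stream, shaped like records an endpoint agent might emit.
RAW_EVENTS = [
    {"id": "e1", "ts": "2021-03-01T09:15:00Z", "user": "jdoe", "action": "file_open",
     "host": "wks-17", "domain": "intranet.example.test", "attachment": None},
    {"id": "e1", "ts": "2021-03-01T09:15:00Z", "user": "jdoe", "action": "file_open",
     "host": "wks-17", "domain": "intranet.example.test", "attachment": None},  # exact duplicate
    {"id": "e2", "ts": "2021-03-01T23:40:00Z", "user": "john.doe@example.test",
     "action": "email_send", "host": "wks-17", "domain": "paste.example.invalid",
     "attachment": {"name": "q1-forecast.xlsx", "bytes": 4_500_000}},
    {"id": "e3", "ts": "not-a-timestamp", "user": "asmith", "action": "login",
     "host": "wks-03", "domain": None, "attachment": None},  # fails validation
    {"id": "e4", "ts": "2021-03-01T10:05:00Z", "user": "asmith", "action": "login",
     "host": "wks-03", "domain": None, "attachment": None},
]

# Assumed lookup data: alias -> canonical entity, and which domains count as internal.
ALIAS_DIRECTORY = {"jdoe": "U-1001", "john.doe@example.test": "U-1001", "asmith": "U-2002"}
INTERNAL_DOMAINS = {"intranet.example.test"}
RISK_WEIGHTS = {"external_domain": 3, "off_hours": 2, "large_attachment": 2, "sends_data": 1}
REQUIRED = ("id", "ts", "user", "action", "host")


def validate(event):
    """Validation: required fields present and timestamp parseable; else drop."""
    if any(event.get(k) is None for k in REQUIRED):
        return None
    try:
        ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {**event, "ts": ts}


def deduplicate(events):
    """Deduplication on (id, user, action, timestamp); first occurrence wins."""
    seen, out = set(), []
    for e in events:
        key = (e["id"], e["user"], e["action"], e["ts"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def resolve_entity(event):
    """Entity resolution: collapse user aliases onto one canonical entity id."""
    return {**event, "entity": ALIAS_DIRECTORY.get(event["user"], "UNKNOWN:" + event["user"])}


def enrich_domain(event):
    """Domain enrichment: classify the contacted domain as internal/external/none."""
    d = event.get("domain")
    cls = "none" if d is None else ("internal" if d in INTERNAL_DOMAINS else "external")
    return {**event, "domain_class": cls}


def enrich_attachment(event):
    """Attachment enrichment: normalise attachment size to megabytes."""
    a = event.get("attachment")
    return {**event, "attachment_mb": round(a["bytes"] / 1e6, 2) if a else 0.0}


def enrich(events):
    """Run the enrichment steps in order over the raw stream."""
    valid = [v for v in (validate(e) for e in events) if v is not None]
    return [enrich_attachment(enrich_domain(resolve_entity(e))) for e in deduplicate(valid)]


def extract_features(event):
    """Transform an enriched record into a smaller set of derived features."""
    return {
        "external_domain": event["domain_class"] == "external",
        "off_hours": not (7 <= event["ts"].hour < 19),  # assumed office hours 07:00-19:00 UTC
        "large_attachment": event["attachment_mb"] >= 1.0,
        "sends_data": event["action"] in ("email_send", "upload"),
    }


def risk_score(features):
    """Risk assessment: weighted sum of the derived features that fired."""
    return sum(w for name, w in RISK_WEIGHTS.items() if features[name])


def enriched_events(raw):
    """Generate enriched events carrying enrichment, features and a risk score."""
    out = []
    for e in enrich(raw):
        f = extract_features(e)
        out.append({**e, "features": f, "risk": risk_score(f)})
    return out


def risk_by_entity(raw):
    """Aggregate per-event risk onto the resolved entity."""
    totals = Counter()
    for e in enriched_events(raw):
        totals[e["entity"]] += e["risk"]
    return dict(totals)


def query(raw, predicate):
    """Query over the enriched events; returns matching event ids in stream order."""
    return [e["id"] for e in enriched_events(raw) if predicate(e)]


if __name__ == "__main__":
    for e in enriched_events(RAW_EVENTS):
        print(e["id"], e["entity"], e["domain_class"], e["risk"])
    print(risk_by_entity(RAW_EVENTS))
    print(query(RAW_EVENTS, lambda e: e["risk"] >= 5))
```

On the constructed stream the duplicate of e1 is dropped, e3 is rejected by validation, the two aliases of the same person resolve to entity U-1001, and only the off-hours external send with a large attachment (e2) scores highly. The design point the example makes is the ordering the claims describe: entity resolution and domain enrichment happen before feature extraction, so the derived features and the per-entity aggregation are computed over canonical values rather than raw strings.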

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:



Claims 21-38 are rejected under 35 U.S.C. 103 as being unpatentable over Puri et al. (US 20160371489 A1), hereinafter Puri, in view of Li et al. (U.S. Publication No. US 20190294482 A1), hereinafter Li.
As to claim 21:
Puri discloses:
A computer-implementable method for performing a risk assessment operation, comprising [Paragraph 0051 teaches incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0096 teaches categorizations may be fed into a real-time CEP engine to generate rules to grade new events for a given time of a day to aid analysts and help provide context to risk assessments. Paragraph 0118 methods, functions and other processes may be embodied as machine readable instructions stored on a computer readable medium, which may be non-transitory.]:
receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events [Paragraph 0024 teaches CEP may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns];
enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events [Paragraph 0080 teaches CEP 252 may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include 
Note: The examiner interprets pre-processing each record or event to enrich data by adding to it or transforming it to be the claimed enriching data associated with each of the plurality of events to provide enriched data, wherein the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events and validating security events is interpreted to be the claimed enriching data associated with each of the plurality of events.]
extracting features from the plurality of events using the enriched data associated with each of the plurality of events [Paragraph 0051 teaches data present in log files may be characterized by log traces containing unique identifiers, timestamps, events, and actions… the incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0097 teaches that in addition to mining, analytics may be performed on learned graphs to extract anomalous behaviors.
Note: The examiner interprets the anomalies and risks to be the claimed extracting features from the plurality of events using the enriched data associated with each of the plurality of events. Timestamps used in the analysis to extract anomalies and risks are interpreted to be the claimed extracting features from the plurality of events using the enriched data. The examiner also interprets incoming data, i.e., data present in log files containing events, to be the claimed plurality of events.]; 
generating enriched events corresponding to each of the plurality of events based upon enriched data associated with each of the plurality of events and the features extracted from the plurality of events [Paragraph 0046 teaches an anomaly visualizer 124 may generate various types of visualizations 126 to facilitate an identification of anomalies in the data 118. Paragraph 0080 teaches the CEP 252 may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time to assess new threats. The CEP 252 may combine data from multiple sources to infer events or patterns that suggest more complicated circumstances. The CEP 252 may identify meaningful events (such as opportunities or threats). Paragraph 0081 teaches a map/reduce job may take a relatively long time to execute based on the amount of data and the complexity of the algorithms in the map/reduce job; in contrast, the CEP 252 operates on one record at a time. Each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it).
Note: The examiner interprets streams of event data tracked and processed by the CEP to be the claimed plurality of events, the identified patterns to be the claimed extracted features, and the meaningful events (such as opportunities or threats) to be the generated enriched events. Although not explicitly stated, the examiner interprets the enriched data resulting from CEP pre-processing to be the claimed enriched data associated with each of the plurality of events, wherein the pre-processing is interpreted to have occurred prior to the identification of meaningful events; therefore the identification of meaningful events is based on the enriching of the data resulting from CEP pre-processing.]
performing the risk assessment operation via a security analytics system based upon the enriched events [Paragraph 0019 teaches an event anomaly analysis and prediction apparatus. The apparatus provides for the extraction of correlations between trace events within a log and the information surrounding the correlations such as probability of occurrence of trace log events, probability of transitions between particular trace log events, execution times of trace log events, and 
Note: The examiner interprets extracting risks and providing context to risks to read on the claimed risk assessment operation, and an event anomaly analysis and prediction apparatus that includes a data anomaly analyzer is interpreted to be the claimed security analytics system. The event anomaly analysis and prediction apparatus that includes a data anomaly analyzer that extracts anomalies and risks and provides context to risk assessments, all based on events, is interpreted to read on the claimed risk assessment operation based upon the enriched events.]

Puri discloses most of the limitations of claim 21 but does not appear to expressly disclose receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device.
Li discloses:
receiving a stream of events via a protected endpoint, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device [Paragraph 0024 teaches an event receiver 108. One or more of the event receiver 108, the stream processors 112, and/or the query server 116 may be located within one or more computing devices within the network, such as one or more servers within the network. Other numbers of agents, structures, and distribution 
Note: The examiner interprets the endpoints that are computing devices with an agent to provide endpoint processes information for security purposes to be the claimed protected endpoint, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device. Agents on computing device endpoints providing the process event information to the event receiver is interpreted to read on the claimed receiving a stream of events via a protected endpoint. Events received by the event received and processed by the stream processor 112 are interpreted to be the claimed stream of events, wherein events includes information on one or more of process properties, such as reasons for process creation/termination (e.g., ;
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of the cited references and modify the invention as taught by Puri by incorporating endpoints on computing devices that include an agent that transmits event information to an event receiver and stream processor, as taught by Li (Paragraphs 0024, 0029, 0031, 0032, 0044, and 0058), because both applications are directed to event processing in technical environments; incorporating endpoints on computing devices that include an agent that transmits event information to an event receiver and stream processor provides desirable comprehensive tracking of the states of processes running on computing devices (see Li Paragraph 0003).

As to claim 22:
Puri discloses:
The method of claim 21, further comprising: storing the enriched events corresponding to each of the plurality of events within a datastore [Paragraph 0024 teaches CEP may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns. Paragraph 0078 teaches when an anomalous event is encountered, the anomalous event may be flagged and stored in the IMDB 254. In response to a determination that there is a pattern match, the event is flagged as an anomalous event and stored in the IMDB 254. Paragraph 0082 teaches the IMDB 254 may be described as a database management system that relies primarily on main memory for data storage.
Note: The examiner interprets the encountered anomalous event to be the claimed enriched event and the streams of event data tracked and processed by the CEP to be the claimed plurality of events. Flagging and storing the anomalous events in the IMDB is interpreted to be the claimed storing the enriched events within a datastore.]

As to claim 23:
Puri discloses:
The method of claim 22, wherein:
the enriching data comprises at least one of validating event data associated with at least some of the plurality of events [Paragraph 0080 teaches tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time. Paragraph 0081 teaches each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it)], 
disclaiming certain event data associated with at least some of the plurality of events [Paragraph 0065 teaches as trace events are tagged and ingested, for example, by CEP, a model representing agent behaviors may be learned in real time. Paragraph 0078 teaches, referring to FIGS. 2A and 2B, with respect to real-time processing of a data stream, a message queue 250 may collect and organize events which are pulled by downstream subscribers, and CEP 252 may be applied to evaluate events based on programmed or dynamic rules/algorithms to identify key information. Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). 
Tagging of events by the CEP, where tagging occurs on data deemed to be anomalous, is interpreted to be the claimed disclaiming certain event data associated with at least some of the plurality of events. The examiner also interprets the data stream of events to be the claimed plurality of events.]; deduplicating at least some of the plurality of events; 
performing an entity resolution operation on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging and associating data with relevant information such as the agent originator to be the claimed performing an entity resolution operation on at least some of the plurality of events, wherein the agent originator is interpreted to be the entity output by the entity resolution (similar to name or domain name resolution in networking).];  
performing an attachment enrichment operation on data associated with at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging to be the claimed attachment enrichment operation, wherein the tags associated with all relevant information are interpreted to be the claimed data associated with at least some of the plurality of events.]; and,  
performing a domain enrichment on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets the agent originator information to be the claimed domain enrichment, wherein tagging and associating is interpreted to be the claimed enrichment process.]

As to claim 24:
Puri discloses:
The method of claim 21, further comprising: labeling at least some of the plurality of events prior to extracting features from the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets the agent originator information to be the claimed labeling at least some of the plurality of events.]

As to claim 25:
Puri discloses:
The method of claim 21, wherein: the extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features [Paragraph 0107 teaches, referring to FIG. 5, with respect to the example of network security events disclosed herein, the apparatus 100 may be applied to three months (e.g., three petabytes) of security data to generate graphs with nodes representing the events, edges connecting events that are related to each other, the size representing the anomalousness (i.e., the very-high-probability anomalous events being displayed on the outer bounds as shown in FIG. 5 at 500, and the very-low-probability anomalous events being displayed towards the middle), and different colors (e.g., red, yellow, orange, etc.) representing the probability of occurrence of the events. Further analysis may be performed by grouping events and providing mechanisms to navigate and visualize them according to their features. The examiner interprets using three months of data, grouping events, and sizing to represent anomalousness to be the claimed transformation operations that generate a smaller set of derived features from certain features, wherein anomalousness is interpreted to be the claimed certain features.]

As to claim 26:
Puri discloses:
The method of claim 21, further comprising: processing a query relating to the plurality of events, the processing the query being performed via a streaming query framework [Paragraph 0056 teaches the LCA framework stack may include a plurality of layers for data collection (i.e., event collection and management), data ingestion (normalization, parsing, and storage), query processing, data filtering, data mining, data analytics, an API wrapper allowing for extensive use and interplay with other tools and visualization applications to complete all necessary analytics, and web services control.
The examiner interprets query processing and data ingestion to be the claimed processing relating to the plurality of events wherein querying and data ingestion as part of the LCA framework stack is interpreted to be the claimed performed via a streaming query framework.]

As to claim 27:
Puri discloses:
A system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor [Paragraph 0118 teaches methods, functions and other processes may be embodied as machine readable instructions stored on a computer readable medium, which may be non-transitory (e.g., the memory 904 of FIG. 9, and the non-transitory computer readable medium 1102 of FIG. 11), such as hardware storage devices (e.g., RAM (random access memory), ROM (read only memory), EPROM (erasable, programmable ROM), EEPROM (electrically erasable, programmable ROM), hard drives, and flash memory). The memory 904 may include a RAM, where the machine readable instructions and data for the processor 902 may reside during runtime.] and configured for: 
receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events [Paragraph 0024 teaches CEP may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns];
enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events [Paragraph 0080 teaches CEP 252 may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time to assess new threats. Paragraph 0081 teaches a map/reduce job may take a relatively long time to execute based on the amount of data, and the complexity of the algorithms in the map/reduce job, in contrast, the CEP 252 operates on one record at a time. Each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it). 
Note: The examiner interprets pre-processing each record or event to enrich data by adding to it or transforming it to be the claimed enriching data associated with each of the plurality of events to provide enriched data, wherein the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events and validating security events is interpreted to be the claimed enriching data associated with each of the plurality of events.]
extracting features from the plurality of events using the enriched data associated with each of the plurality of events [Paragraph 0051 teaches data present in log files may be characterized by log traces containing unique identifiers, timestamps, events, and actions… the incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0097 teaches In addition to mining, analytics may be performed on learned graphs to extract anomalous behaviors.
Note: The examiner interprets the anomalies and risks to be the claimed features extracted from the plurality of events using the enriched data associated with each of the plurality of events. Timestamps used in the analysis to extract anomalies and risks are interpreted to be the claimed enriched data used in extracting features from the plurality of events. The examiner also interprets the incoming data, i.e., data present in log files containing events, to be the claimed plurality of events.]; 
generating enriched events corresponding to each of the plurality of events based upon enriched data associated with each of the plurality of events and the features extracted from the plurality of events [Paragraph 0046 teaches an anomaly visualizer 124 may generate various types of visualizations 126 to facilitate an identification of anomalies in the data 118. Paragraph 0080 teaches the CEP 252 may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time to assess new threats. The CEP 252 may combine data from multiple sources to infer events or patterns that suggest more complicated circumstances. The CEP 252 may identify meaningful events (such as opportunities or threats). Paragraph 0081 teaches a map/reduce job may take a relatively long time to execute based on the amount of data, and the complexity of the algorithms in the map/reduce job, in contrast, the CEP 252 operates on one record at a time. Each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it).
Note: The examiner interprets the streams of event data tracked and processed by the CEP to be the claimed plurality of events, the identified patterns to be the claimed extracted features, and the meaningful events (such as opportunities or threats) to be the claimed generated enriched events. Although not explicitly stated, the examiner interprets the enriched data resulting from CEP pre-processing to be the claimed enriched data associated with each of the plurality of events, wherein the pre-processing is interpreted to occur prior to the identification of meaningful events; therefore the identification of meaningful events is based on the enriched data resulting from CEP pre-processing.]
performing the risk assessment operation via a security analytics system based upon the enriched events [Paragraph 0019 teaches an event anomaly analysis and prediction apparatus. The apparatus provides for the extraction of correlations between trace events within a log and the information surrounding the correlations such as probability of occurrence of trace log events, probability of transitions between particular trace log events, execution times of trace log events, and anomalous occurrences of trace log events. Paragraph 0051 teaches incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0096 teaches categorizations may be fed into a real-time CEP engine to generate rules to grade new events for a given time of a day to aid analysts and help provide context to risk assessments. 
Note: The examiner interprets extracting risks and providing context to risk assessments to read on the claimed risk assessment operation, and the event anomaly analysis and prediction apparatus that includes the data anomaly analyzer to be the claimed security analytics system. The event anomaly analysis and prediction apparatus, including the data anomaly analyzer that extracts anomalies and risks and provides context to risk assessments, all based on events, is interpreted to read on the claimed risk assessment operation based upon the enriched events.]

Puri discloses most of the limitations of claim 27 but does not appear to expressly disclose receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device.
Li discloses:
receiving a stream of events via a protected endpoint, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device [Paragraph 0024 teaches an event receiver 108. One or more of the event receiver 108, the stream processors 112, and/or the query server 116 may be located within one or more computing devices within the network, such as one or more servers within the network. Other numbers of agents, structures, and distribution of components of the environment 100 within one or more computing devices are contemplated. Paragraph 0029 teaches investigation into a given process running on a computing device (e.g., for security, antivirus analysis, intrusion detection, device monitoring purposes) may require knowledge about which process(es) directly/indirectly created the given process, when the given process was created, what tasks the given process performed, and/or what process(es) the given process created. Paragraph 0031 teaches the process event information may include metadata relating to processes. For example, for a given process, the process event information may include information on one or more of process properties, such as reasons for process creation/termination (e.g., user/system request to create a process, user log-off). Paragraph 0032 teaches the agents 102, 104, 106 may provide the process event information and/or other information to the event receiver 108. Paragraph 0044 teaches the event receiver 108 may store the process event information within the queue 110. In some embodiments, the queue 110 may include an online server. In some embodiments, the queue 110 may include one or more distributed buffer storage. The queue 110 may utilize one or more stream processing platforms for handling real-time data feeds, such as Apache Kafka and/or other platforms. 
Paragraph 0058 teaches a computer system that includes one or more hardware processors.
Note: The examiner interprets the endpoints that are computing devices with an agent providing endpoint process information for security purposes to be the claimed protected endpoint, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device. Agents on computing device endpoints providing the process event information to the event receiver are interpreted to read on the claimed receiving a stream of events via a protected endpoint. Events received by the event receiver and processed by the stream processor 112 are interpreted to be the claimed stream of events, wherein events including information on one or more process properties, such as reasons for process creation/termination (e.g., user/system request to create a process, user log-off), are interpreted to read on the claimed stream of events corresponding to user actions.];
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of the cited references and modify the invention as taught by Puri by incorporating endpoints on computing devices that include an agent that transmits event information to an event receiver and stream processor, as taught by Li (Paragraphs 0024, 0029, 0031, 0032, 0044, and 0058), because both applications are directed to event processing in technical environments; incorporating endpoints on computing devices that include an agent that transmits event information to an event receiver and stream processor provides desirable comprehensive tracking of the states of processes running on computing devices (see Li Paragraph 0003).
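The pipeline mapped above for claims 21 and 27 (a stream of process events from an endpoint agent, enrichment, feature extraction, generation of enriched events, and a risk assessment over them) and the enrichment operations recited in claim 23 (validating, disclaiming, deduplicating, entity resolution, and domain enrichment), illustrated as a small Python example. This block is added here for illustration only; it is not code from the present application, from Puri, or from Li. The event schema, the agent records, the identity alias table, the domain allow-list, the process name sets, and the risk weights are all constructed for the example and are not taken from any of the references.

```python
"""Toy endpoint-event enrichment and risk-scoring pipeline (added example).
Every record, table and weight below is constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed process-creation events as a hypothetical endpoint agent might
# report them.  Record 2 is a redelivered duplicate of record 1; record 4 is
# malformed (no timestamp) and should be disclaimed by validation.
RAW_EVENTS = [
    {"host": "ws-017", "user": "CORP\\jdoe", "ts": "2024-05-02T02:14:09Z",
     "parent": "outlook.exe", "process": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA", "url": "https://files.example.net/inv.zip"},
    {"host": "ws-017", "user": "CORP\\jdoe", "ts": "2024-05-02T02:14:09Z",
     "parent": "outlook.exe", "process": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA", "url": "https://files.example.net/inv.zip"},
    {"host": "ws-017", "user": "jdoe@corp.example", "ts": "2024-05-02T09:30:00Z",
     "parent": "explorer.exe", "process": "winword.exe",
     "cmdline": "winword.exe report.docx", "url": "https://intranet.corp.example/r"},
    {"host": "ws-018", "user": "CORP\\asmith", "parent": "explorer.exe",
     "process": "chrome.exe", "cmdline": "chrome.exe"},
]

# Constructed entity-resolution table: each alias maps to one canonical identity.
IDENTITY_ALIASES = {"CORP\\jdoe": "jdoe", "jdoe@corp.example": "jdoe",
                    "CORP\\asmith": "asmith"}
TRUSTED_DOMAINS = {"corp.example"}                       # constructed allow-list
OFFICE_SUITE = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def validate(ev):
    """Validation: require a parsable UTC timestamp; return it or None."""
    try:
        return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return None


def fingerprint(ev):
    """Deduplication key: SHA-256 over the canonical JSON form of the raw record."""
    return hashlib.sha256(json.dumps(ev, sort_keys=True).encode()).hexdigest()


def registrable_domain(url):
    """Domain enrichment: last two host labels (a stand-in for a public-suffix lookup)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def extract_features(ev, ts):
    """Feature extraction over the enriched record: a small set of derived booleans."""
    return {
        "off_hours": ts.hour < 7 or ts.hour >= 19,
        "office_spawns_script": ev["parent"] in OFFICE_SUITE and ev["process"] in SCRIPT_HOSTS,
        "encoded_cmdline": "-enc" in ev["cmdline"].lower(),
        "untrusted_domain": ev["domain"] is not None and not ev["domain_trusted"],
    }


def enrich_events(raw):
    """Validate, deduplicate, resolve the actor identity, enrich the domain,
    and attach extracted features; returns the list of enriched events."""
    seen, out = set(), []
    for ev in raw:
        ts = validate(ev)
        if ts is None:            # disclaim malformed records
            continue
        key = fingerprint(ev)
        if key in seen:           # drop redelivered duplicates
            continue
        seen.add(key)
        enriched = dict(ev)
        enriched["event_id"] = key[:16]
        enriched["identity"] = IDENTITY_ALIASES.get(ev["user"], ev["user"])
        enriched["domain"] = registrable_domain(ev["url"]) if ev.get("url") else None
        enriched["domain_trusted"] = enriched["domain"] in TRUSTED_DOMAINS
        enriched["features"] = extract_features(enriched, ts)
        out.append(enriched)
    return out


def risk_score(ev):
    """Risk assessment: weighted count of the features that fired (weights illustrative)."""
    weights = {"off_hours": 1, "office_spawns_script": 4, "encoded_cmdline": 3, "untrusted_domain": 2}
    return sum(weights[name] for name, hit in ev["features"].items() if hit)


def assess(raw):
    """Full pipeline: (canonical identity, risk score) for each surviving event."""
    return [(e["identity"], risk_score(e)) for e in enrich_events(raw)]


if __name__ == "__main__":
    for identity, score in assess(RAW_EVENTS):
        print(identity, score)
```

Run on the constructed records, the pipeline keeps two of the four events (the duplicate and the malformed record are dropped), resolves both survivors to the same identity, and scores the off-hours Outlook-to-PowerShell event with an encoded command line and an untrusted download domain far above the routine Word launch.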

As to claim 28:
Puri discloses:
The system of claim 27, wherein the instructions are further configured for: storing the enriched events corresponding to each of the plurality of events within a datastore [Paragraph 0024 teaches CEP may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns. Paragraph 0078 teaches when an anomalous event is encountered, the anomalous event may be flagged and stored in the IMDB 254. In response to a determination that there is a pattern match, the event is flagged as an anomalous event and stored in the IMDB 254. Paragraph 0082 teaches the IMDB 254 may be described as a database management system that relies primarily on main memory for data storage.
Note: The examiner interprets the encountered anomalous event to be the claimed enriched event and the streams of event data tracked and processed by the CEP to be the claimed plurality of events. Flagging and storing the anomalous events in the IMDB is interpreted to be the claimed storing the enriched events within a datastore.]

As to claim 29:
Puri discloses:
The system of claim 28, wherein: 
the enriching data comprises at least one of validating event data associated with at least some of the plurality of events [Paragraph 0080 teaches tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time. Paragraph 0081 teaches each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it)], 
disclaiming certain event data associated with at least some of the plurality of events [Paragraph 0065 teaches as trace events are tagged and ingested, for example, by CEP, a model representing agent behaviors may be learned in real time. Paragraph 0078 teaches, referring to FIGS. 2A and 2B, with respect to real-time processing of a data stream, a message queue 250 may collect and organize events which are pulled by downstream subscribers, and CEP 252 may be applied to evaluate events based on programmed or dynamic rules/algorithms to identify key information. Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). 
Tagging of events by the CEP, where tagging occurs on data deemed to be anomalous, is interpreted to be the claimed disclaiming certain event data associated with at least some of the plurality of events. The examiner also interprets the data stream of events to be the claimed plurality of events.]; deduplicating at least some of the plurality of events; 
performing an entity resolution operation on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging and associating data with relevant information such as the agent originator to be the claimed performing an entity resolution operation on at least some of the plurality of events, wherein the agent originator is interpreted to be the entity output by the entity resolution (similar to name or domain name resolution in networking).];  
performing an attachment enrichment operation on data associated with at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging to be the claimed attachment enrichment operation, wherein the tags associated with all relevant information are interpreted to be the claimed data associated with at least some of the plurality of events.]; and,  
performing a domain enrichment on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets the agent originator information to be the claimed domain enrichment, wherein tagging and associating is interpreted to be the claimed enrichment process.]

As to claim 30:
Puri discloses:
The system of claim 27, wherein the instructions are further configured for: labeling at least some of the plurality of events prior to extracting features from the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed labeling at least some of the plurality of events.]

As to claim 31:
Puri discloses:
The system of claim 27, wherein: the extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features [Paragraph 0107 teaches, referring to FIG. 5, with respect to the example of network security events disclosed herein, the apparatus 100 may be applied to three months (e.g., three petabytes) of security data to generate graphs with nodes representing the events, edges connecting events that are related to each other, the size representing the anomalousness (i.e., the very-high-probability anomalous events being displayed on the outer bounds as shown in FIG. 5 at 500, and the very-low-probability anomalous events being displayed towards the middle), and different colors (e.g., red, yellow, orange, etc.) representing the probability of occurrence of the events. Further analysis may be performed by grouping events and providing mechanisms to navigate and visualize them according to their features. The examiner interprets using three months of data, grouping events, and sizing to represent anomalousness to be the claimed transformation operations that generate a smaller set of derived features from certain features, wherein anomalousness is interpreted to be the claimed certain features.]

As to claim 32:
Puri discloses:
The system of claim 27, wherein: processing a query relating to the plurality of events, the processing the query being performed via a streaming query framework [Paragraph 0056 teaches the LCA framework stack may include a plurality of layers for data collection (i.e., event collection and management), data ingestion (normalization, parsing, and storage), query processing, data filtering, data mining, data analytics, an API wrapper allowing for extensive use and interplay with other tools and visualization applications to complete all necessary analytics, and web services control.
The examiner interprets query processing and data ingestion to be the claimed processing relating to the plurality of events wherein querying and data ingestion as part of the LCA framework stack is interpreted to be the claimed performed via a streaming query framework.]

As to claim 33:
Puri discloses:
A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions [Paragraph 0118 teaches methods, functions and other processes may be embodied as machine readable instructions stored on a computer readable medium, which may be non-transitory (e.g., the memory 904 of FIG. 9, and the non-transitory computer readable medium 1102 of FIG. 11), such as hardware storage devices (e.g., RAM (random access memory), ROM (read only memory), EPROM (erasable, programmable ROM), EEPROM (electrically erasable, programmable ROM), hard drives, and flash memory). The memory 904 may include a RAM, where the machine readable instructions and data for the processor 902 may reside during runtime.] configured for: 
receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events [Paragraph 0024 teaches CEP may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns];
enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events [Paragraph 0080 teaches CEP 252 may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time to assess new threats. Paragraph 0081 teaches a map/reduce job may take a relatively long time to execute based on the amount of data, and the complexity of the algorithms in the map/reduce job, in contrast, the CEP 252 operates on one record at a time. Each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it). 
Note: The examiner interprets pre-processing each record or event to enrich data by adding to it or transforming it to be the claimed enriching data associated with each of the plurality of events to provide enriched data, wherein the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events and validating security events is interpreted to be the claimed enriching data associated with each of the plurality of events.]
extracting features from the plurality of events using the enriched data associated with each of the plurality of events [Paragraph 0051 teaches data present in log files may be characterized by log traces containing unique identifiers, timestamps, events, and actions… the incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0097 teaches in addition to mining, analytics may be performed on learned graphs to extract anomalous behaviors.
Note: The examiner interprets the anomalies and risks to be the claimed features extracted from the plurality of events using the enriched data associated with each of the plurality of events. Timestamps used in the analysis to extract anomalies and risks are interpreted to be the claimed enriched data used in extracting features from the plurality of events. The examiner also interprets the incoming data, i.e., data present in log files containing events, to be the claimed plurality of events.]; 
generating enriched events corresponding to each of the plurality of events based upon enriched data associated with each of the plurality of events and the features extracted from the plurality of events [Paragraph 0046 teaches an anomaly visualizer 124 may generate various types of visualizations 126 to facilitate an identification of anomalies in the data 118. Paragraph 0080 teaches the CEP 252 may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time to assess new threats. The CEP 252 may combine data from multiple sources to infer events or patterns that suggest more complicated circumstances. The CEP 252 may identify meaningful events (such as opportunities or threats). Paragraph 0081 teaches a map/reduce job may take a relatively long time to execute based on the amount of data, and the complexity of the algorithms in the map/reduce job, in contrast, the CEP 252 operates on one record at a time. Each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it).
Note: The examiner interprets the streams of event data tracked and processed by the CEP to be the claimed plurality of events, the identified patterns to be the claimed extracted features, and the meaningful events (such as opportunities or threats) to be the claimed generated enriched events. Although not explicitly stated, the examiner interprets the enriched data resulting from CEP pre-processing to be the claimed enriched data associated with each of the plurality of events, wherein the pre-processing is interpreted to occur prior to the identification of meaningful events; therefore the identification of meaningful events is based on the enriched data resulting from CEP pre-processing.]
performing the risk assessment operation via a security analytics system based upon the enriched events [Paragraph 0019 teaches an event anomaly analysis and prediction apparatus. The apparatus provides for the extraction of correlations between trace events within a log and the information surrounding the correlations such as probability of occurrence of trace log events, probability of transitions between particular trace log events, execution times of trace log events, and anomalous occurrences of trace log events. Paragraph 0051 teaches incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0096 teaches categorizations may be fed into a real-time CEP engine to generate rules to grade new events for a given time of a day to aid analysts and help provide context to risk assessments. 
Note: The examiner interprets extracting risks and providing context to risk assessments to read on the claimed risk assessment operation, and the event anomaly analysis and prediction apparatus that includes the data anomaly analyzer to be the claimed security analytics system. The event anomaly analysis and prediction apparatus, including the data anomaly analyzer that extracts anomalies and risks and provides context to risk assessments, all based on events, is interpreted to read on the claimed risk assessment operation based upon the enriched events.]

Puri discloses most of the limitations of claim 33 but does not appear to expressly disclose receiving a stream of events via a protected endpoint, the stream of events comprising a plurality of events, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device.
Li discloses:
receiving a stream of events via a protected endpoint, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device [Paragraph 0024 teaches an event receiver 108. One or more of the event receiver 108, the stream processors 112, and/or the query server 116 may be located within one or more computing devices within the network, such as one or more servers within the network. Other numbers of agents, structures, and distribution of components of the environment 100 within one or more computing devices are contemplated. Paragraph 0029 teaches investigation into a given process running on a computing device (e.g., for security, antivirus analysis, intrusion detection, device monitoring purposes) may require knowledge about which process(es) directly/indirectly created the given process, when the given process was created, what tasks the given process performed, and/or what process(es) the given process created. Paragraph 0031 teaches the process event information may include metadata relating to processes. For example, for a given process, the process event information may include information on one or more of process properties, such as reasons for process creation/termination (e.g., user/system request to create a process, user log-off). Paragraph 0032 teaches the agents 102, 104, 106 may provide the process event information and/or other information to the event receiver 108. Paragraph 0044 teaches the event receiver 108 may store the process event information within the queue 110. In some embodiments, the queue 110 may include an online server. In some embodiments, the queue 110 may include one or more distributed buffer storage. The queue 110 may utilize one or more stream 
Note: The examiner interprets the endpoints that are computing devices with an agent to provide endpoint processes information for security purposes to be the claimed protected endpoint, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device. Agents on computing device endpoints providing the process event information to the event receiver is interpreted to read on the claimed receiving a stream of events via a protected endpoint. Events received by the event received and processed by the stream processor 112 are interpreted to be the claimed stream of events, wherein events includes information on one or more of process properties, such as reasons for process creation/termination (e.g., user/system request to create a process, user log-off) is interpreted to read on the claimed stream of events corresponding to user actions.];
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, by incorporating endpoints on computing devices that include an agent that transmits event information to an event receiver and stream processor, as taught by Li (Paragraphs 0024, 0029, 0031, 0032, 0044, and 0058), because both applications are directed to event processing in technical environments; incorporating endpoints on computing devices that include an agent that transmits event information to an event receiver and stream processor provides desirable comprehensive tracking of the states of processes running on computing devices (see Li Paragraph 0003).

As to claim 34:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are further configured for: storing the enriched events corresponding to each of the plurality of events within a datastore [Paragraph 0024 teaches CEP may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns. Paragraph 0078 teaches when an anomalous event is encountered, the anomalous event may be flagged and stored in the IMDB 254. In response to a determination that there is a pattern match, the event is flagged as an anomalous event and stored in the IMDB 254. Paragraph 0082 teaches the IMDB 254 may be described as a database management system that relies primarily on main memory for data storage.
Note: The examiner interprets the encountered anomalous event to be the claimed enriched event and the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events. Flagging and storing the anomalous events in the IMDB is interpreted to be the claimed storing the enriched events within a datastore.]

As to claim 35:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 34, wherein:
the enriching data comprises at least one of validating event data associated with at least some of the plurality of events [Paragraph 0080 teaches tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time. Paragraph 0081 teaches each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it)],
disclaiming certain event data associated with at least some of the plurality of events [Paragraph 0065 teaches as trace events are tagged and ingested, for example, by CEP, a model representing agent behaviors may be learned in real-time. Paragraph 0078 teaches, referring to FIGS. 2A and 2B, with respect to real-time processing of a data stream, a message queue 250 may collect and organize events which are pulled by downstream subscribers, and CEP 252 may be applied to evaluate events based on programmed or dynamic rules/algorithms to identify key information. Paragraph 0104 teaches incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.).
Tagging of events by the CEP, where tagging occurs on data deemed to be anomalous, is interpreted to be the claimed disclaiming certain event data. The examiner also interprets the data stream of events to be the claimed plurality of events.];
deduplicating at least some of the plurality of events;
performing an entity resolution operation on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging and associating data with relevant information such as the agent originator to be the claimed performing an entity resolution operation on at least some of the plurality of events, wherein the agent originator is interpreted to be the entity output from the entity resolution (similar to name or domain name resolution in networking).];
performing an attachment enrichment operation on data associated with at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging to be the claimed attachment enrichment operation.]; and,
performing a domain enrichment on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed domain enrichment, wherein tagging and associating is interpreted to be the claimed enrichment process.]
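The limitations of claim 35 describe an enrichment pipeline (validation, disclaiming, deduplication, entity resolution, attachment and domain enrichment). The following Python example is an added illustration of such a pipeline and is not part of this Office Action, of Puri, or of the application under examination; it also carries the enriched record through to a small set of derived features and a risk score, which goes beyond claim 35 itself. The event records, alias table, domain table, and risky-extension list are all constructed for the example and are assumptions, not data from any cited reference.

```python
"""Illustrative endpoint-event enrichment pipeline (added example; constructed data)."""
import hashlib
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample events, in an assumed endpoint-agent format.
RAW_EVENTS = [
    {"ts": "2021-01-04T03:12:00Z", "user": "CORP\\jdoe", "host": "wks-17",
     "action": "process_start", "url": "https://files.example.net/a/b"},
    {"ts": "2021-01-04T03:12:00Z", "user": "CORP\\jdoe", "host": "wks-17",
     "action": "process_start", "url": "https://files.example.net/a/b"},  # exact duplicate
    {"ts": "2021-01-04T14:05:00Z", "user": "jdoe@corp.example", "host": "wks-17",
     "action": "email_send", "attachment": "q4-forecast.xlsm"},
    {"ts": "not-a-timestamp", "user": "jdoe", "host": "wks-17", "action": "logon"},  # invalid
]

# Assumed identity table: lower-cased aliases -> canonical entity id (entity resolution).
ALIASES = {"corp\\jdoe": "u-1001", "jdoe@corp.example": "u-1001", "jdoe": "u-1001"}
# Assumed domain reputation table (domain enrichment).
DOMAIN_INFO = {"example.net": {"category": "file-sharing", "first_seen_days": 3}}
# Assumed list of attachment extensions treated as risky (attachment enrichment).
RISKY_EXTENSIONS = {"xlsm", "exe", "js", "hta"}


def validate(ev):
    """Validation: required fields present and timestamp parseable; None otherwise."""
    if not all(k in ev for k in ("ts", "user", "host", "action")):
        return None
    try:
        return dict(ev, ts=datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return None


def dedupe(events):
    """Deduplication: drop events whose full content hashes identically."""
    seen, out = set(), []
    for ev in events:
        key = hashlib.sha256(repr(sorted(ev.items())).encode()).hexdigest()
        if key not in seen:
            seen.add(key)
            out.append(ev)
    return out


def resolve_entity(ev):
    """Entity resolution: map the raw user string onto a canonical entity id."""
    ev["entity_id"] = ALIASES.get(ev["user"].lower(), "unknown")
    return ev


def enrich_domain(ev):
    """Domain enrichment: registered domain of any URL plus reputation data."""
    if "url" in ev:
        host = urlparse(ev["url"]).hostname or ""
        registered = ".".join(host.split(".")[-2:])  # naive two-label cut (assumption)
        ev["domain"] = registered
        ev.update(DOMAIN_INFO.get(registered, {"category": "unknown", "first_seen_days": None}))
    return ev


def enrich_attachment(ev):
    """Attachment enrichment: extension and a risky-type flag."""
    if "attachment" in ev:
        ext = ev["attachment"].rsplit(".", 1)[-1].lower()
        ev["attachment_ext"] = ext
        ev["attachment_risky"] = ext in RISKY_EXTENSIONS
    return ev


def extract_features(ev):
    """Feature extraction: reduce the enriched record to a few derived features."""
    return {
        "off_hours": ev["ts"].hour < 6 or ev["ts"].hour >= 20,
        "new_domain": (ev.get("first_seen_days") or 999) < 7,
        "risky_attachment": ev.get("attachment_risky", False),
    }


def risk_score(features):
    """Risk assessment: weighted sum over the derived features (weights are assumed)."""
    weights = {"off_hours": 1, "new_domain": 2, "risky_attachment": 3}
    return sum(w for name, w in weights.items() if features[name])


def run_pipeline(raw_events):
    """Validate, deduplicate, enrich, derive features and score each event."""
    valid = [v for v in (validate(e) for e in raw_events) if v is not None]
    enriched = []
    for ev in dedupe(valid):
        ev = enrich_attachment(enrich_domain(resolve_entity(ev)))
        ev["features"] = extract_features(ev)
        ev["risk"] = risk_score(ev["features"])
        enriched.append(ev)
    return enriched


if __name__ == "__main__":
    for record in run_pipeline(RAW_EVENTS):
        print(record["entity_id"], record["action"], record["features"], record["risk"])
```

Of the four constructed events, the malformed one is rejected by validation and the duplicate is removed by deduplication, so two enriched records come out, both resolved to the same entity id despite three different spellings of the user name.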

As to claim 36:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are further configured for: labeling at least some of the plurality of events prior to extracting features from the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed labeling at least some of the plurality of events.]

As to claim 37:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein: the extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features [Paragraph 0107 teaches referring to FIG. 5, with respect to the example of network security events disclosed herein, the apparatus 100 may be applied to three months (e.g., three petabyte) of security data to generate graphs with nodes representing the 

As to claim 38:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are further configured for: processing a query relating to the plurality of events, the processing the query being performed via a streaming query framework [Paragraph 0056 teaches the LCA framework stack may include a plurality of layers for data collection (i.e., event collection and management), data ingestion (normalization, parsing, and storage), query processing, data filtering, data mining, data analytics, an API wrapper allowing for extensive use and interplay with other tools and visualization applications to complete all necessary analytics, and web services control.
The examiner interprets query processing and data ingestion to be the claimed processing a query relating to the plurality of events, wherein query processing and data ingestion as part of the LCA framework stack are interpreted to be the claimed processing performed via a streaming query framework.]

Claims 39 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Puri et al. (US 20160371489 A1) hereinafter Puri, in view of Li et al. (U.S. Publication No.: US 20190294482 A1) hereinafter Li, and further in view of Cherubini et al. (U.S. Patent No.: US 10579281 B2) hereinafter Cherubini.
As to claim 39:
Puri and Li disclose all of the limitations of claim 33 but do not appear to expressly disclose the non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are deployable to a client system from a server system at a remote location.
Cherubini discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are deployable to a client system from a server system at a remote location [Column 27 Lines 33-37 teach the computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server.
The examiner interprets computer readable program instructions to be the claimed computer executable instructions. Instructions executed on entirely or partially on the remote computer or server is interpreted to be the claimed deployable to a client system from a server system at remote location.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri and Li, by incorporating computer readable program instructions that execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server, as taught by Cherubini (Column 27 Lines 33-37), because all three applications are directed to event processing in technical environments; configuring the event detector to use computer readable program 

As to claim 40:
Puri and Li disclose all of the limitations of claim 33 but do not appear to expressly disclose the non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis.
Cherubini discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis [Column 27 Lines 33-43 teach the computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. The remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
The examiner interprets the Internet Service Provider that provides the Internet connection over which the computer readable program instructions are delivered to be the claimed service provider providing the computer executable instructions. The user's computer receiving the computer readable program instructions via the Internet Service Provider is interpreted to be the claimed provided to a user on an on-demand basis.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as .

Response to Arguments
The following is in response to Applicant’s arguments filed on November 19, 2020:
“It is respectfully submitted that nowhere within Puri, taken alone or in combination is there any disclosure or suggestion of receiving a stream of events from a protected endpoint, much less at least some of the stream of events corresponding to user actions, much less the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, all as required by claims 1, 7 and 13.”

Examiner respectfully presents the following response to Applicant’s amendments and remarks:
Applicant’s arguments have been fully and respectfully considered, but are moot in view of new grounds of rejections as necessitated by the amendments. Claims 1, 7, and 13 are not pending in this application.

Additionally, in response to Applicant’s arguments filed on November 19, 2020, regarding the following:
“Additionally, nowhere within Puri is there any disclosure or suggestion of performing a risk assessment operation via a security analytics system based upon the enriched events, as required by claims 21, 27 and 33.”

Examiner respectfully presents the following response to Applicant’s amendments and remarks:
Applicant’s arguments have been fully considered but they are not persuasive. The examiner respectfully disagrees with the applicant’s arguments regarding the newly amended recitation in claims 21, 27, and 33 of "performing a risk assessment operation via a security analytics system based upon the enriched events". Puri’s disclosure of an event anomaly analysis and prediction apparatus, and of methods for event anomaly analysis and prediction, sufficiently discloses the current claim language (see Puri Paragraphs 0019, 0051, and 0096). The event anomaly analysis and prediction apparatus provides for the extraction of correlations between trace events within a log and the information surrounding the correlations, such as probability of occurrence of trace log events, probability of transitions between particular trace log events, execution times of trace log events, and anomalous occurrences of trace log events (see Paragraph 0019). Incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks (see Paragraph 0051). Categorizations may be fed into a real-time CEP engine to generate rules to grade new events for a given time of day to aid analysts and help provide context to risk assessments (see Paragraph 0096). Extracting risks and providing context to risks reads on the claimed risk assessment operation, and the event anomaly analysis and prediction apparatus that includes the data anomaly analyzer is interpreted to be the claimed security analytics system. The event anomaly analysis and prediction apparatus that includes the data anomaly analyzer, which extracts anomalies and risks and provides context to risk assessments, all based on events, is interpreted to read on the claimed risk assessment operation based upon the enriched 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EARL ELIAS whose telephone number is (571)272-9762.  The examiner can normally be reached on Monday - Friday (IFP).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Usmaan Saeed can be reached on 571-272-4046.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/E.E./Examiner, Art Unit 2169
/USMAAN SAEED/Supervisory Patent Examiner, Art Unit 2169