DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending.
The objection to claims 1, 9, 13, and 18-19 has been withdrawn in view of the claim amendment.
The rejection of claims 1-12 under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, has been withdrawn in view of the claim amendment.

Response to Arguments
Applicant's arguments filed on 12/03/20 have been fully considered. 
In response to Applicant’s argument that a person of ordinary skill in the art would recognize the invention as an improvement in the computer environments by reducing the amount of benign information being processed which results in an improved detection and correction system for computer environments (page 9 of Remarks), Examiner acknowledged Applicant’s perspective but upon further consideration of the claims, it was determined that this improvement is not clearly reflected in the claims.  Other than the collecting steps, the other steps recited in the claims, under their broadest reasonable interpretation, fall within the “Mental Processes” grouping of abstract ideas as explained in more detail below.  With respect to the collecting step, upon further consideration of its claim language, the collecting step is recited at a high level of generality (i.e. as a general means of collecting event data for use in the constructing step), and amounts to mere data gathering, which is a form of insignificant extra-solution activity.  Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose
Applicant could consider reciting “electronically performing a countermeasure to resolve the issue in the computing environment” to integrate the abstract idea into a practical application and thus amount to significantly more than the judicial exception.
In response to Applicant’s arguments regarding the 102 and 103 rejection (pages 9-12 of Remarks), Examiner acknowledged Applicant’s perspective but these arguments are moot in view of the new grounds of rejection presented below in view of newly found prior art Sharifi.

Claim Objections
Claim 1 is objected to because of the following informalities:  
“the system” in line 11 of claim 1 should read “the computing environment”.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  
Claim 1 recites construct, based on the event data representing a plurality of events in the computing environment, a representation of the plurality of events, the representation including links relating the plurality of events; wherein the representation includes a graphical representation of the plurality of events and the links include temporal links relating the plurality of events; compute issue indications corresponding to potential issues in the system; add information based 
The limitation of construct, based on the event data representing a plurality of events in the computing environment, a representation of the plurality of events, the representation including links relating the plurality of events; wherein the representation includes a graphical representation of the plurality of events and the links include temporal links relating the plurality of events, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “constructing” in the context of this claim encompasses the user manually creating a graph of the events.  Moreover, the limitation of compute issue indications corresponding to potential issues in the system, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “compute” in the context of this claim encompasses the user manually calculating issue indications corresponding to potential issues in the system.  The limitation of add information based on the issue indications to the representation to form an enriched representation, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “add” in the context of this claim encompasses the user manually adding information to the graph of the events.  Lastly, the limitation of search the enriched representation to find a chain of events representing an issue in the computing environment, wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “search” in the context of this claim encompasses the user manually looking at the graph to find a chain of events representing an issue in the computing environment.
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
The claim does not recite additional elements that integrate the judicial exception into a practical application. 
Claim 1 recites the additional limitation of “a non-transitory machine-readable medium storing instructions” and “a system” to perform the steps.  The medium and the system are recited at a high-level of generality and are generic computer components such that they amount to no more than mere instructions to apply the exception using generic computers or computer components. Mere instructions to apply an exception using generic computers or computer components cannot provide an inventive concept.  Moreover, claim 1 recites the additional limitation of “electronically collect event data, wherein the event data is in a form of a least one of electronic network event data, electronic host event data and electronic application event data from at least one of a plurality of entities in a computing environment”.  However, the collecting step is recited at a high level of generality (i.e. as a general means of collecting event data for use in the constructing step), and amounts to mere data gathering, which is a form of insignificant extra-solution activity.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.  The claim is directed to an abstract idea.
Considering the claim as a whole, looking at the elements individually and in an ordered combination, does not integrate the abstract idea into a practical application using the considerations set forth above.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.  As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of “a non-transitory machine-readable medium storing instructions” and “a system” amount to no more than mere instructions to apply the exception using generic computer components.  Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.  The collecting step is recited at a high level of generality (i.e. as a general means of collecting event data for use in the constructing step), and amounts to mere data gathering, which is a form of insignificant extra-solution activity.  The claim is not patent eligible.  There are no well-understood, routine, and conventional additional elements recited in the claim.
Thus, the claimed elements, either individually, or in the ordered combination do not add significantly more to the abstract idea.
Dependent claims 2-12 further clarify the concept recited in claim 1; however, this clarification still falls under the concept recited in claim 1 and does not amount to significantly more than the judicial exception.
Claim 13, although not using the exact claim language, contains similar elements as recited in claim 1 and is also rejected for similar reasons. Claim 13 additionally recites “a processor” to perform the steps.  This additional element is recited at a high-level of generality and is a generic computer or computer component such that it amounts to no more than mere instructions to apply the exception using a generic computer or computer component. Mere instructions to apply an exception using generic computers or computer components cannot provide an inventive concept.  Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.  Moreover, the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.
Dependent claims 13-18 further clarify the concept recited in claim 13; however, this clarification still falls under the concept recited in claim 13 and does not amount to significantly more than the judicial exception.
Claim 19, although not using the exact claim language, contains similar elements as recited in claim 1 and is also rejected for similar reasons. Moreover, the limitation of performing a countermeasure to resolve the issue, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “performing” in the context of this claim encompasses the user manually figuring out an action to counteract the issue or the user alerting appropriate personnel about the issue.  If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
The claim does not recite additional elements that integrate the judicial exception into a practical application. 
Claim 19 additionally recites “a system comprising a hardware processor” to perform the steps.  This additional element is recited at a high-level of generality and is a generic computer or computer component such that it amounts to no more than mere instructions to apply the exception using a generic computer or computer component. Mere instructions to apply an exception using generic computers or computer components cannot provide an inventive concept.  Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.  Moreover, the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.
Dependent claim 20 further clarifies the concept recited in claim 19; however, this clarification still falls under the concept recited in claim 19 and does not amount to significantly more than the judicial exception.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4, 6-9, 13-16, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi (US 10521584) in view of Marquardt (US 20180034840).

Claim 1, Sharifi discloses A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to: 
electronically collect event data, wherein the event data is in a form of a least one of electronic network event data, electronic host event data and electronic application event data from at least one of a plurality of entities in a computing environment; (e.g. figs. 1, 3, col. 2, ll. 8-12, col. 8, ll. 38-col. 9, ll. 9: acquiring event logs, trace logs, diagnostic logs or information, operational logs, operational history)
construct, based on the event data representing a plurality of events in the computing environment, a representation of the plurality of events, the representation including links relating the plurality of events, wherein the representation includes a graphical representation of the plurality of events and the links include temporal links relating the plurality of events; (e.g. figs. 7, 9, col. 2, ll. 21-31, col. 9, ll. 37-59, col. 12, ll. 21-22, col. 15, ll. 15-17: based on the acquired data, generating a graph of event records where individual event records are represented by individual nodes of the graph and each edge of the graph links a pair of event records by a matching attribute)
compute issue indications corresponding to potential issues in the system; (e.g. fig. 10, col. 16, ll. 38-48: computing threat scores for the event records) and 
search the representation to find a chain of events representing an issue in the computing environment, (e.g. fig. 10, col. 3, ll. 4-21, col. 13, ll. 19-39, col. 16, ll. 11-22: using the graph to determine various connections between events to detect potential system compromises that are comprised of events originating from different streams of diagnostic information)
wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities. (e.g. figs. 7, 9, col. 2, ll. 21-31, col. 9, ll. 37-59, col. 12, ll. 21-22, col. 15, ll. 15-25: generating a graph of event records)
Although Sharifi discloses searching the representation to find a chain of events representing an issue in the computing environment (see above), Sharifi does not appear to explicitly disclose but Marquardt discloses:
add information based on the issue indications to the representation to form an enriched representation; and (e.g. fig. 9, ¶54-55: As shown in FIG. 9, the interface 900 may respond with more detailed alert information 902, including data type, analysis type, anomaly score, explanation, history, and other information. The GUI generation circuitry 120 may additionally create a full-screen list of alerts for review)
search the enriched representation to find a chain of events representing an issue in the computing environment (e.g. fig. 9, ¶53-55: The operator may interact with the interface 700 to zoom, rotate in three dimensions, and scroll horizontally and vertically to focus on any given area of the interface 700. The operator may select a node for review, or the interface 700 may automatically highlight nodes implicated in an anomalous event. In FIG. 7, the interface 700 has highlighted a particular path, including path segment 726, through the network in connection with the review of the internal node 720).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Marquardt into the invention of Sharifi for the purpose of providing the graph with more detailed information to further aid in the analysis of the graph.
	
Claim 2, Sharifi-Marquardt discloses The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the system to implement a countermeasure that resolves the issue. (Sharifi, e.g. col. 3, ll. 22-26, 33-39, col. 17, ll. 41-50).

Claim 3, Sharifi-Marquardt discloses The non-transitory machine-readable storage medium of claim 1, wherein the graphical representation comprises a graph of nodes that represent respective events of the plurality of events, and wherein the information based on the issue indications are added to the graph of nodes. (Sharifi, e.g. figs. 7, 9, col. 2, ll. 21-31, col. 9, ll. 37-59, col. 12, ll. 21-22, col. 15, ll. 15-17)

Claim 4, Sharifi-Marquardt discloses The non-transitory machine-readable storage medium of claim 1, wherein the issue indications comprise scores derived based on features from the event data, each score of the scores representing a likelihood in the computing environment. (Sharifi, e.g. fig. 10, col. 16, ll. 38-48).
Although Sharifi discloses the issue indications comprise scores derived based on features from the event data, each score of the scores representing a likelihood in the computing environment (see above), Sharifi does not appear to explicitly disclose but Marquardt discloses anomaly scores derived based on features from the event data, each anomaly score of the anomaly scores representing a likelihood of an anomaly in the computing environment. (e.g. fig. 9, ¶51, 55: anomaly scores)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Marquardt into the invention of Sharifi for the purpose of providing information about anomalies in the form of scores to provide better understanding about the anomalies.

Claim 6, Sharifi-Marquardt discloses The non-transitory machine-readable storage medium of claim 1, wherein add the information based on the issue indications to the representation to form the enriched representation comprises: associate the information based on the issue indications with nodes in the representation, (Marquardt, e.g. fig. 9, ¶54-55) the nodes representing respective events of the plurality of events. (Sharifi, e.g. figs. 7, 9, col. 2, ll. 21-31, col. 9, ll. 37-59, col. 12, ll. 21-22, col. 15, ll. 15-25).  Same motivation as in claim 1 would apply.

Claim 7, Sharifi-Marquardt discloses The non-transitory machine-readable storage medium of claim 1, wherein search the representation to find the chain of events representing the issue comprises: identify a node, in the representation, that represents an event associated with an issue indication that indicates likely presence of a potential issue; and identify a path from the identified node to other nodes in the representation, the other nodes representing events having a specified relationship with the event represented by the identified node, wherein the chain of events includes the events represented by the nodes connected by the identified path.  (Sharifi, e.g. fig. 7, 10, col. 3, ll. 4-21, col. 13, ll. 19-39, col. 16, ll. 11-22)
Although Sharifi discloses the representation (see above), Sharifi does not appear to explicitly disclose but Marquardt discloses the enriched representation (e.g. fig. 9, ¶53-55).  Same motivation as in claim 1 would apply.

Claim 8, Sharifi-Marquardt discloses The non-transitory machine-readable storage medium of claim 7, wherein the specified relationship comprises a temporal relationship. (Sharifi, e.g. col. 2, ll. 21-31, col. 9, ll. 49-55, col. 12, ll. 64-col. 13, ll. 4)

Claim 9, Sharifi-Marquardt discloses The non-transitory machine-readable storage medium of claim 7, wherein the instructions upon execution cause the system to: compute an aggregate issue indication for the identified path based on aggregating issue indications associated with the events represented by the nodes connected by the identified path; and identify the events connected by the identified path as being part of the chain of events in response to the aggregate issue indication.  (Sharifi, e.g. fig. 10, col. 3, ll. 4-21, col. 13, ll. 19-39, col. 16, ll. 11-22)

Claim 13, Sharifi discloses A system, comprising: 
a processor; and a non-transitory storage medium comprising instructions executable on the processor to: (e.g. col. 22, ll. 60-67)
electronically collect event data, wherein the event data is in a form of a least one of electronic network event data, electronic host event data and electronic application event data from at least one of a plurality of entities in a computing environment; (e.g. figs. 1, 3, col. 2, ll. 8-12, col. 8, ll. 38-col. 9, ll. 9: acquiring event logs, trace logs, diagnostic logs or information, operational logs, operational history)
construct, based on the event data representing a plurality of events in the computing environment, a representation of the plurality of events, the representation including links relating the plurality of events, wherein the representation includes a graphical representation of the plurality of events and the links include temporal links relating the plurality of events; (e.g. figs. 7, 9, col. 2, ll. 21-31, col. 9, ll. 37-59, col. 12, ll. 21-22, col. 15, ll. 15-17: based on the acquired data, generating a graph of event records where individual event records are represented by individual nodes of the graph and each edge of the graph links a pair of event records by a matching attribute)
compute scores corresponding to potential issues in the computing environment; (e.g. fig. 10, col. 16, ll. 38-48: computing threat scores for the event records) and 
search the representation to find a chain of events representing an issue in the computing environment, (e.g. fig. 10, col. 3, ll. 4-21, col. 13, ll. 19-39, col. 16, ll. 11-22: using the graph to determine various connections between events to detect potential system compromises that are comprised of events originating from different streams of diagnostic information)
wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities. (e.g. figs. 7, 9, col. 2, ll. 21-31, col. 9, ll. 37-59, col. 12, ll. 21-22, col. 15, ll. 15-25: generating a graph of event records)
Although Sharifi discloses searching the representation to find a chain of events representing an issue in the computing environment (see above), Sharifi does not appear to explicitly disclose but Marquardt discloses:
add information based on the scores to the representation to form an enriched representation; and (e.g. fig. 9, ¶54-55: As shown in FIG. 9, the interface 900 may respond with more detailed alert information 902, including data type, analysis type, anomaly score, explanation, history, and other information. The GUI generation circuitry 120 may additionally create a full-screen list of alerts for review)
search the enriched representation to find a chain of events representing an issue in the computing environment (e.g. fig. 9, ¶53-55: The operator may interact with the interface 700 to zoom, rotate in three dimensions, and scroll horizontally and vertically to focus on any given area of the interface 700. The operator may select a node for review, or the interface 700 may automatically highlight nodes implicated in an anomalous event. In FIG. 7, the interface 700 has highlighted a particular path, including path segment 726, through the network in connection with the review of the internal node 720).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Marquardt into the invention of Sharifi for the purpose of providing the graph with more detailed information to further aid in the analysis of the graph.

Claim 14, Sharifi-Marquardt discloses The system of claim 13, wherein the instructions are executable on the processor to: extract features from the event data; and compute the scores for the features. (Sharifi, e.g. fig. 10, col. 16, ll. 38-48).
Although Sharifi discloses extract features from the event data; and compute the scores for the features (see above), Sharifi does not appear to explicitly disclose but Marquardt discloses wherein the scores comprise anomaly scores, and compute the anomaly scores for the features.  (Marquardt, e.g. fig. 9, ¶51, 55)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Marquardt into the invention of Sharifi for the purpose of providing information about anomalies in the form of scores to provide better understanding about the anomalies.

Claim 15, Sharifi-Marquardt discloses The system of claim 13, wherein the scores comprise threat scores representing threats in the computing environment. (Sharifi, e.g. fig. 10, col. 16, ll. 38-48).

Claim 16, Sharifi-Marquardt discloses The system of claim 13, wherein add the information based on the scores to the representation to form the enriched representation comprises: associate the information based on the scores with nodes in the representation, (Marquardt, e.g. fig. 9, ¶54-55) the nodes representing respective events of the plurality of events. (Sharifi, e.g. figs. 7, 9, col. 2, ll. 21-31, col. 9, ll. 37-59, col. 12, ll. 21-22, col. 15, ll. 15-25).  Same motivation as in claim 1 would apply.

Claim 19, Sharifi discloses A method performed by a system comprising a hardware processor, (e.g. col. 22, ll. 60-67) comprising: 
electronically collecting event data, wherein the event data is in a form of a least one of electronic network event data, electronic host event data and electronic application event data from at least one of a plurality of entities in a computing environment; (e.g. figs. 1, 3, col. 2, ll. 8-12, col. 8, ll. 38-col. 9, ll. 9: acquiring event logs, trace logs, diagnostic logs or information, operational logs, operational history)
constructing, based on the event data representing a plurality of events in the computing environment, a graph including nodes representing events of the plurality of events and temporal links relating the plurality of events; (e.g. figs. 7, 9, col. 2, ll. 21-31, col. 9, ll. 37-59, col. 12, ll. 21-22, col. 15, ll. 15-17: based on the acquired data, generating a graph of event records where individual event records are represented by individual nodes of the graph and each edge of the graph links a pair of event records by a matching attribute)
computing issue indications corresponding to potential issues in the computing environment; (e.g. fig. 10, col. 16, ll. 38-48: computing threat scores for the event records) 
searching the graph to find a chain of events representing an issue in the computing environment and (e.g. fig. 10, col. 3, ll. 4-21, col. 13, ll. 19-39, col. 16, ll. 11-22: using the graph to determine various connections between events to detect potential system compromises that are comprised of events originating from different streams of diagnostic information)
performing a countermeasure to resolve the issue, (e.g. col. 3, ll. 22-26, 33-39, col. 17, ll. 41-50: producing an action to counteract a detected anomaly, revoking the credential or reducing the permissions associated with the credential to secure the customer network)
wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities. (e.g. figs. 7, 9, col. 2, ll. 21-31, col. 9, ll. 37-59, col. 12, ll. 21-22, col. 15, ll. 15-25: generating a graph of event records)
Although Sharifi discloses searching the graph to find a chain of events representing an issue in the computing environment (see above), Sharifi does not appear to explicitly disclose but Marquardt discloses:
adding information based on the issue indications to the graph to form an enriched graph; and (e.g. fig. 9, ¶54-55: As shown in FIG. 9, the interface 900 may respond with more detailed alert information 902, including data type, analysis type, anomaly score, explanation, history, and other information. The GUI generation circuitry 120 may additionally create a full-screen list of alerts for review)
searching the enriched graph to find a chain of events representing an issue in the computing environment (e.g. fig. 9, ¶53-55: The operator may interact with the interface 700 to zoom, rotate in three dimensions, and scroll horizontally and vertically to focus on any given area of the interface 700. The operator may select a node for review, or the interface 700 may automatically highlight nodes implicated in an anomalous event. In FIG. 7, the interface 700 has highlighted a particular path, including path segment 726, through the network in connection with the review of the internal node 720).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Marquardt into the invention of Sharifi for the purpose of providing the graph with more detailed information to further aid in the analysis of the graph.

Claim 20, Sharifi-Marquardt discloses The method of claim 19, wherein computing the issue indications comprises computing scores, and/or computing threat scores of threats. (Sharifi, e.g. fig. 10, col. 16, ll. 38-48)
Although Sharifi discloses computing scores, and/or computing threat scores of threats (see above), Sharifi does not appear to explicitly disclose but Marquardt discloses anomaly scores of anomalies, and/or computing threat scores of threats based on the anomalies. (e.g. fig. 9, ¶51, 55) 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Marquardt into the invention of Sharifi for the purpose of providing information about anomalies in the form of scores to provide better understanding about the anomalies.

Claims 5, 10, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi (US 10521584) in view of Marquardt (US 20180034840) and further in view of Lefebvre (US 20150341379).

Claim 5, Sharifi-Marquardt discloses The non-transitory machine-readable storage medium of claim 4, wherein the issue indications further comprise threat scores, each threat score of the threat scores representing a likelihood of a threat in the computing environment. (Sharifi, e.g. fig. 10, col. 16, ll. 38-48)
Although Sharifi discloses threat scores (see above), Sharifi does not appear to explicitly disclose but Lefebvre discloses threat scores derived based on the anomaly scores (e.g. ¶61: Each of the nodes 304a-g includes a representation of a node anomaly score, such as a low node anomaly score or a high node anomaly score. The node anomaly scores may be represented by numerical values for the nodes, e.g., below the corresponding IP addresses, text labels for the nodes, the colors of the nodes, or the shading of the nodes in the node map 302a. For instance, a diagonal cross hatch for a node may indicate that the corresponding node has a high probability of an active threat based on a high node anomaly score or a node anomaly score that is not low. In some examples, the colors may include red, yellow, and green, that indicate the probability of anomalous activity of the corresponding node based on multiple threshold values, e.g., specified by an operator of the user interface 300).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Lefebvre into the invention of Sharifi-Marquardt for the purpose of indicating a high probability of an active threat (Lefebvre, ¶61).

Claim 10, Sharifi-Marquardt discloses The non-transitory machine-readable storage medium of claim 9, (see above) and does not explicitly disclose but Lefebvre discloses wherein the aggregate issue indication is further based on penalizing a value of the aggregate issue indication for a length of the identified path. (e.g. ¶27: The monitoring device 102 may aggregate the edge anomaly scores for all of the edges connected to a particular device to determine a node anomaly score for the particular device. For instance, when the monitoring device 102 determines a node anomaly score for a desktop device 106d, the monitoring device 102 aggregates the edge anomaly scores for the edges 108d-g. In this example, all of the edges representing connections with the desktop device 106d are expected connections, represented by the solid lines of the edges, and the desktop device 106d receives a low node anomaly score)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Lefebvre into the invention of Sharifi-Marquardt for the purpose of assigning a low node anomaly score when all of the edges representing connections with the node are expected connections (Lefebvre, ¶27).

Claim 17, Sharifi-Marquardt discloses The system of claim 13, wherein search the representation to find the chain of events representing the issue comprises: identify a node, in the representation, that represents an event; and identify a path from the identified node to other nodes in the representation, the other nodes representing events having a specified relationship with the event represented by the identified node, wherein the chain of events includes the events represented by the nodes connected by the identified path. (Sharifi, e.g. fig. 7, 10, col. 3, ll. 4-21, col. 13, ll. 19-39, col. 16, ll. 11-22)
Although Sharifi discloses the representation (see above), Sharifi does not appear to explicitly disclose but Marquardt discloses the enriched representation (e.g. fig. 9, ¶53-55). Same motivation as in claim 1 would apply.
Although Sharifi-Marquardt discloses identifying a node, in the enriched representation, that represents an event (see above), Sharifi-Marquardt does not explicitly disclose but Lefebvre discloses an event associated with a score that exceeds a threshold (e.g. fig. 3B, ¶8, 61, 69: The other node map 302b provides details of the selected node 304b, such as the edges used to calculate the node anomaly score for the selected node 304b. The other node map 302b may include the edge anomaly scores above the corresponding edges. For instance, when the selected node 304b has a high node anomaly score and an active threat outcome, the other node map 302b may highlight edges 306m-n as having anomalous activity while not highlighting edges 306a and 306i-k).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Lefebvre into the invention of Sharifi-Marquardt for the purpose of highlighting edges having anomalous activity (Lefebvre, ¶69).

Claim 18, Sharifi-Marquardt-Lefebvre discloses The system of claim 17, wherein the instructions are executable on the processor to: compute an aggregate score for the path based on aggregating scores associated with the events represented by the nodes connected by the identified path; and identify the events connected by the identified path as being part of the chain of events in response to the aggregate score. (Lefebvre, e.g. ¶3, 8, 27-28, 69). Same motivation would apply.

Claims 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi (US 10521584) in view of Marquardt (US 20180034840) and further in view of Repasi (US 20080022407).

Claim 11, Sharifi-Marquardt discloses The non-transitory machine-readable storage medium of claim 7, (see above) and does not explicitly disclose but Repasi discloses wherein the instructions that upon execution cause the system to: compare a collection of the events connected by the identified path to a library including template chains of events representing respective issues; and identify the collection of the events connected by the identified path as the chain of events representing the issue in response to a match between the collection of the events and a chain of events in the library. (e.g. ¶27: In one embodiment, the analysis module comprises a list of activity sequences indicative of malicious activity, wherein analysing the suspicious activity comprises comparing the suspicious activity and at least one of one or more activities which occurred prior to the suspicious activity and one or more activities which occurred after the suspicious activity to the list of activity sequences, wherein in response to a positive comparison, the activity is determined to be associated with malicious activity.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Repasi into the invention of Sharifi-Marquardt for the purpose of determining that the activity is associated with malicious activity (Repasi, ¶27).

Claim 12, Sharifi-Marquardt-Repasi discloses The non-transitory machine-readable storage medium of claim 11, wherein the instructions that upon execution cause the system to: compute an aggregate issue indication for the chain of events representing the issue based on issue indications associated with the events represented by the nodes connected by the identified path, and a similarity indication indicating a similarity between the collection of the events connected by the identified path and a matching template chain of events in the library. (Repasi, e.g. ¶27). Same motivation would apply.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 20190124104 discloses a graph-based network security analytic framework to combine multiple sources of information and security knowledge in order to detect risky behaviors and potential threats.

US 9225730 discloses graph-based analysis of event data in a computing environment.


Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:30 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436