DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The Amendment filed 02 February 2021 has been received and considered.
Claims 1-20 are pending.
This Action is Final.

Claim Rejections - 35 USC § 112
The rejection of claims 10 and 20 under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, is withdrawn based on the filed amendment.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3 and 11-13 are rejected under 35 U.S.C. 103 as being unpatentable over Stephan et al. (US 20160021139) in view of Trost et al. (US 10902114).

identifying a plurality of log sources in a network; receiving log data from each of the plurality of log sources (see paragraphs [0084]-[0085] collecting data from different data sources which includes log files); 
for each log source, generating a log quality index value comprising: a first variable representing a measure of importance of the log data for the given log source on a basis and in relation to the other log sources comprising the plurality of log sources and a second variable based on the content of the log; and storing the log quality value index in a memory (see paragraphs [0089]-[0094] where the system creates a reliability rating or score, i.e. the log quality index value, which is based on success rates of the sources, i.e. the criticality value, and the time information, i.e. the measure of usefulness).
While the Stephan et al. system discloses the use of quality values based on criticality values and usefulness measures, it fails to explicitly disclose a first variable representing a measure of importance of the log data for the given log source on an absolute basis and in relation to each of the other log sources comprising the plurality of log sources; a second variable representing a granular measure of usefulness of one or more individual event characteristics within the log data for the given log source, wherein the second variable is determined by applying an initial value of zero, performing a series of instructions that address a plurality of discrete characteristics from the log data, and summing the values resulting from the instructions as applied to each of the plurality of discrete characteristics; display, via the user interface, a visualization of the relative importance of each of the plurality of log sources to the security incident based on the log quality index value for each of the plurality of log sources.
However, Trost et al. teaches generating a log quality index value comprising: a first variable representing a measure of importance of the log data for the given log source on an absolute basis and 
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art, to include the quality score adjustments of Trost et al. as part of the score calculation of the Stephan et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been that using additional data helps provide a more accurate quality score.
As per claims 2, 3, 12, and 13, the modified Stephan et al. and Trost et al. system discloses the measure of criticality comprises a plurality of criticality types, wherein a first criticality type represents sensitive data (see Stephan et al. paragraphs [0085], [0101], [0115], [0118]).
Claims 4-9 and 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Stephan et al. and Trost et al. system as applied to claims 1, 3, 11, and 13 above, and further in view of Swackhamer (US 10735442).
As per claims 4 and 14, the modified Stephan et al. and Trost et al. system discloses the use of multiple criticality types including contextual information (see Trost et al. column 9 lines 1-26), but fails to explicitly disclose a second criticality type represents contextual data that enriches primary source data events.

At a time before the effective filing date of the invention, it would have been obvious to include the enrichment of Swackhamer in the modified Stephan et al. and Trost et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to allow for additional relevant information to be available to the reviewer of the data.
As per claims 5 and 15, the modified Stephan et al., Trost et al., and Swackhamer system discloses a third criticality type represents event data contained in other log sources (see Stephan et al. paragraphs [0084]-[0085] and Swackhamer column 7 lines 21-32).
As per claims 6 and 16, the modified Stephan et al., Trost et al., and Swackhamer system discloses the use of various types of data within different logs, but fails to explicitly disclose the use of debug logs. However, Official Notice is taken that at a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include debug logs in the modified Stephan et al., Trost et al., and Swackhamer system because they are commonly used and well-known sources of data for detecting and preventing malware.
As per claims 7-9 and 17-19, the modified Stephan et al. and Trost et al. system discloses the inclusion of usefulness information and generally the use of contextual information (see Trost et al. column 9 lines 1-26), but fails to explicitly disclose the usefulness value represents where the event occurred, who/what performed the action, and data relevant to the action.
However, Swackhamer teaches including a usefulness value that represents where the event occurred, who/what performed the action, and data relevant to the action (see column 15 lines 10-37).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the usefulness information of Swackhamer in the modified Stephan et al. and Trost et al. system.
Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Stephan et al. and Trost et al. system as applied to claims 1 and 11 above, and further in view of Thomson et al. (US 9596256).
As per claims 10 and 20, the modified Stephan et al. and Trost et al. system generally discloses updating measurements, but fails to explicitly disclose a log index value is generated for each log source at three points comprising: (1) a default configuration of data log for the log source; (2) after implementation of one or more logging configuration recommendations for the log source, and (3) after data enrichment has been enabled.
However, Thomson et al. teaches taking measurements at three points comprising: (1) a default configuration of data log for the log source; (2) after implementation of one or more logging configuration recommendations for the log source, and (3) after data enrichment has been enabled (see column 8 line 54 through column 9 line 7 where source score information is originally displayed and modified based on user input or dynamically based on additional information).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the adjustments of Thomson et al. in the modified Stephan et al. and Trost et al. system.
Motivation to do so would have been to allow the user to update the scores (see Thomson et al. column 8 line 54 through column 9 line 7).

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 form are related to quality scores for data sources.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875.  The examiner can normally be reached on Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche, can be reached on (571) 270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.