DETAILED ACTION
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This Office Action is in response to the amendment filed on 1/6/2021.
Claims 4 and 12 have been canceled.
Claims 1-2, 5, 9 and 17 have been amended.
Claims 1-3, 5-11 and 13-22 are pending for consideration.

Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Response to Arguments
The rejection under 35 U.S.C. 112(b) of claims 1-3, 5-11 and 13-22 has been withdrawn as the claims have been amended to remove the indefiniteness issue.
Applicant's arguments filed on 1/6/2021 have been fully considered but they are not persuasive. 
Applicant argues on page 9 of the Remarks that the combination of Goswami in view of Mezack fails to teach “this limitation” on page 6 of the Office Action.  Applicant did not explicitly point out on page 9 of the Remarks which determining that at least one of the retrieved one or more records relates to a security breach associated with the computing system, the at least one of the retrieved one or more records being indicative of the event relating to the security breach”.  Examiner respectfully disagrees.  Mezack does teach “determining that at least one of the retrieved one or more records relates to a security breach associated with the computing system, the at least one of the retrieved one or more records being indicative of the event relating to the security breach” (Mezack: paragraphs 0020, 0092 and 0156, “The threat model analysis engine can monitor the common event data for additional threat model instance related activity corresponding to the identified targets. In addition, the threat model analysis engine can monitor activity volume for a given step to determine if that step has occurred and/or is still occurring. Each threat model instance generated can include a unique identifier.”… “If it is determined that assessment has been performed on the identified source, the process can continue on to retrieve all vulnerability data information from persistent storage associated with the source at block 1335. The process may then continue on to compare retrieved Security Attributes about the common data events provided for corroboration to security attributes associated with vulnerabilities retrieved for the target of impact”).  The common event data recited in Mezack reference is mapped to the at least one or more records.  The common event data is monitored and analyzed by the threat model analysis .
Applicant's arguments on pages 10-12 of the Remarks fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-3, 5-11 and 13-22 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Goswami et al. (US20080134214) (hereinafter Goswami) in view of Mezack et al. (US20080148389) (hereinafter Mezack).
Regarding claim 1, Goswami discloses a computer security method for tracking activity on a computing system, the method comprising: detecting an event, associated with a process, occurring in a computing system, wherein detecting the event comprises intercepting an operation at a layer of an operating system of the computing system (Goswami: paragraphs 0036 and 0046, “Upon occurrence of a particular event during a first process spawned from a first module” … “indications of one or more various events, such as reaching certain milestones in the processing of data, encountering particular user actions, invoking separate processes, receiving results from separate processes, invocation by separate processes, returning results to separate processes, and encountering an error or interruption in processing”); generating, by a processor, an event identifier for the event, wherein the event identifier uniquely identifies the event in the computing system (Goswami: see figure 2; and paragraph 0050 and 0067, “the local event ID field 254 for an error encountered by process” … “stores the error number "X101" in the local event ID field”, {the local event ID/error number is interpreted as the event identifier}); generating a record for the event, the record comprising the event identifier and details that describe the event (Goswami: see figure 2; and paragraph 0050 , “the event information 250, 260, 270 includes an event identification field established for the individual process ("local event ID") fields 254, 264, 274, respectively. For example, the local event ID field 254 for an error encountered by process”); generating a global identifier for the record based on the event identifier and attributes of the computing system on which the event occurred, wherein the global identifier uniquely identifies computing system that is associated with the record among a plurality of computing systems including the computing system (Goswami: paragraphs 0051 and 0056, “each log file includes event context identification ("event context ID") fields 252, 262, 272. A value for the event context ID field is unique for each event among all events for all the processes spawned from all the modules used by the application program”, {event context ID is broadly interpreted as the global identifier}); retrieving, using the global identifier, one or more records associated with the computing system from a plurality record associated with the plurality of computing system (Goswami: paragraphs 0056-0057, 0077 and 0080, “a user tracks an event leading to error Z321 across log files using the values in the context ID field.” … “According to the illustrated embodiment, the user only need determine from Log File 222 that the event has the context ID of "2001:1:3:03:00:00.000000:Module-C:MAC-C" and then find that same value in one of the other log files, e.g., Log File 242 to find additional information associated with the same event”).
Goswami does not explicitly disclose the following limitation which is disclosed by Mezack, determining that at least one of the retrieved one or more records relates to a security breach associated with the computing system, the at least one of the retrieved one or more records being indicative of the event relating to the security breach (Mezack: paragraphs 0020, 0092 and 0156, “The threat model analysis engine can monitor the common event data for additional threat model instance related activity corresponding to the identified targets. In addition, the threat model analysis engine can 
Regarding claim 9, claim 9 discloses a medium claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 9 and rejected for the same reasons.
Regarding claim 17, claim 17 discloses a method claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 17 and rejected for the same reasons.
Regarding claims 2, 10 and 18, the combination of Goswami and Mezack discloses the method of claims 1, 9 and 17.  
Furthermore, Goswami teaches wherein generating the event identifier comprises (Goswami: see figure 2; and paragraph 0050 and 0067, “the local event ID field 254 for an error encountered by process” … “stores the error number "X101" in the local event ID field”, {the local event ID/error number is interpreted as the event identifier}):
Goswami thus far does not explicitly teach performing a hash operation on information associated with the event to generate the event identifier.
However, Goswami discloses generating an id using a hash operation (Goswami: paragraph 0058, “ID is generated by applying a hash function”).
Goswami and Mezack are analogous art because they are from the same field of endeavor, event detection.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Goswami and Mezack before him or her, to modify the combined teachings of Goswami and Mezack to generate the event identifier using the hash operation on the information associated with the event.  Doing so would result in aforementioned claimed limitation. The suggestion/motivation for doing so would give a unique id for the event data.
Regarding claims 3 and 11, Goswami as modified discloses the method of claims 2 and 10.  Goswami further discloses wherein the information comprises at least one of the following: details of the event, the process, and a time the event occurred (Goswami: paragraph 0058, “applying a hash function to the date-time, module name, and MAC address, so that the value is expressed in a given number of 
Regarding claims 5 and 13, Goswami as modified discloses the method of claims 1 and 9.  Goswami discloses analyzing the retrieved one or more records associated with the computing system, wherein the retrieved one or more records are retrieved from the central repository storing the plurality of records associated with the plurality of computing systems (Goswami: paragraphs 0056-0057, 0077 and 0080, “a user tracks an event leading to error Z321 across log files using the values in the context ID field.” … “According to the illustrated embodiment, the user only need determine from Log File 222 that the event has the context ID of "2001:1:3:03:00:00.000000:Module-C:MAC-C" and then find that same value in one of the other log files, e.g., Log File 242 to find additional information associated with the same event”).  Goswami thus far does not explicitly disclose providing the record and the global identifier to a central repository for storage with the global identifier.
However, Mezack discloses providing the record and the global identifier to a central repository for storage with the global identifier (Mezack: paragraph 0081, “The Common Data Event Database 42 is further connected to a Threat Model Analysis Engine 41, Corroboration Job Processor 45, providing a central data source to these components and can further comprise knowledgebases for their processing. Data collected from the data sources by the Activity Processor 44 is shown occurring during the course of a worm security threat event”).  Goswami and Mezack are analogous art because they are from the same field of endeavor, event detection.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Goswami and Mezack before him or her, to modify the system of Goswami to include sending the record and global identifier of Mezack for storage. The suggestion/motivation for doing so would have been to enable large amounts of data generated to be managed, replicated and achieved.
Regarding claims 6, 14 and 19, Goswami as modified discloses the method of claim 1, 9 and 17.  Goswami further discloses wherein generating the global identifier comprises: performing a hash operation on the attributes associated with the computing system and the event identifier to generate the global identifier (Goswami: paragraphs 0057-0058, “the value of the event context ID is generated by applying a hash function to the date-time, module name, and MAC address, so that the value is expressed in a given number of bits of data regardless of the number of characters in the name of the module or MAC address”).
Regarding claims 7 and 15, Goswami as modified discloses the method of claims 1 and 9.  Goswami further discloses wherein the event comprises at least one of the following: initiation of the process, a request to start a new process, a request to create a file, a request to modify a file, a request to delete a file, request to create a registry key, a request to delete a registry key, a request to modify a registry key, a request to establish a network connection, and a request to load a binary (Goswami: paragraphs 0036 and 0046, “indications of one or more various events, such 
Regarding claims 8 and 16, Goswami as modified discloses the method of claims 1 and 9.  Goswami further discloses wherein the attributes associated with the computing system include at least one of the following: a type of the computing system, a name of the computing system, a configuration of the computing system, a network address of the computing system, a media access control (MAC) address of the computing system, information about a user of the computing system, and a telephone number associated with the computing system (Goswami: paragraphs 0057-0058, “the value of the event context ID is generated by applying a hash function to the date-time, module name, and MAC address, so that the value is expressed in a given number of bits of data regardless of the number of characters in the name of the module or MAC address”).
Regarding claims 20-22, Goswami as modified discloses the method of claims 1, 9 and 17.  Mezack further discloses searching event records of at least another one of the plurality of computing systems for at least one event record related to the security breach associated with the computing system (Mezack: paragraphs 0020 and 0154, “The threat model analysis engine can monitor the common event data for additional threat model instance related activity corresponding to the identified targets. In addition, the threat model analysis engine can monitor activity volume for a given step to determine if that step has occurred and/or is still occurring. Each threat model .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.