DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on November 30, 2020 has been entered.
 
Response to Amendment
	This Office Action has been issued in response to Applicant’s Communication of amended application S/N 15/902,856 filed on November 30, 2020.  Claims 1 to 5, 7 to 15, and 17 to 20 are currently pending with the application.
	
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled 

Claims 1 to 5, 7 to 15, and 17 to 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.  Claims 1, 11, and 20, recite the limitation “prevent the specific events that correspond to the potential computer security threats from being stored in the database by filtering the specific events” in line 3 and page 3, line 12, line 4 and page 6, line 7, and page 9, line 4, respectively.  It is not clear where in the specification this subject matter is described.  After reviewing the paragraphs of the specification cited in the remarks as disclosing the claim elements, it was not found the description of such elements.  Paragraphs [0055] and [0056] describe “events 410A and 410C are thus a filtered set of output events”, where “an extractor 420 the extracts the requested fields from the filtered events”, therefore, the events matching the standing query are the ‘filtered events’, which are further passed, or maintained for further processing and extraction of information.  However, it is not clear where the “preventing the specific events from being stored in the database” is being performed.  Paragraph [0062] describes “standing queries provide much faster notification when similar events have been found in the future by applying the same logic that was within the store query with the standing queries”, which indicates the generation of a notification upon finding events matching the query logic, and which is further described in paragraph [0066], which reads “the gathering system 621 has a standing query 660 deployed there, which allows for alerts 661 to be sent to an alert processing system 670; a similar standing query 660 may be deployed in the second gathering system 622, to thereby create alerts 662 to also be sent to 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 to 5, 7, 8, 10 to 15, and 17 to 20 are rejected under 35 U.S.C. 103 as being unpatentable over Herwadkar et al. (U.S. Publication No. 2014/0095541) hereinafter Herwadkar, in view of Hsiao et al. (U.S. Publication No. 2016/0154855) hereinafter Hsiao, in view of Jacob et al. (U.S. Publication No. 2017/0364694) hereinafter Jacob, and further in view of Chakravarty et al. (U.S. Publication No. 2008/0114873) hereinafter Chakravarty.
As to claim 1:
Herwadkar discloses:
A computing system configured to facilitate an improvement in computer security by identifying computer security threats upstream from a database and filtering out the computer security threats to prevent the computer security threats from being stored in the database [Paragraph 0050 teaches measuring risk levels of business operations to provide an early , said computing system comprising: one or more processors; and one or more computer-readable hardware storage devices that store computer-executable instructions that are executable by the one or more processors to cause the computing system to at least: 
access a store query that is structured in accordance with a store query language, wherein the store query is configured to query a database that stores events received from a data stream, and return results that potentially correspond to security threats [Paragraph 0118 teaches receiving a tactical query (SQL query); Paragraph 0119 teaches receiving a tactical query configured based at least in part on a logical request from a business intelligence server; Paragraph 0056 teaches databases may be relational databases, SQL servers, etc., and may receive or store data provided by the streaming data sources, e.g. event streams, therefore, the SQL queries the databases containing events received from the data streams; Paragraph 0050 teaches risk level of a business operation, identifying events that may harm the existing processes, therefore, the events include potential security threats as represented by events that may harm the processes; Paragraph 0089 teaches identifying events that may harm the existing processes]; 
access a set of rules of the store query language of the store query [Paragraph 0099 teaches continuous queries are based upon SQL queries with added constructs that support the processing of streaming events, therefore, accessing the SQL instructions to be able to create the continuous query; Paragraph 0118 teaches receiving a logical request, which is a tactical query (SQL query), to further translate the tactical query into a continuous query, therefore, accessing of the rules or query instructions must be performed]; and 
use at least the set of rules of the store query language to convert the store query into a standing query [Paragraph 0066 teaches translating logical requests (tactical SQL queries) into continuous queries; Paragraph 0118 teaches converting a tactical query into a continuous query; Paragraph 0119 teaches generating a continuous query based on an SQL query, therefore, using the query instructions of the SQL query];
deploy a first instance of the standing query into a first intermediary computing system and deploy a second instance of the standing query into a second intermediary computing system [Paragraph 0095 teaches an event processing application may be configured to listen to multiple input streams received from one or more event sources, select event from the monitored streams, and output the selected events to one or more event sinks, where the same query can be associated with more than one event sink and with different types of event sinks, therefore, deploying a first instance and a second instance of the query into a first and second intermediary systems], wherein: 
the first intermediary computing system is situated between a first event source and the database, and the second intermediary computing system is situated between a second event source and the database [Paragraph 0092 teaches event sources 204, 206, and 208 generate event streams that are received by one or more event processing applications 220, 222, and 224, which listen and process the input event streams and that selects one or more events from the input stream as notable events, which are then sent to one or more event sinks 210, 212, where event sources, event processing applications, and event sinks can be decoupled from each other, therefore, first and second intermediary systems situated between the event sources and the database; Paragraph 0100 teaches an event processing application is composed of several component types, including one or more adapters that interface directly to the input and output stream, and relation , 
the first intermediary computing system is configured to gather new events originating from the first event source, and the second intermediary computing system is configured to gather new events originating from the second event source [Paragraph 0092 teaches event sources 204, 206, and 208 generate event streams that are received by one or more event processing applications 220, 222, and 224, which are configured to listen and process the input event streams and to select one or more events from the input stream as notable events, therefore, gathering new events originating from the event sources], 
the first intermediary system is further configured to receive events from the first event source such that the first instance of the standing query operates on events [Paragraph 0094 an event processing application is configured to listen to input event streams, execute logic (e.g., a query) for selecting one or more notable events from the input streams, and output the selected notable events to the event sink, where event sources include a variety of source types; Paragraph 0095 teaches receiving input stream from many event sources, where the same query can be associated with more than one event sink and with different types of event sinks, therefore, the query operates on a first type of events; Paragraph 0100 teaches adapters in the event processing application (intermediary system) are configured to understand the input and output stream protocol, and may be defined for a variety of data sources and sinks, therefore, including a first intermediary system configured to receive, and operate on events from first event source using a specific protocol], and 
the second intermediary system is configured to receive events from the second event source such that the second instance of the standing query operates on events [Paragraph 0094 an event processing application is configured to listen to input event streams, execute logic ; and
execute the instances of the standing query against the new events originating from the first and second event sources, which new events are flowing in the data stream, the standing query, including any instances thereof, being configured to identify specific events that correspond to potential computer security threats and to prevent the specific events that correspond to the potential computer security threats from being stored in the database by filtering the specific events upstream from the database [Paragraph 0118 teaches querying the event stream with the generated continuous query; Paragraph 0119 teaches querying a stream with the continuous query, to provide results of the continuous query to an event sink of the BI server, therefore, identifying specific events upstream from the database, and not storing the events in the database, but sending the events to an event sink; Paragraph 0092 teaches processing events received via the one or more event stream sources 206, 208, into the one or more event processing applications 220, 222, and 224, by selecting one or more events from the input event streams as notable events, and sending the matching events to an event sink; Paragraph 0097 teaches processing input streams by using a continuous query that comprises instructions that identify what events are to be selected as notable events, including performing filtering to discover and extract the .
Herwadkar does not appear to expressly disclose the store query is verified as being known to return results when queried against the events after the events are stored in the database; create a syntax graph of the store query; use at least the syntax graph and the set of rules of the store query, to convert the store query; receive events using a transmission control protocol (TCP), the query operating on TCP-based events; receive events using a user datagram protocol (UDP), the query operates on UDP-based events.
Hsiao discloses:
the store query is verified as being known to return results when queried against the events after the events are stored in the database [Paragraph 0058 teaches a user may be able to view real-time changes happening to the data of the original business view's query, by changing the view from static to active in order to activate a visualization of the changes occurring on the data, where a tactical query (data delivered once) is converted into a continuous query (continuous, incremental computation) to account for real-time data changes, in other words, the store query has been verified as known to return desired results from events stored in the database; Paragraph 0069 teaches converting a tactical (SQL) query into a continuous query may be performed at runtime, enabling the user to visualize the active data while viewing static data from an SQL query, in other words, the store query has been tested or executed in an event store, and verified as returning the type of result that is intended to obtain].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teachings of the cited references and modify the invention as taught by Herwadkar, by incorporating a store query that is verified as being known to return results when queried against the events after the events are stored in the database, as taught by Hsiao 
Neither Herwadkar nor Hsiao appear to expressly disclose create a syntax graph of the store query; use at least the syntax graph and the set of rules of the store query, to convert the store query; receive events using a transmission control protocol (TCP), the query operating on TCP-based events; receive events using a user datagram protocol (UDP), the query operates on UDP-based events.
Jacob discloses:
create a syntax graph of the store query [Paragraph 0028 teaches parsing the SQL query into a data structure such as an abstract syntax tree, where the abstract syntax tree that maps the received query, may be used to determine how to map the statements from its native language into a comparable statement in another language]; and 
use at least the syntax graph and the set of rules of the store query, to convert the store query [Paragraph 0028 teaches using the abstract syntax tree of the query and attributes inferred from, or stated in the original query statement, to generate a query in a different structure, format, or language; Paragraph 0035 teaches rewriting a query, i.e. an SQL query, into different types, formats, structures, and data schemas for various database, including graph databases].

Neither Herwadkar, nor Hsiao, nor Jacob appear to expressly disclose receive events using a transmission control protocol (TCP), the query operating on TCP-based events; receive events using a user datagram protocol (UDP), the query operates on UDP-based events.
Chakravarty discloses:
receive events using a transmission control protocol (TCP), the query operating on TCP-based events [Paragraph 0054 teaches one or more collectors listen for connections from data sources on respective local ports, where the collectors can listen on a TCP port, and data sources will connect via this port, where filters can be applied to limit the data sent to an agent, therefore, operating on TCP-based events]; 
receive events using a user datagram protocol (UDP), the query operates on UDP-based events [Paragraph 0054 teaches one or more collectors listen for connections from data sources on respective local ports, where the collectors can listen on an UDP port, and data sources will connect via this port, where filters can be applied to limit the data sent to an agent, therefore, operating on UDP events].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teachings of the cited references and modify the invention as taught by Herwadkar, by receiving events using a transmission control protocol (TCP), the query operating on TCP-based events, and receiving events using a user datagram protocol (UDP), the query operates on UDP-based events, as taught by Chakravarty [Paragraph 0054], because the applications are directed to management and collection of event data from multiple sources, and Herwadkar’s ability to collect and manage different kinds of event data and protocols could have been modified to include TCP and UDP; incorporating TCP and UDP event sources is a simple substitution of one known element for another to obtain predictable results.
	
As to claim 2:
	Herwadkar discloses:
flowing events into the standing query to generate a plurality of matching events that match the standing query, wherein the standing query is a dataflow graph [Paragraph 0092 teaches processing events received via the one or more event stream sources by selecting one or more events from the input event streams as notable events, therefore, analogous to a dataflow graph that stands to receive events against which the standing query is executed and the result is the events that match the query; Paragraph 0097 teaches processing input streams by using a continuous query that comprises instructions that identify what events are to be selected as notable events, .

As to claim 3:
	The combination of Herwadkar and Hsiao discloses:
accessing a particular store query that is structured in accordance with the store query language and that was tested against an event store in which a plurality of events is gathered from a plurality of event sources [Hsiao – Paragraph 0057 teaches converting from a tactical query, e.g. SQL, to a real-time query, e.g. CQL or other type of continuous query language, including changing from a data pull model to a data push model; Paragraph 0069 teaches converting a tactical (SQL) query into a continuous query may be performed at runtime, enabling the user to visualize the active data while viewing static data from an SQL query, in other words, the store query has been tested or executed in an event store; Paragraph 0075 teaches a tactical query may retrieve data from database 112, Fig. 1, while the continuous query is set up to retrieve or collect events from an event stream, where the events may be received from the streaming data source computers 110, or from other sources and/or streams, in other words, the tactical or store query is executed against an event store (database 112); Paragraph 0060 teaches databases 112 may receive or store data provided by the streaming data source computers 110].

As to claim 4:
	The combination of Herwadkar and Hsiao discloses:
the flowed events being events streamed from at least some of the plurality of event sources [Hsiao - Paragraph 0060 teaches streaming event data can be obtained from the streaming .

As to claim 5:
	The combination of Herwadkar and Hsiao discloses:
deploying the standing query into at least one of the at least some of the plurality of event sources [Hsiao – Paragraph 0075 teaches the continuous query is set up to collect events from an event stream, where the events may be received from the streaming data source computers 110; Paragraph 0085 teaches queries may be configured to retrieve streaming event data (data being received in real time from the event processors)].

As to claim 7:
	Herwadkar as modified by Hsiao discloses:
the plurality of matching events being the same events that would be returned if the store query was issued against a store that included the flowed events [Hsiao – Paragraph 0058 teaches a user may be able to view real-time changes happening to the data of the original business view's query, by changing the view from static to active in order to activate a visualization of the changes occurring on the data, where a tactical query (data delivered once) is converted into a continuous query (continuous, incremental computation) to account for real-time data changes, in other words, the queries include the same selection criteria].

As to claim 8:
	Herwadkar as modified by Jacob discloses:
the syntax graph comprising an abstract syntax tree of the store query [Jacob - Paragraph 0028 teaches parsing the SQL query into a data structure such as an abstract syntax tree].
As to claim 10:
	Herwadkar as modified by Hsiao discloses:
accessing a particular store query that is structured in accordance with the store query language and that was tested against a store in which a plurality of events is gathered from a plurality of event sources [Hsiao – Paragraph 0057 teaches converting from a tactical query, e.g. SQL, to a real-time query, e.g. CQL or other type of continuous query language, including changing from a data pull model to a data push model; Paragraph 0069 teaches converting a tactical (SQL) query into a continuous query may be performed at runtime, enabling the user to visualize the active data while viewing static data from an SQL query, in other words, the store query has been tested or executed in an event store; Paragraph 0075 teaches a tactical query may retrieve data from database 112, Fig. 1, while the continuous query is set up to retrieve or collect events from an event stream, where the events may be received from the streaming data source computers 110, or from other sources and/or streams, in other words, the tactical or store query is executed first against an event store (database 112); Paragraph 0060 teaches databases 112 may receive or store data provided by the streaming data source computers 110].

As to claim 11:
Herwadkar discloses:
A method for converting a store query into a standing query, the standing query being configured to facilitate an improvement in computer security by identifying computer security threats upstream from a database and by filtering out the computer security threats to prevent the computer security threats from being stored in the database [Paragraph 0050 teaches measuring risk levels of business operations to provide an early warning sign to identify events that may harm the existing processes; Paragraph 0095 teaches selecting events from monitored data streams and output the selected events to one or more event sinks, therefore, not storing the matching events in the database], the method comprising: 
accessing a store query that is structured in accordance with a store query language, wherein the store query is configured to query a database that stores events received from a data stream, and return results that potentially correspond to security threats [Paragraph 0118 teaches receiving a tactical query (SQL query); Paragraph 0119 teaches receiving a tactical query configured based at least in part on a logical request from a business intelligence server; Paragraph 0056 teaches databases may be relational databases, SQL servers, etc., and may receive or store data provided by the streaming data sources, e.g. event streams, therefore, the SQL queries the databases containing events received from the data streams; Paragraph 0050 teaches risk level of a business operation, identifying events that may harm the existing processes, therefore, the events include potential security threats as represented by events that may harm the processes; Paragraph 0089 teaches identifying events that may harm the existing processes]; 
accessing a set of rules of the store query language of the store query [Paragraph 0099 teaches continuous queries are based upon SQL queries with added constructs that support the processing of streaming events, therefore, accessing the SQL instructions to be able to create the continuous query; Paragraph 0118 teaches receiving a logical request, which is a tactical query (SQL query), to further translate the tactical query into a continuous query, therefore, accessing of the rules or query instructions must be performed]; and 
using at least the set of rules of the store query language to convert the store query into a standing query [Paragraph 0066 teaches translating logical requests (tactical SQL queries) ;
deploying a first instance of the standing query into a first intermediary computing system and deploy a second instance of the standing query into a second intermediary computing system [Paragraph 0095 teaches an event processing application may be configured to listen to multiple input streams received from one or more event sources, select event from the monitored streams, and output the selected events to one or more event sinks, where the same query can be associated with more than one event sink and with different types of event sinks, therefore, deploying a first instance and a second instance of the query into a first and second intermediary systems], wherein: 
the first intermediary computing system is situated between a first event source and the database, and the second intermediary computing system is situated between a second event source and the database [Paragraph 0092 teaches event sources 204, 206, and 208 generate event streams that are received by one or more event processing applications 220, 222, and 224, which listen and process the input event streams and that selects one or more events from the input stream as notable events, which are then sent to one or more event sinks 210, 212, where event sources, event processing applications, and event sinks can be decoupled from each other, therefore, first and second intermediary systems situated between the event sources and the database; Paragraph 0100 teaches an event processing application is composed of several component types, including one or more adapters that interface directly to the input and output stream, and relation sources and sinks, which are configured to understand the input and output stream protocol, and may be defined for a variety of data sources and sinks], 
the first intermediary computing system is configured to gather new events originating from the first event source, and the second intermediary computing system is configured to gather new events originating from the second event source [Paragraph 0092 teaches event sources 204, 206, and 208 generate event streams that are received by one or more event processing applications 220, 222, and 224, which are configured to listen and process the input event streams and to select one or more events from the input stream as notable events, therefore, gathering new events originating from the event sources], 
the first intermediary system is further configured to receive events from the first event source such that the first instance of the standing query operates on events [Paragraph 0094 an event processing application is configured to listen to input event streams, execute logic (e.g., a query) for selecting one or more notable events from the input streams, and output the selected notable events to the event sink, where event sources include a variety of source types; Paragraph 0095 teaches receiving input stream from many event sources, where the same query can be associated with more than one event sink and with different types of event sinks, therefore, the query operates on a first type of events; Paragraph 0100 teaches adapters in the event processing application (intermediary system) are configured to understand the input and output stream protocol, and may be defined for a variety of data sources and sinks, therefore, including a first intermediary system configured to receive, and operate on events from first event source using a specific protocol], and 
the second intermediary system is configured to receive events from the second event source such that the second instance of the standing query operates on events [Paragraph 0094 an event processing application is configured to listen to input event streams, execute logic (e.g., a query) for selecting one or more notable events from the input streams, and output the selected notable events to the event sink, where event sources include a variety of source types; ; and
executing the instances of the standing query against the new events originating from the first and second event sources, which new events are flowing in the data stream, the standing query, including any instances thereof, being configured to identify specific events that correspond to potential computer security threats and to prevent the specific events that correspond to the potential computer security threats from being stored in the database by filtering the specific events upstream from the database [Paragraph 0118 teaches querying the event stream with the generated continuous query; Paragraph 0119 teaches querying a stream with the continuous query, to provide results of the continuous query to an event sink of the BI server, therefore, identifying specific events upstream from the database, and not storing the events in the database, but sending the events to an event sink; Paragraph 0092 teaches processing events received via the one or more event stream sources 206, 208, into the one or more event processing applications 220, 222, and 224, by selecting one or more events from the input event streams as notable events, and sending the matching events to an event sink; Paragraph 0097 teaches processing input streams by using a continuous query that comprises instructions that identify what events are to be selected as notable events, including performing filtering to discover and extract the notable events from the input streams, and return the matching events; Paragraph 0089 teaches identifying events that may harm the existing processes].

Hsiao discloses:
the store query is verified as being known to return results when queried against the events after the events are stored in the database [Paragraph 0058 teaches a user may be able to view real-time changes happening to the data of the original business view's query, by changing the view from static to active in order to activate a visualization of the changes occurring on the data, where a tactical query (data delivered once) is converted into a continuous query (continuous, incremental computation) to account for real-time data changes, in other words, the store query has been verified as known to return desired results from events stored in the database; Paragraph 0069 teaches converting a tactical (SQL) query into a continuous query may be performed at runtime, enabling the user to visualize the active data while viewing static data from an SQL query, in other words, the store query has been tested or executed in an event store, and verified as returning the type of result that is intended to obtain].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teachings of the cited references and modify the invention as taught by Herwadkar, by incorporating a store query that is verified as being known to return results when queried against the events after the events are stored in the database, as taught by Hsiao [Paragraphs 0058, 0069], because the applications are directed to management of database queries, and enabling the conversion of queries from a first format or language into a different format or 
Neither Herwadkar nor Hsiao appear to expressly disclose create a syntax graph of the store query; use at least the syntax graph and the set of rules of the store query, to convert the store query; receive events using a transmission control protocol (TCP), the query operating on TCP-based events; receive events using a user datagram protocol (UDP), the query operates on UDP-based events.
Jacob discloses:
creating a syntax graph of the store query [Paragraph 0028 teaches parsing the SQL query into a data structure such as an abstract syntax tree, where the abstract syntax tree that maps the received query, may be used to determine how to map the statements from its native language into a comparable statement in another language]; and 
using at least the syntax graph and the set of rules of the store query, to convert the store query [Paragraph 0028 teaches using the abstract syntax tree of the query and attributes inferred from, or stated in the original query statement, to generate a query in a different structure, format, or language; Paragraph 0035 teaches rewriting a query, i.e. an SQL query, into different types, formats, structures, and data schemas for various database, including graph databases].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teachings of the cited references and modify the invention as taught by Herwadkar, by creating a syntax graph of the store query; and use at least the syntax 
Neither Herwadkar, nor Hsiao, nor Jacob appear to expressly disclose receive events using a transmission control protocol (TCP), the query operating on TCP-based events; receive events using a user datagram protocol (UDP), the query operates on UDP-based events.
Chakravarty discloses:
receiving events using a transmission control protocol (TCP), the query operating on TCP-based events [Paragraph 0054 teaches one or more collectors listen for connections from data sources on respective local ports, where the collectors can listen on a TCP port, and data sources will connect via this port, where filters can be applied to limit the data sent to an agent, therefore, operating on TCP-based events]; 
receiving events using a user datagram protocol (UDP), the query operates on UDP-based events [Paragraph 0054 teaches one or more collectors listen for connections from data sources on respective local ports, where the collectors can listen on an UDP port, and data sources .
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teachings of the cited references and modify the invention as taught by Herwadkar, by receiving events using a transmission control protocol (TCP), the query operating on TCP-based events, and receiving events using a user datagram protocol (UDP), the query operates on UDP-based events, as taught by Chakravarty [Paragraph 0054], because the applications are directed to management and collection of event data from multiple sources, and Herwadkar’s ability to collect and manage different kinds of event data and protocols could have been modified to include TCP and UDP; incorporating TCP and UDP event sources is a simple substitution of one known element for another to obtain predictable results.

As to claim 12:
	Herwadkar discloses:
flowing events into the standing query to generate a plurality of matching events that match the standing query [Paragraph 0092 teaches processing events received via the one or more event stream sources by selecting one or more events from the input event streams as notable events; Paragraph 0097 teaches processing input streams by using a continuous query that comprises instructions that identify what events are to be selected as notable events, including performing filtering to discover and extract the notable events from the input streams, and return the matching events].

As to claim 13:
	The combination of Herwadkar and Hsiao discloses:
accessing a particular store query that is structured in accordance with the store query language and that was tested against an event store in which a plurality of events is gathered from a plurality of event sources [Hsiao – Paragraph 0057 teaches converting from a tactical query, e.g. SQL, to a real-time query, e.g. CQL or other type of continuous query language, including changing from a data pull model to a data push model; Paragraph 0069 teaches converting a tactical (SQL) query into a continuous query may be performed at runtime, enabling the user to visualize the active data while viewing static data from an SQL query, in other words, the store query has been tested or executed in an event store; Paragraph 0075 teaches a tactical query may retrieve data from database 112, Fig. 1, while the continuous query is set up to retrieve or collect events from an event stream, where the events may be received from the streaming data source computers 110, or from other sources and/or streams, in other words, the tactical or store query is executed against an event store (database 112); Paragraph 0060 teaches databases 112 may receive or store data provided by the streaming data source computers 110].

As to claim 14:
	The combination of Herwadkar and Hsiao discloses:
the flowed events being events streamed from at least some of the plurality of event sources [Hsiao - Paragraph 0060 teaches streaming event data can be obtained from the streaming data source computers; Paragraph 0075 teaches the continuous query is set up to collect events from an event stream, where the events may be received from the streaming data source computers 110].

As to claim 15:
	The combination of Herwadkar and Hsiao discloses:
deploying the standing query into at least one of the at least some of the plurality of event sources [Hsiao – Paragraph 0075 teaches the continuous query is set up to collect events from an event stream, where the events may be received from the streaming data source computers 110; Paragraph 0085 teaches queries may be configured to retrieve streaming event data (data being received in real time from the event processors)].

As to claim 17:
	Herwadkar as modified by Hsiao discloses:
the plurality of matching events being the same events that would be returned if the store query was issued against a store that included the flowed events [Hsiao – Paragraph 0058 teaches a user may be able to view real-time changes happening to the data of the original business view's query, by changing the view from static to active in order to activate a visualization of the changes occurring on the data, where a tactical query (data delivered once) is converted into a continuous query (continuous, incremental computation) to account for real-time data changes, in other words, the queries include the same selection criteria].

As to claim 18:
	Herwadkar as modified by Jacob discloses:
the syntax graph comprising an abstract syntax tree of the store query [Jacob - Paragraph 0028 teaches parsing the SQL query into a data structure such as an abstract syntax tree].
As to claim 19:
	Herwadkar as modified by Hsiao discloses:
accessing a particular store query that is structured in accordance with the store query language and that was tested against a store in which a plurality of events is gathered from a plurality of event sources [Hsiao – Paragraph 0057 teaches converting from a tactical query, e.g. SQL, to a real-time query, e.g. CQL or other type of continuous query language, including changing from a data pull model to a data push model; Paragraph 0069 teaches converting a tactical (SQL) query into a continuous query may be performed at runtime, enabling the user to visualize the active data while viewing static data from an SQL query, in other words, the store query has been tested or executed in an event store; Paragraph 0075 teaches a tactical query may retrieve data from database 112, Fig. 1, while the continuous query is set up to retrieve or collect events from an event stream, where the events may be received from the streaming data source computers 110, or from other sources and/or streams, in other words, the tactical or store query is executed first against an event store (database 112); Paragraph 0060 teaches databases 112 may receive or store data provided by the streaming data source computers 110].

As to claim 20:
Herwadkar discloses:
One or more computer-readable hardware storage devices comprising physical memory that store  computer executable instructions that are executable by one or more processors of a computing system to at least: 
access a store query that is structured in accordance with a store query language, wherein the store query is configured to query a database that stores events received from a data stream, and return results that potentially correspond to security threats [Paragraph 0118 teaches receiving a tactical query (SQL query); Paragraph 0119 teaches receiving a tactical query configured based at least in part on a logical request from a business intelligence server; Paragraph ; 
access a set of rules of the store query language of the store query [Paragraph 0099 teaches continuous queries are based upon SQL queries with added constructs that support the processing of streaming events, therefore, accessing the SQL instructions to be able to create the continuous query; Paragraph 0118 teaches receiving a logical request, which is a tactical query (SQL query), to further translate the tactical query into a continuous query, therefore, accessing of the rules or query instructions must be performed]; and 
use at least the set of rules of the store query language to convert the store query into a standing query [Paragraph 0066 teaches translating logical requests (tactical SQL queries) into continuous queries; Paragraph 0118 teaches converting a tactical query into a continuous query; Paragraph 0119 teaches generating a continuous query based on an SQL query, therefore, using the query instructions of the SQL query];
deploy a first instance of the standing query into a first intermediary computing system and deploy a second instance of the standing query into a second intermediary computing system [Paragraph 0095 teaches an event processing application may be configured to listen to multiple input streams received from one or more event sources, select event from the monitored streams, and output the selected events to one or more event sinks, where the same query can be associated with more than one event sink and with different types of event sinks, , wherein: 
the first intermediary computing system is situated between a first event source and the database, and the second intermediary computing system is situated between a second event source and the database [Paragraph 0092 teaches event sources 204, 206, and 208 generate event streams that are received by one or more event processing applications 220, 222, and 224, which listen and process the input event streams and that selects one or more events from the input stream as notable events, which are then sent to one or more event sinks 210, 212, where event sources, event processing applications, and event sinks can be decoupled from each other, therefore, first and second intermediary systems situated between the event sources and the database; Paragraph 0100 teaches an event processing application is composed of several component types, including one or more adapters that interface directly to the input and output stream, and relation sources and sinks, which are configured to understand the input and output stream protocol, and may be defined for a variety of data sources and sinks], 
the first intermediary computing system is configured to gather new events originating from the first event source, and the second intermediary computing system is configured to gather new events originating from the second event source [Paragraph 0092 teaches event sources 204, 206, and 208 generate event streams that are received by one or more event processing applications 220, 222, and 224, which are configured to listen and process the input event streams and to select one or more events from the input stream as notable events, therefore, gathering new events originating from the event sources], 
the first intermediary system is further configured to receive events from the first event source such that the first instance of the standing query operates on events [Paragraph 0094 an event processing application is configured to listen to input event streams, execute logic , and 
the second intermediary system is configured to receive events from the second event source such that the second instance of the standing query operates on events [Paragraph 0094 an event processing application is configured to listen to input event streams, execute logic (e.g., a query) for selecting one or more notable events from the input streams, and output the selected notable events to the event sink, where event sources include a variety of source types; Paragraph 0095 teaches receiving input stream from many event sources, where the same query can be associated with more than one event sink and with different types of event sinks, therefore, the query operates on a second type of events; Paragraph 0100 teaches adapters in the event processing application (intermediary system) are configured to understand the input and output stream protocol, and may be defined for a variety of data sources and sinks, therefore, including a second intermediary system configured to receive, and operate on events from second event source using a specific protocol]; and
execute the instances of the standing query against the new events originating from the first and second event sources, which new events are flowing in the data stream, the standing query, including any instances thereof, being configured to identify specific events that correspond to potential computer security threats and to prevent the specific events that correspond to the potential computer security threats from being stored in the database by filtering the specific events upstream from the database [Paragraph 0118 teaches querying the event stream with the generated continuous query; Paragraph 0119 teaches querying a stream with the continuous query, to provide results of the continuous query to an event sink of the BI server, therefore, identifying specific events upstream from the database, and not storing the events in the database, but sending the events to an event sink; Paragraph 0092 teaches processing events received via the one or more event stream sources 206, 208, into the one or more event processing applications 220, 222, and 224, by selecting one or more events from the input event streams as notable events, and sending the matching events to an event sink; Paragraph 0097 teaches processing input streams by using a continuous query that comprises instructions that identify what events are to be selected as notable events, including performing filtering to discover and extract the notable events from the input streams, and return the matching events; Paragraph 0089 teaches identifying events that may harm the existing processes].
Herwadkar does not appear to expressly disclose the store query is verified as being known to return results when queried against the events after the events are stored in the database; create a syntax graph of the store query; use at least the syntax graph and the set of rules of the store query, to convert the store query; receive events using a transmission control protocol (TCP), the query operating on TCP-based events; receive events using a user datagram protocol (UDP), the query operates on UDP-based events.
Hsiao discloses:
the store query is verified as being known to return results when queried against the events after the events are stored in the database [Paragraph 0058 teaches a user may be able to view real-time changes happening to the data of the original business view's query, by changing the .
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teachings of the cited references and modify the invention as taught by Herwadkar, by incorporating a store query that is verified as being known to return results when queried against the events after the events are stored in the database, as taught by Hsiao [Paragraphs 0058, 0069], because the applications are directed to management of database queries, and enabling the conversion of queries from a first format or language into a different format or language; by providing the access of store queries that were verified as returning results when queried against the events after the events are stored in the database, non-developer users are able to implement the combination of historical data with real-time data on the fly, enables the integration of activity monitoring, with complex event processing and real-time set of operational information, providing real-time visibility of business processes and workflows, and enabling the user to take corrective actions right away (See Hsiao Paras [0051], [0054], [0055]).
Neither Herwadkar nor Hsiao appear to expressly disclose create a syntax graph of the store query; use at least the syntax graph and the set of rules of the store query, to convert the store query; receive events using a transmission control protocol (TCP), the query operating on TCP-based 
Jacob discloses:
create a syntax graph of the store query [Paragraph 0028 teaches parsing the SQL query into a data structure such as an abstract syntax tree, where the abstract syntax tree that maps the received query, may be used to determine how to map the statements from its native language into a comparable statement in another language]; and 
use at least the syntax graph and the set of rules of the store query, to convert the store query [Paragraph 0028 teaches using the abstract syntax tree of the query and attributes inferred from, or stated in the original query statement, to generate a query in a different structure, format, or language; Paragraph 0035 teaches rewriting a query, i.e. an SQL query, into different types, formats, structures, and data schemas for various database, including graph databases].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teachings of the cited references and modify the invention as taught by Herwadkar, by creating a syntax graph of the store query; and use at least the syntax graph and the set of rules of the store query, to convert the store query, to generate the dataflow graph, as taught by Jacob [Paragraphs 0028, 0035], because both applications are directed to management of database queries, and enabling the conversion of a queries from a first format or language into a different format or language; creating and using a syntax graph of the store query and the set of rules to rewrite the query into another language, structure, schema, or format associated with another database, enables the creation of a query graph or data model, which may be further used to discover and return additional data that could be valuable to the user, regardless of the data source type, schema, or format, and enables the user to generate a request using a query language that can be parsed, analyzed, converted, and rewritten in order to support different types, 
Neither Herwadkar, nor Hsiao, nor Jacob appear to expressly disclose receive events using a transmission control protocol (TCP), the query operating on TCP-based events; receive events using a user datagram protocol (UDP), the query operates on UDP-based events.
Chakravarty discloses:
receive events using a transmission control protocol (TCP), the query operating on TCP-based events [Paragraph 0054 teaches one or more collectors listen for connections from data sources on respective local ports, where the collectors can listen on a TCP port, and data sources will connect via this port, where filters can be applied to limit the data sent to an agent, therefore, operating on TCP-based events]; 
receive events using a user datagram protocol (UDP), the query operates on UDP-based events [Paragraph 0054 teaches one or more collectors listen for connections from data sources on respective local ports, where the collectors can listen on an UDP port, and data sources will connect via this port, where filters can be applied to limit the data sent to an agent, therefore, operating on UDP events].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teachings of the cited references and modify the invention as taught by Herwadkar, by receiving events using a transmission control protocol (TCP), the query operating on TCP-based events, and receiving events using a user datagram protocol (UDP), the query operates on UDP-based events, as taught by Chakravarty [Paragraph 0054], because the applications are directed to management and collection of event data from multiple sources, and Herwadkar’s ability to collect and manage different kinds of event data and protocols could have .

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Herwadkar et al. (U.S. Publication No. 2014/0095541) hereinafter Herwadkar, in view of Hsiao et al. (U.S. Publication No. 2016/0154855) hereinafter Hsiao, in view of Jacob et al. (U.S. Publication No. 2017/0364694) hereinafter Jacob, in view of Chakravarty et al. (U.S. Publication No. 2008/0114873) hereinafter Chakravarty, as applied to claim 1 above, and further in view of Burke et al. (U.S. Publication No. 2013/0097114) hereinafter Burke.
As to claim 9:
	The combination of Herwadkar and Jacob discloses:	
	creating an initial syntax graph based on the store query [Jacob - Paragraph 0028 teaches parsing the SQL query into a data structure such as an abstract syntax tree].	
	Neither Herwadkar nor Jacob appear to expressly disclose rewriting the initial syntax graph.
	Burke discloses:
rewriting the initial syntax graph [Paragraph 0011 teaches parsing an input query, generating an abstract syntax tree based on the parse tree, and further restructuring the abstract syntax tree based on evaluation of the query; Paragraph 0043 teaches generating an abstract syntax tree, and restructuring the abstract syntax tree producing a restructured abstract syntax tree, which will be provided to query execution engine for execution].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teachings of the cited references and modify the invention as taught by Herwadkar as modified by Jacob, by rewriting the initial syntax graph, as taught by Burke [Paragraphs 0011, 0043], because the applications are directed to management of database 

Response to Arguments
	The following is in response to arguments filed on November 30, 2020.  Applicant’s arguments have been fully and respectfully considered.
Claim Rejections - 35 USC § 112
	Applicant’s arguments have been carefully and respectfully considered, but are not persuasive.
	In regards to claim 1, Applicant argues that “Applicant’s disclosure (i.e. written description and the figures) adequately described the claims for the following reasons”, and more specifically, that “the claims state that the embodiments “filter the specific events upstream from the database”, where one potential result of “filtering” data is that the filtered data is no longer available for further consideration, and in this regard, the embodiments are able “to prevent the specific events that correspond to the potential computer security threats from being stored in the database” as a result of performing the filtering operation; accordingly, it is respectfully submitted that a person of ordinary skill in the art would understand that performing a "filtering" operation would also lead to a scenario in which certain data is prevented from reaching an end destination as a 
result of imposing the filter.”
	In response to the preceding argument, Examiner respectfully disagrees, and respectfully points out that, although one potential result of “filtering” data is indeed that the filtered data is no filtered set of output events.  In other words, the specification defines “filtered” data as a set of output events that match the standing query, and not as “filtered data that is no longer available for further consideration”.  Paragraph [0056] further describes that an extractor 420 then extracts the requested fields from the filtered events, therefore, the “filtered” data is indeed available and used for further consideration.
	
	In regards to claim 1, Applicant further argues that “para [0005], [0018], and [0055] illustrates a scenario in which certain events have been “discarded” as a result of the filtering process, where as a result of discarding events, the embodiments actively prevent those events from reaching the database, and as such, it is respectfully submitted that the filtering operation recited in the claims at least inherently or inferentially supports the “prevention” also mentioned in the claims”.
	In response to the preceding argument, Examiner respectfully disagrees, and respectfully submits that if the filtering operation is performing the “prevention” by “discarding” events as a result of the filtering process, then the events that would be prevented from reaching the database are the events that do not match the standing query, and therefore, not the events that correspond 
Paragraph [0060] of the specification describes that an evaluator might be trying to determine a security threat or operational problem that is occurring across the event sources, which are the events of interest, and paragraph [0061] further describes that once the events of interest are found using store queries, the evaluator might want to deploy a standing query within an intermediary computing system that helps to gather events into an event store, where the query is satisfactory to find such events of interest, and thus generating a standing query with identical logic to the store query.  In other words, the events of interest that are identified with the queries are the events of interest corresponding to security threats, and events that match the standing query.  Finally, paragraph [0062] describes that the evaluator may quickly generate a standing query that may be deployed upstream of the store, which can provide much faster notification when similar events have been found in the future.  Therefore, the matching events of interest, which are the events corresponding to the security threats are not the events being discarded, and are not being prevented to reach the database; the events of interest are the events identified as matching the standing query, to thereby create alerts to be sent to an alert processing system upon identification of the events of interest, and hence, nowhere it is disclosed that the events matching the standing query and corresponding to security threats are being discarded, nor prevented from reaching the database.  Claim rejections under 35 USC § 112 are hereby sustained.

Claim Rejections - 35 USC § 103
	Applicant’s arguments have been carefully and respectfully considered, but are moot in view of new grounds of rejections as necessitated by the amendments.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAQUEL PEREZ-ARROYO whose telephone number is (571)272-8969.  The examiner can normally be reached on Monday - Friday, 8:00am - 5:30pm, Alt Friday, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Usmaan Saeed can be reached on 571-272-4046.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/RAQUEL PEREZ-ARROYO/Examiner, Art Unit 2169