DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/1/2021 has been entered.

Information Disclosure Statement
The 3/4/2021 and 3/25/2021 IDS documents have been considered by the examiner.

Double Patenting
Regarding the Double Patenting rejection:
Responsive to the terminal disclaimer approved 2/26/2021, the rejection has been withdrawn.

Regarding claims rejected under 35 USC 103:
Applicant’s arguments with respect to claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Allen (US 9,727,726 B1) in view of Altman (US 10,078,571 B2) and Chen (US 2009/0300166 A1).

Regarding claim 1, Allen discloses: A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: 
instrumenting an endpoint managed by a threat management facility with a local agent  (e.g., computing system and monitoring device as per at least FIG. 4 of Allen) to detect a plurality of types of changes to a plurality of computing objects; 
Refer to at least Col. 1, Ll. 65-Col. 2, Ll. 25 of Allen with respect to the monitoring device and associated monitoring.
creating an event stream from the local agent including each type of change to each of the plurality of computing objects detected on the endpoint; 
Refer to at least Col. 2, Ll. 49-60, Col. 4, Ll. 38-44, and Col. 11, Ll. 2-6 of Allen with respect to creating an event stream associated with the monitoring.
storing the event stream in a data recorder on the endpoint; 
Refer to at least Col. 8, Ll. 21-23 of Allen with respect to explicitly storing the events for later publishing. However, it is noted that any recorded events are necessarily stored as part of being published. 
processing the event stream with a filter at the endpoint to provide a filtered event stream including a subset of the types of changes to a subset of the plurality of computing objects; 
Refer to at least Col. 8, Ll. 2-12 and Col. 11, Ll. 2-11 of Allen with respect to additional information about the events being appended to the event stream transmission. 
transmitting the filtered event stream to the threat management facility; 
Refer to at least Col. 2, Ll. 58-60 and Col. 4, Ll. 41-43 of Allen with respect to publishing the event stream to an administrative service. 
processing the filtered event stream at the threat management facility to evaluate a security state of the endpoint; and 
in response to a predetermined security state detected by the threat management facility, transmitting an adjustment to the endpoint for at least one of the types of changes or computing objects used by the filter to process the event stream.
Refer to at least the abstract, Col. 3, Ll. 3-22, Col. 4, Ll. 48-59, Col. 8, Ll. 13-52, and Col. 13, Ll. 25-50 of Allen with respect to the administrative service performing analysis of the received event stream and remedial actions resultant therefrom. 
Allen does not specify: managed by a threat management facility for a user associated with an enterprise network; transmitting a second adjustment to one or more other endpoints managed by the threat management facility for one or more other users associated with the enterprise network for the at least one of the types of changes or computing objects used by one or more other filters on the one or more other endpoints for selecting events for the event stream to facilitate detection by the threat management facility of the predetermined security state on the one or more other endpoints based on similar types of changes to computing objects. However, Allen in view of Altman discloses: managed by a threat management facility for a user associated with an enterprise network;
Refer to at least Col. 1, Ll. 10-30 of Altman with respect to performance monitoring and associated dynamic monitoring level adjustment in an enterprise-level distributed system and for its users.
Allen-Altman in view of Chen further discloses: transmitting a second adjustment to one or more other endpoints managed by the threat management facility for one or more other users associated with the enterprise network for the at least one of the types of changes or computing objects used by one or more other filters on the one or more other endpoints for selecting events for the event stream to facilitate detection by the threat management facility of the predetermined security state on the one or more other endpoints based on similar types of changes to computing objects.
Refer to at least FIG. 2 and [0030]-[0034] of Chen with respect to adjusting the monitoring behavior of agents responsive to analysis of filtered data collected from said agents. 
The teachings of Allen, Altman, and Chen concern event monitoring and analysis, and are considered to be within the same field of endeavor and combinable as such.
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of Applicant's invention to modify the teachings of Allen to further include support for enterprise-level networks with multiple users, because design incentives or market forces provided a reason to make an adaptation, and the invention resulted from application of the prior knowledge in a predictable manner (i.e., applying the monitoring to additional types of computing systems; additionally see at least Col. 1, Ll. 5-24 of Allen with respect to support for distributed systems). It further would have been obvious to modify the teachings to include adjusting the monitoring behavior of agents responsive to analysis of filtered data collected from said agents, for at least the purpose of increasing monitoring efficiency (e.g., [0010] of Chen).
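As an added illustration of the claim 1 pipeline being mapped above (not code from the application, Allen, Altman or Chen): an endpoint records its full event stream locally, forwards only the filtered subset, and the facility, on detecting a predetermined state, pushes a filter adjustment both to the reporting endpoint and to the other managed endpoints. All class names, the "unsigned exec" heuristic and the threshold are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Event:
    change: str   # type of change: "exec", "write", "create", ...
    obj: str      # class of computing object: "process", "registry", "file", ...
    detail: str   # free-form description of what changed

@dataclass
class Endpoint:
    """Endpoint instrumented with a local agent, a data recorder and a filter."""
    name: str
    selected: set = field(default_factory=lambda: {("exec", "process")})
    recorder: list = field(default_factory=list)

    def observe(self, events):
        """Record the full stream locally; return only the filtered subset."""
        self.recorder.extend(events)
        return [e for e in events if (e.change, e.obj) in self.selected]

    def adjust(self, extra_selectors):
        """Apply an adjustment received from the threat management facility."""
        self.selected |= set(extra_selectors)

class ThreatManagementFacility:
    SUSPECT, CLEAN = "suspected-persistence", "clean"
    # Extra (change, object) pairs pushed to the filters once SUSPECT is seen.
    ESCALATION = [("write", "registry"), ("create", "file")]

    def __init__(self, endpoints, threshold=3):  # threshold is an assumed value
        self.endpoints = {ep.name: ep for ep in endpoints}
        self.threshold = threshold

    def evaluate(self, source, filtered):
        """Derive a security state from a filtered stream and react to it."""
        unsigned = sum(1 for e in filtered
                       if (e.change, e.obj) == ("exec", "process")
                       and "unsigned" in e.detail)
        if unsigned < self.threshold:
            return self.CLEAN
        for name, ep in self.endpoints.items():
            # First adjustment goes to the reporting endpoint, the second to all others.
            ep.adjust(self.ESCALATION)
        return self.SUSPECT

def demo():
    """Constructed scenario: host-a trips the state, host-b then reports more."""
    a, b = Endpoint("host-a"), Endpoint("host-b")
    tmf = ThreatManagementFacility([a, b])
    burst = [Event("exec", "process", "unsigned tool.exe") for _ in range(3)]
    burst.append(Event("write", "registry", "Run key"))  # dropped by initial filter
    state = tmf.evaluate("host-a", a.observe(burst))
    later = b.observe([Event("write", "registry", "Run key on host-b")])
    return state, len(a.recorder), [e.obj for e in later]
```

The registry write on host-b is forwarded only because host-a's state triggered the second adjustment; host-b's original filter would have dropped it.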



Regarding claim 5, Allen-Altman-Chen discloses: The computer program product of claim 1 wherein the plurality of computing objects includes at least one of an electronic communication, a registry of system settings, and a secure kernel cache.
Refer to at least Col. 2, Ll. 2-25 of Allen with respect to monitoring communications. 

Regarding independent claim 19, it is substantially similar to elements of independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale). 

Regarding claim 20, it is substantially similar to elements of claim 1 above (i.e., concerning remediation), and is therefore likewise rejected. 

Regarding claim 6, it is substantially similar to elements of claim 1 above (i.e., concerning remediation), and is therefore likewise rejected. 

Regarding claim 7, it is rejected for substantially the same reasons as claims 2-4 above.

Regarding claim 8, it is rejected for substantially the same reasons as claim 5 above.

Regarding claim 9, Allen-Altman-Chen discloses: The method of claim 6 further comprising correlating the filtered event stream to a malware event on the endpoint and searching for the malware event on one or more other endpoints coupled to the enterprise network based on a pattern of events in the filtered event stream.
Refer to at least Col. 13, Ll. 26-29, FIG. 4, and Col. 8, Ll. 13-53 of Allen with respect to comparison to malware and with respect to multiple monitored computing systems 406 which may continue to be monitored as part of remediation. 

Regarding claim 10, it is rejected for substantially the same reasons as claim 6 above (i.e., receiving the event stream at the administrative service).

Regarding claims 11-12, they are rejected for substantially the same reasons as claim 6 above (e.g., [0031]-[0034] of Chen).

Regarding claims 13-14, they are rejected for substantially the same reasons as claim 9 above (i.e., monitoring computing systems as part of remediation).

Regarding claim 15, it is rejected for substantially the same reasons as claim 6 above (i.e., remedial actions).

Regarding claims 17-18, they are rejected for substantially the same reasons as claims 11-12 above. 

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Allen-Altman-Chen as applied to claims 1-15 and 17-20 above, and further in view of Curtiss (US 8,779,921 B1).

Regarding claim 16, Allen-Altman-Chen does not specify: wherein processing the filtered event stream includes securely verifying a status of the endpoint. However, Allen-Altman-Chen in view of Curtiss discloses: wherein processing the filtered event stream includes securely verifying a status of the endpoint.
Refer to at least Col. 10, Ll. 26-35 and Col. 28, Ll. 44-Col. 29, Ll. 4 of Curtiss with respect to node statuses transmitted to a control system. Further refer to at least Col. 30, Ll. 1-14 of Curtiss with respect to diagnostics.
The teachings of Allen-Altman-Chen and Curtiss concern event monitoring and analysis, and are considered to be within the same field of endeavor and combinable as such.
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of Applicant's invention to modify the teachings of Allen-Altman-Chen to further include support for node status information and diagnostics, for at least the purpose of identifying malfunctioning nodes for repair such that monitoring runs as intended.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751.  The examiner can normally be reached on 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Jeffrey Nickerson/ Supervisory Patent Examiner, Art Unit 2432




/V.S/ Examiner, Art Unit 2432