DETAILED ACTION
	This office action is in response to the communication filed on December 24, 2018. Claims 1-22 are currently pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/27/18, 07/17/19, 02/04/21, and 05/10/21 have been considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

s 1-22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Watts (US Pub 2017/0230544) in view of Modi (US Pub 2019/0028557) and in further view of Golan (US Pub 2006/005492).

With respect to claim 1, Watts discloses a computer-executed method, comprising:
causing each system, of a plurality of systems involved in executing a particular operation instance of a particular type of multi-system operation, to generate log records that reflect work done by the respective system as part of executing a respective portion of the particular operation instance (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job);
wherein the work done by each system of the plurality of systems includes storing, as part of its respective portion of the particular operation instance, a respective correlation context associated with the particular operation instance (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit ;
determining that one or more log records, generated by one or more of the plurality of systems, satisfy a particular audit log rule associated with a context attribute (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; here Watts does not discloses determining satisfying a particular audit log rule associated with a context attribute, but the Golan reference discloses the feature, as discussed below);
in response to determining that the one or more log records satisfy the particular audit log rule (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; here Watts does not discloses determining satisfying a particular audit log rule, but the Golan reference discloses the feature, as discussed below):
determining a particular value, for the context attribute, contained in the one or more log records (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; here Watts does not disclose context, but the Modi reference discloses the feature, as discussed below);
automatically storing the one or more log records into an audit log data store (Watts: Paragraphs 70, 91, and 398 – automated auditing system that logs all activities, automated operations; Paragraph 406 – audit log entry created and stored for event at issue),
identifying one or more additional log records that are associated with the particular value for the context attribute (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored), and
automatically storing the one or more additional log records in the audit log data store (Watts: Paragraph 398 – automated auditing system that logs all activities; Paragraph 406 – audit log entry created and stored for event at issue);
receiving, from a user, a query over the audit log data store (Watts: Paragraph 400 – audit log retrieval provides user with search functionality using search parameters); and
returning query results for the query to the user (Watts: Paragraphs 496 and 498 – returning requested audit log entries by the user);
wherein the method is performed by one or more computing devices (Watts: Paragraphs 49-51 – performed by computing devices).
Watts discloses storing information related to a job/work event including respective correlation information, however, Watts does not explicitly disclose:
wherein the work done includes storing a respective correlation context;
The Modi reference discloses wherein the work done includes storing a respective correlation context (Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 27 and 178 – stored data such as metadata, raw logs and/or extracted parameters used for auditing, contextual data such as information about user job role and work/usage patterns can be stored along with log files as audit logs);
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, having the teachings of Watts and Modi, to have combined Watts and Modi. The motivation to combine Watts and Modi would be to provide insights and assumptions to accurately make predictions by using contextual data (Modi: Paragraphs 1 and 19).
Watts discloses determining one or more log records and determining a value for an attribute contained in the one or more log records, however, Watts and Modi do not explicitly disclose:
determining that satisfy a particular audit log rule associated with a context attribute;
The Golan reference discloses determining that satisfies a particular audit log rule associated with a context attribute (Golan: Paragraphs 33 and 42 – policy containing rules that cause an audit, such as log an event, authorization based on policy or rule indicating whether auditing is enabled or whether to perform auditing, make entry in audit log if auditing enabled; Paragraphs 4, 18, and 48 – make entry of an authorized operation in the audit log, the entry indicating the request for the operation, authorization to perform the operation, information on the user requesting the authorization to perform operation, authorization associated with user’s context permission to access, authorization based on identity of the user).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, having the teachings of Watts, Modi, and Golan, to have combined Watts, Modi, and Golan. The motivation to combine Watts, Modi, and Golan would be to authorize performing actions by checking applicable rules that authorize the actions (Golan: Paragraph 41).

With respect to claim 2, Watts in view of Modi and in further view of Golan discloses the computer-executed method of claim 1, wherein:
the one or more log records were generated by a particular system of the plurality of systems (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data); and
the one or more additional log records were generated from one or more other systems, of the plurality of systems, other than the particular system (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data).

With respect to claim 3, Watts in view of Modi and in further view of Golan discloses the computer-executed method of claim 2, wherein:
the particular system maintains a database of a first type, and at least one of the one or more other systems maintains a database of a second type (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data); and
the first type is different than the second type (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data).

With respect to claim 4, Watts in view of Modi and in further view of Golan discloses the computer-executed method of claim 1, wherein:
the respective correlation context stored by each system of the plurality of systems includes at least a particular correlation identifier that uniquely identifies the particular operation instance (Watts: Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data); and
the context attribute is one or more of: a common correlation identifier, a common user identifier, a common timestamp, a timestamp within a particular range of timestamps, or a common service identifier (Watts: Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data).

With respect to claim 5, Watts in view of Modi and in further view of Golan discloses the computer-executed method of claim 1, further comprising:
automatically generating particular index data that associates the particular value of the context attribute with both of the one or more log records and the one or more additional log records (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries); and
after receiving the query over the audit log data store, automatically generating the query results based on an index data structure that stores the particular index data (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries).

With respect to claim 6, Watts in view of Modi and in further view of Golan discloses the method of claim 1, wherein:
the one or more log records are published in one or more event streams (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data; Paragraphs 26, 60, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries, extracting from a stream);
an auditor service detects event records from the one or more event streams (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data; Paragraphs 26, 60, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries, extracting from a stream); and
automatically storing the one or more log records into the audit log data store comprises: automatically detecting one or more event records containing the one or more log records (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data; Paragraphs 26, 60, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries, extracting from a stream), and
automatically extracting, from the one or more event records, information for the one or more log records (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data; Paragraphs 26, 60, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries, extracting from a stream); and
storing the one or more log records in the audit log data store based on the extracted information (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data; Paragraphs 26, 60, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries, extracting from a stream).

With respect to claim 7, Watts in view of Modi and in further view of Golan discloses the method of claim 1, wherein:
the respective correlation context stored by each system of the plurality of systems includes at least a particular correlation identifier that uniquely identifies the particular operation instance (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data);
the context attribute is a common correlation identifier (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data); and
the one or more log records record one or more changes were (a) caused by the particular operation instance, and (b) made to a particular database that is maintained by a particular system of the plurality of systems (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data);
the method further comprises:
identifying one or more associated log records, which record changes made to the particular database, and which are associated with the one or more log records (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data),
wherein the one or more associated log records include a particular correlation context for the particular operation instance (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data),
identifying the particular value for the context attribute based on the particular correlation identifier in the particular correlation context (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data).

With respect to claim 8, Watts in view of Modi and in further view of Golan discloses the method of claim 7 wherein the one or more associated log records are associated with the one or more log records based on a common transaction identifier (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data).

With respect to claim 9, Watts in view of Modi and in further view of Golan discloses the method of claim 1 wherein:
the audit log data store is maintained by a database management system (Watts: Paragraphs 400 and 405 – timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Modi: Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data; Golan: Paragraphs 33 and 42 – policy containing rules that cause an audit, such as log an event, authorization based on policy or rule indicating whether auditing is enabled or whether to perform auditing, make entry in audit log if auditing enabled; Paragraphs 26 and 37 and Claim 22 – data store containing policies, including rules in the policies, which can be revoked and set);
a set of rules for the audit log data store, which includes the particular audit log rule, is stored in a rules table maintained by the database management system (Watts: Paragraphs 400 and 405 – timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Modi: Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data; Golan: Paragraphs 33 and 42 – policy containing rules that cause an audit, such as log an event, authorization based on policy or rule indicating whether auditing is enabled or whether to perform auditing, make entry in audit log if auditing enabled; Paragraphs 26 and 37 and Claim 22 – data store containing policies, including rules in the policies, which can be revoked and set);
the method further comprises updating the set of rules for the audit log data store by causing the database management system to update the rules table (Watts: Paragraphs 400 and 405 – timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Modi: Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data; Golan: Paragraphs 33 and 42 – policy containing rules that cause an audit, such as log an event, authorization based on policy or rule indicating whether auditing is enabled or whether to perform auditing, make entry in audit log if auditing enabled; Paragraphs 26 and 37 and Claim 22 – data store containing policies, including rules in the policies, which can be revoked and set).

With respect to claim 10, Watts discloses a computer-executed method, comprising:
causing each system, of a plurality of systems involved in executing a particular operation instance of a particular type of multi-system operation, to generate log records that reflect work done by the respective system as part of executing a respective portion of the particular operation instance (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job);
wherein the work done by each system of the plurality of systems includes storing, as part of its respective portion of the particular operation instance, a respective correlation context associated with the particular operation instance (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; here Watts does not discloses storing context, but the Modi reference discloses the feature, as discussed below);
wherein the respective correlation context stored by each system of the plurality of systems includes at least a particular correlation identifier that uniquely identifies the particular operation instance (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job);
determining that a set of operation log records, all of which are associated with the particular correlation identifier, satisfies a particular audit log rule based on the particular operation instance exhibiting anomalous behavior (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; here Watts discloses determining );
in response to determining that the set of operation log records satisfies the particular audit log rule, automatically storing the set of operation log records into an audit log data store (Watts: Paragraphs 70, 91, and 398 – automated auditing system that logs all activities, automated operations; Paragraph 406 – audit log entry created and stored for event at issue);
receiving, from a user, a query over the audit log data store (Watts: Paragraph 400 – audit log retrieval provides user with search functionality using search parameters); and
returning query results for the query to the user  (Watts: Paragraphs 496 and 498 – returning requested audit log entries by the user);
wherein the method is performed by one or more computing devices (Watts: Paragraphs 49-51 – performed by computing devices).
Watts discloses storing information related to a job/work event including respective correlation information, however, Watts does not explicitly disclose:
wherein the work done includes storing a respective correlation context;
The Modi reference discloses wherein the work done includes storing a respective correlation context (Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 27 and 178 – stored data such as metadata, raw logs and/or extracted parameters used for auditing, contextual data such as information about user job role and work/usage patterns can be stored along with log files as audit logs);
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, having the teachings of Watts and Modi, to have combined Watts and Modi. The motivation to combine Watts and Modi would be to provide insights and assumptions to accurately make predictions by using contextual data (Modi: Paragraphs 1 and 19).
Watts discloses determining one or more log records and determining a value for an attribute contained in the one or more log records, however, Watts and Modi do not explicitly disclose:
determining that satisfies a particular audit log rule based on the particular operation instance exhibiting anomalous behavior;
The Golan reference discloses determining that satisfies a particular audit log rule based on the particular operation instance exhibiting anomalous behavior (Golan: Paragraphs 4, 18, and 48 – make entry of an authorized operation in the audit log, the entry indicating the request for the operation, authorization to perform the operation, information on the user requesting the authorization to perform operation, authorization associated with user’s context permission to access, authorization based on identity of the user; Paragraphs 20, 48, and 65 – building a graph of calls and their parameters, detect anomalies based on abnormal patterns, analyses, or known signatures, audit dangerous operations and make entry in audit log, indicate an anomaly when unknown sequence of calls is encountered, analyzing events from logs to identify unusual activity, previously generated graph represents calls normally issued, detect anomalies from a comparison of current calls and the graph; Paragraphs 33 and 42 – policy containing rules that cause an audit, such as log an event, authorization based on policy or rule indicating whether auditing is enabled or whether to perform auditing, make entry in audit log if auditing enabled).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, having the teachings of Watts, Modi, and Golan, to have combined Watts, Modi, and Golan. The motivation to combine Watts, Modi, and Golan would be to authorize performing actions by checking applicable rules that authorize the actions (Golan: Paragraph 41).

With respect to claim 11, Watts in view of Modi and in further view of Golan discloses the computer-executed method of claim 10, further comprising determining whether the set of operation log records exhibit anomalous behavior by:
generating a call graph for the particular operation instance based, at least in part, on sequence numbers in the set of operation log records (Watts: Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Modi: Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, event data and contextual data stored in a graph database; Golan: Paragraphs 20, 48, and 65 – building a graph of calls and their parameters, detect anomalies based on abnormal patterns, analyses, or known signatures, audit dangerous operations and make entry in audit log, indicate an anomaly when unknown sequence of calls is encountered, analyzing events from logs to identify unusual activity, previously generated graph represents calls normally issued, detect anomalies from a comparison of current calls and the graph); and
comparing the call graph for the particular operation instance to expected call graph features for the particular type of multi-system operation to determine whether the particular operation instance exhibits anomalous behavior (Watts: Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Modi: Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, event data and contextual data stored in a graph database; Golan: Paragraphs 20, 48, and 65 – building a graph of calls and their parameters, detect anomalies based on abnormal patterns, analyses, or known signatures, audit dangerous operations and make entry in audit log, indicate an anomaly when unknown sequence of calls is encountered, analyzing events from logs to identify unusual activity, previously generated graph represents calls normally issued, detect anomalies from a comparison of current calls and the graph).

With respect to claim 12, Watts in view of Modi and in further view of Golan discloses the computer-executed method of claim 10, further comprising:
determining that the particular operation instance is ripe for analysis based, at least in part, on the particular type of the particular operation instance (Watts: Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Modi: Paragraph 178 – audit logs created by various systems recording events such as operations; Golan: Paragraphs 20, 48, and 65 – detect anomalies based on abnormal patterns, analyses, or known signatures, audit dangerous operations and make entry in audit log, indicate an anomaly when unknown sequence of calls is encountered, analyzing events from logs to identify unusual activity, previously generated graph represents calls normally issued, detect anomalies from a comparison of current calls and the graph);
wherein determining that the set of operation log records satisfies the particular audit log rule is performed in response to determining that the particular operation instance is ripe for analysis (Watts: Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Modi: Paragraph 178 – audit logs created by various systems recording events such as operations; Golan: Paragraphs 20, 48, and 65 – detect anomalies based on abnormal patterns, analyses, or known signatures, audit dangerous operations and make entry in audit log, indicate an anomaly when unknown sequence of calls is encountered, analyzing events from logs to identify unusual activity, previously generated graph represents calls normally issued, detect anomalies from a comparison of current calls and the graph; Paragraphs 33 and 42 – policy containing rules that cause an audit, such as log an event, authorization based on policy or rule indicating whether auditing is enabled or whether to perform auditing).

With respect to claim 13, Watts in view of Modi and in further view of Golan discloses the computer-executed method of claim 10, wherein:
the particular audit log rule is associated with a context attribute (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data);
the method further comprises: determining a particular value, for the context attribute, contained in the set of operation log records (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data), 
identifying one or more additional log records that are associated with the particular value for the context attribute (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data), and
automatically storing the one or more additional log records in the audit log data store (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data).

With respect to claim 14, Watts in view of Modi and in further view of Golan discloses the computer-executed method of claim 10, wherein the set of operation log records were generated by two or more systems of the plurality of systems (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data).

With respect to claim 15, Watts discloses one or more non-transitory computer-readable media storing instructions which, when executed by one or more processors  (Watts: Paragraphs 49-51), cause:
causing each system, of a plurality of systems involved in executing a particular operation instance of a particular type of multi-system operation, to generate log records that reflect work done by the respective system as part of executing a respective portion of the particular operation instance (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job);
wherein the work done by each system of the plurality of systems includes storing, as part of its respective portion of the particular operation instance, a respective correlation context associated with the particular operation instance (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; here Watts does not disclose storing context, but the Modi reference discloses the feature, as discussed below);
determining that one or more log records, generated by one or more of the plurality of systems, satisfy a particular audit log rule associated with a context attribute (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; here Watts does not discloses determining satisfying a particular audit log rule associated with a context attribute, but the Golan reference discloses the feature, as discussed below);
in response to determining that the one or more log records satisfy the particular audit log rule (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; here Watts does not discloses determining satisfying a particular audit log rule, but the Golan reference discloses the feature, as discussed below):
determining a particular value, for the context attribute, contained in the one or more log records (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; here Watts does not disclose context, but the Modi reference discloses the feature, as discussed below);
automatically storing the one or more log records into an audit log data store (Watts: Paragraphs 70, 91, and 398 – automated auditing system that logs all activities, automated operations; Paragraph 406 – audit log entry created and stored for event at issue),
identifying one or more additional log records that are associated with the particular value for the context attribute (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored), and
automatically storing the one or more additional log records in the audit log data store (Watts: Paragraph 398 – automated auditing system that logs all activities; Paragraph 406 – audit log entry created and stored for event at issue);
receiving, from a user, a query over the audit log data store (Watts: Paragraph 400 – audit log retrieval provides user with search functionality using search parameters); and
returning query results for the query to the user (Watts: Paragraphs 496 and 498 – returning requested audit log entries by the user).
Watts discloses storing information related to a job/work event including respective correlation information, however, Watts does not explicitly disclose:
wherein the work done includes storing a respective correlation context;
The Modi reference discloses wherein the work done includes storing a respective correlation context (Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 27 and 178 – stored data such as metadata, raw logs and/or extracted parameters used for auditing, contextual data such as information about user job role and work/usage patterns can be stored along with log files as audit logs);
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, having the teachings of Watts and Modi, to have combined Watts and Modi. The motivation to combine Watts and Modi would be to provide insights and assumptions to accurately make predictions by using contextual data (Modi: Paragraphs 1 and 19).
Watts discloses determining one or more log records and determining a value for an attribute contained in the one or more log records, however, Watts and Modi do not explicitly disclose:
determining that satisfy a particular audit log rule associated with a context attribute;
The Golan reference discloses determining that satisfies a particular audit log rule associated with a context attribute (Golan: Paragraphs 33 and 42 – policy containing rules that cause an audit, such as log an event, authorization based on policy or rule indicating whether auditing is enabled or whether to perform auditing, make entry in audit log if auditing enabled; Paragraphs 4, 18, and 48 – make entry of an authorized operation in the audit log, the entry indicating the request for the operation, authorization to perform the operation, information on the user requesting the authorization to perform operation, authorization associated with user’s context permission to access, authorization based on identity of the user).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, having the teachings of Watts, Modi, and Golan, to have combined Watts, Modi, and Golan. The motivation to combine Watts, Modi, and Golan would be to authorize performing actions by checking applicable rules that authorize the actions (Golan: Paragraph 41).

With respect to claim 16, Watts in view of Modi and in further view of Golan discloses the non-transitory computer-readable media of claim 15, wherein:
the one or more log records were generated by a particular system of the plurality of systems (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data); and
the one or more additional log records were generated from one or more other systems, of the plurality of systems, other than the particular system (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data).

With respect to claim 17, Watts in view of Modi and in further view of Golan discloses the non-transitory computer-readable media of claim 16, wherein:
the particular system maintains a database of a first type, and at least one of the one or more other systems maintains a database of a second type (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data); and
the first type is different than the second type (Watts: Paragraphs 6 and 94 – creating audit logs for different systems such as fax system and imaging system, different database storing data for different systems; Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module; Paragraphs 312 and 399 – various systems store event and information logs; Modi: Paragraph 168 – data store comprise a number of databases with different properties to suit various types of data).

With respect to claim 18, Watts in view of Modi and in further view of Golan discloses the non-transitory computer-readable media of claim 15, wherein:
the respective correlation context stored by each system of the plurality of systems includes at least a particular correlation identifier that uniquely identifies the particular operation instance (Watts: Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data); and
the context attribute is one or more of: a common correlation identifier, a common user identifier, a common timestamp, a timestamp within a particular range of timestamps, or a common service identifier (Watts: Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, storing event data and contextual data).

With respect to claim 19, Watts in view of Modi and in further view of Golan discloses the non-transitory computer-readable media of claim 15, wherein the instructions further comprise instructions which, when executed by one or more processors, cause:
automatically generating particular index data that associates the particular value of the context attribute with both of the one or more log records and the one or more additional log records (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries); and
after receiving the query over the audit log data store, automatically generating the query results based on an index data structure that stores the particular index data (Watts: Paragraphs 400 and 405 – search audit logs using time range, date range, user range, and/or event type, timestamp and unique audit id created for audit log entries and stored in database table where audit log entries are stored; Paragraphs 496 and 498 – returning requested audit log entries; Modi: Paragraphs 26, 95, 199, and 205 – storing metadata and/or relevant parameters in an index/search-engine database, parameters extracted from log files and saved in index database, request data from index database and use it update data in response to queries).

With respect to claim 20, Watts discloses one or more non-transitory computer-readable media storing instructions which, when executed by one or more processors  (Watts: Paragraphs 49-51 – performed by computing devices), cause:
causing each system, of a plurality of systems involved in executing a particular operation instance of a particular type of multi-system operation, to generate log records that reflect work done by the respective system as part of executing a respective portion of the particular operation instance (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job);
wherein the work done by each system of the plurality of systems includes storing, as part of its respective portion of the particular operation instance, a respective correlation context associated with the particular operation instance (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; here Watts does not discloses storing context, but the Modi reference discloses the feature, as discussed below);
wherein the respective correlation context stored by each system of the plurality of systems includes at least a particular correlation identifier that uniquely identifies the particular operation instance (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job);
determining that a set of operation log records, all of which are associated with the particular correlation identifier, satisfies a particular audit log rule based on the particular operation instance exhibiting anomalous behavior (Watts: Paragraphs 8 and 45 – information regarding events associated with various types of systems is logged and is received by a centralized audit logging module, audit logging determines specific parameters within the systems to log to an audit log, various reporting entities provide information such as session data and job identifier, using the provided information to retrieve additional information to generate audit log entries; Paragraphs 312 and 399 – various systems store event and information logs; Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; here Watts discloses determining );
in response to determining that the set of operation log records satisfies the particular audit log rule, automatically storing the set of operation log records into an audit log data store (Watts: Paragraphs 70, 91, and 398 – automated auditing system that logs all activities, automated operations; Paragraph 406 – audit log entry created and stored for event at issue);
receiving, from a user, a query over the audit log data store (Watts: Paragraph 400 – audit log retrieval provides user with search functionality using search parameters); and
returning query results for the query to the user  (Watts: Paragraphs 496 and 498 – returning requested audit log entries by the user).
Watts discloses storing information related to a job/work event including respective correlation information, however, Watts does not explicitly disclose:
wherein the work done includes storing a respective correlation context;
The Modi reference discloses wherein the work done includes storing a respective correlation context (Modi: Paragraphs 18-20 and 86 – storing contextual data related to user interaction event and user identity, action, object involved in said event, and other data that is contextually relevant, identify additional parameters by referencing to contextual data, contextual data comprises identity data, job roles, profiles, ratings, patterns, permissibilities, and/or times and dates of events; Paragraphs 27 and 178 – stored data such as metadata, raw logs and/or extracted parameters used for auditing, contextual data such as information about user job role and work/usage patterns can be stored along with log files as audit logs);
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, having the teachings of Watts and Modi, to have combined Watts and Modi. The motivation to combine Watts and Modi would be to provide insights and assumptions to accurately make predictions by using contextual data (Modi: Paragraphs 1 and 19).
Watts discloses determining one or more log records and determining a value for an attribute contained in the one or more log records, however, Watts and Modi do not explicitly disclose:
determining that satisfies a particular audit log rule based on the particular operation instance exhibiting anomalous behavior;
The Golan reference discloses determining that satisfies a particular audit log rule based on the particular operation instance exhibiting anomalous behavior (Golan: Paragraphs 4, 18, and 48 – make entry of an authorized operation in the audit log, the entry indicating the request for the operation, authorization to perform the operation, information on the user requesting the authorization to perform operation, authorization associated with user’s context permission to access, authorization based on identity of the user; Paragraphs 20, 48, and 65 – building a graph of calls and their parameters, detect anomalies based on abnormal patterns, analyses, or known signatures, audit dangerous operations and make entry in audit log, indicate an anomaly when unknown sequence of calls is encountered, analyzing events from logs to identify unusual activity, previously generated graph represents calls normally issued, detect anomalies from a comparison of current calls and the graph; Paragraphs 33 and 42 – policy containing rules that cause an audit, such as log an event, authorization based on policy or rule indicating whether auditing is enabled or whether to perform auditing, make entry in audit log if auditing enabled).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, having the teachings of Watts, Modi, and Golan, to have combined Watts, Modi, and Golan. The motivation to combine Watts, Modi, and Golan would be to authorize performing actions by checking applicable rules that authorize the actions (Golan: Paragraph 41).

With respect to claim 21, Watts in view of Modi and in further view of Golan discloses the non-transitory computer-readable media of claim 20, wherein the instructions further comprise instructions which, when executed by one or more processors, cause determining whether the set of operation log records exhibit anomalous behavior by:
generating a call graph for the particular operation instance based, at least in part, on sequence numbers in the set of operation log records (Watts: Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Modi: Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, event data and contextual data stored in a graph database; Golan: Paragraphs 20, 48, and 65 – building a graph of calls and their parameters, detect anomalies based on abnormal patterns, analyses, or known signatures, audit dangerous operations and make entry in audit log, indicate an anomaly when unknown sequence of calls is encountered, analyzing events from logs to identify unusual activity, previously generated graph represents calls normally issued, detect anomalies from a comparison of current calls and the graph); and
comparing the call graph for the particular operation instance to expected call graph features for the particular type of multi-system operation to determine whether the particular operation instance exhibits anomalous behavior (Watts: Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Modi: Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, event data and contextual data stored in a graph database; Golan: Paragraphs 20, 48, and 65 – building a graph of calls and their parameters, detect anomalies based on abnormal patterns, analyses, or known signatures, audit dangerous operations and make entry in audit log, indicate an anomaly when unknown sequence of calls is encountered, analyzing events from logs to identify unusual activity, previously generated graph represents calls normally issued, detect anomalies from a comparison of current calls and the graph).

With respect to claim 22, Watts in view of Modi and in further view of Golan discloses the non-transitory computer-readable media of claim 20, wherein the instructions further comprise instructions which, when executed by one or more processors, cause:
determining that the particular operation instance is ripe for analysis based, at least in part, on the particular type of the particular operation instance (Watts: Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Modi: Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, event data and contextual data stored in a graph database; Golan: Paragraphs 20, 48,  and 65 – detect anomalies based on abnormal patterns, analyses, or known signatures, audit dangerous operations and make entry in audit log, indicate an anomaly when unknown sequence of calls is encountered, analyzing events from logs to identify unusual activity, previously generated graph represents calls normally issued, detect anomalies from a comparison of current calls and the graph);
wherein determining that the set of operation log records satisfies the particular audit log rule is performed in response to determining that the particular operation instance is ripe for analysis (Watts: Paragraphs 403 and 508 – event logging by determining operation id of event being logged, audit log entries include information on operation and job; Modi: Paragraphs 93 and 178 – audit logs created by various systems recording events such as operations, event data and contextual data stored in a graph database; Golan: Paragraphs 20, 48, and 65 – detect anomalies based on abnormal patterns, analyses, or known signatures, audit dangerous operations and make entry in audit log, indicate an anomaly when unknown sequence of calls is encountered, analyzing events from logs to identify unusual activity, previously generated graph represents calls normally issued, detect anomalies from a comparison of current calls and the graph; Paragraphs 33 and 42 – policy containing rules that cause an audit, such as log an event, authorization based on policy or rule indicating whether auditing is enabled or whether to perform auditing).

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to REZWANUL MAHMOOD whose telephone number is (571)272-5625.  The examiner can normally be reached on M-F 8:30-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashish Thomas can be reached on 571-272-0631.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/R.M/Examiner, Art Unit 2164                                                                                                                                                                                                        
August 13, 2021

/ASHISH THOMAS/Supervisory Patent Examiner, Art Unit 2164