Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

1.        Claims 23 - 42 are pending. Claims 1 - 22 have been canceled. Claims 23, 31 and 39 are independent.
2.        This action is responsive to the application papers filed on 11-21-2019.

Claim Rejections - 35 USC § 102  

3.        The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless -
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

4.        Claims 23 - 26, 28, 30 - 34, 36, 38 - 42 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Sakamoto et al. (US PGPUB No. 20050203881).

Regarding Claims 23, 31 and 39, Sakamoto discloses a method, an apparatus, and a tangible, non-transitory, computer-readable medium storing program instructions that cause a device in communication with an enterprise computing environment to execute a process, the method, the apparatus, and the computer-readable medium comprising:

b)  determining, by the UBA module, that one or more events in the event log data satisfy a policy, the policy indicative of behavior of at least one user in the enterprise computing environment; (see Sakamoto paragraph [0006], lines 17-20: suspicious activities that deviate from the normal usage pattern are detected; paragraph [0029], lines 1-6: determine if the new set of data violates a rules-based policy; if rules-based policy is violated then the new data set represents anomalous activity) and
c)  applying, by the UBA module, a response action in the enterprise computing environment based on the event log data satisfying the policy. (see Sakamoto paragraph [0006], lines 17-20: suspicious activities that deviate from the normal usage pattern are detected and targeted operations such as an alert, generating reports, and/or email alerts are performed)    

Furthermore, for Claim 31, Sakamoto discloses one or more network interfaces to communicate with an enterprise computing environment; a processor 

Regarding Claims 24, 32 and 40, Sakamoto discloses the method of claim 23, the apparatus of claim 31 and the tangible, non-transitory, computer-readable medium of claim 39, further comprising: enriching, by the UBA module, the event log data by adding additional layers of data on raw data collected in data streams. (see Sakamoto paragraph [0042], lines 11-14: based upon a comparison of new data with behavioral patterns determined from historical data, determining whether the new data represents anomalous activity; paragraph [0044], lines 13-24: the data collector reads the audit trail (i.e. event log data) and obtains dynamic performance views as historical data; (adding historical data to newly collected event log data))

Regarding Claims 25, 33, 41, Sakamoto discloses the method of claim 23 and the apparatus of claim 31 and the tangible, non-transitory, computer-readable medium of claim 39, wherein the event log data comprises an event log source, information indicating a frequency as to when the event log data is collected, an indicator as to whether or not and for how long the event log data is to be retained at the source of the event log data, an event log level of detail, a data volume, or an event type. (see 

Regarding Claims 26, 34, 42, Sakamoto discloses the method of claim 23 and the apparatus of claim 31 and the tangible, non-transitory, computer-readable medium of claim 39, wherein the policy is configured to detect at least one of a new location, activity from a new device, activity from irregular locations, anomalies in sequences of events, anomalies in event frequency, or access from suspicious internet protocol (IP) addresses in the event log data. (see Sakamoto paragraph [0095], lines 9-11: rules indicate that user WANI can only access object HR.EMP from location WLINUX (user can access system object only from a particular location); (selected: detecting at least one of a new location; activity from irregular locations))    
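The following is an added illustration, not code from the application under examination, from Sakamoto, or from Mahaffey. It shows, in Python, the claim 23 steps of determining that events in event log data satisfy a policy and applying a response action, using the policy categories recited in claims 26, 34 and 42 (new location, new device, suspicious IP address, anomalies in event frequency). The event records, per-user baseline, suspicious network list, thresholds and the mapping from rule to response action are all constructed assumptions for the example.

```python
"""Added example: a minimal UBA policy check over constructed event log data.

Not code from the examined application or from the Sakamoto/Mahaffey
references. Events, baseline, blocklist, thresholds and response mapping
below are constructed for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed event log data: one record per event observed in the enterprise environment.
EVENTS = [
    {"ts": "2021-08-16T12:00:00", "user": "wani", "ip": "10.0.0.5",     "location": "wlinux", "device": "lap-01"},
    {"ts": "2021-08-16T12:05:00", "user": "wani", "ip": "10.0.0.5",     "location": "wlinux", "device": "lap-01"},
    {"ts": "2021-08-16T12:07:00", "user": "wani", "ip": "198.51.100.9", "location": "remote", "device": "lap-01"},
    {"ts": "2021-08-16T12:08:00", "user": "bob",  "ip": "10.0.0.7",     "location": "wlinux", "device": "lap-02"},
    {"ts": "2021-08-16T12:08:01", "user": "bob",  "ip": "10.0.0.7",     "location": "wlinux", "device": "lap-02"},
    {"ts": "2021-08-16T12:08:02", "user": "bob",  "ip": "10.0.0.7",     "location": "wlinux", "device": "lap-02"},
    {"ts": "2021-08-16T12:08:03", "user": "bob",  "ip": "10.0.0.7",     "location": "wlinux", "device": "lap-02"},
    {"ts": "2021-08-16T12:30:00", "user": "bob",  "ip": "10.0.0.7",     "location": "wlinux", "device": "tab-09"},
]

# Constructed per-user baseline of known locations and devices (the "normal usage pattern").
BASELINE = {
    "wani": {"locations": {"wlinux"}, "devices": {"lap-01"}},
    "bob":  {"locations": {"wlinux"}, "devices": {"lap-02"}},
}

# Constructed list of suspicious networks (assumed blocklist, documentation range).
SUSPICIOUS_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed frequency policy: more than FREQ_LIMIT events per user inside FREQ_WINDOW is anomalous.
FREQ_LIMIT = 3
FREQ_WINDOW = timedelta(seconds=10)

# Assumed mapping from policy rule to response action.
RESPONSE = {
    "new_location": "alert",
    "new_device": "alert",
    "frequency_anomaly": "alert",
    "suspicious_ip": "disable_user_access",
}
SEVERITY = {"alert": 1, "disable_user_access": 2}


def evaluate(events, baseline=BASELINE):
    """Return (user, rule, event_index) for each event that satisfies a policy rule."""
    findings = []
    recent = defaultdict(deque)  # per-user sliding window of recent event timestamps
    for i, ev in enumerate(events):
        user = ev["user"]
        known = baseline.get(user, {"locations": set(), "devices": set()})
        ts = datetime.fromisoformat(ev["ts"])

        if ev["location"] not in known["locations"]:
            findings.append((user, "new_location", i))
        if ev["device"] not in known["devices"]:
            findings.append((user, "new_device", i))

        addr = ipaddress.ip_address(ev["ip"])
        if any(addr in net for net in SUSPICIOUS_NETWORKS):
            findings.append((user, "suspicious_ip", i))

        window = recent[user]
        window.append(ts)
        while window and ts - window[0] > FREQ_WINDOW:
            window.popleft()  # drop events that fell out of the window
        if len(window) > FREQ_LIMIT:
            findings.append((user, "frequency_anomaly", i))
    return findings


def respond(findings):
    """Map each flagged user to the most severe response action its findings call for."""
    actions = {}
    for user, rule, _ in findings:
        action = RESPONSE[rule]
        if SEVERITY[action] > SEVERITY.get(actions.get(user), 0):
            actions[user] = action
    return actions


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for f in found:
        print(f)
    print(respond(found))
```

Run as a script, the block reports the remote login from the suspicious range for user wani, the burst of four events in three seconds and the unseen device for user bob, and selects disable_user_access for wani and alert for bob.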

Regarding Claims 28 and 36, Sakamoto discloses the method of claim 23 and the apparatus of claim 31, wherein the policy is configured to identify access of at least one account associated with the enterprise computing environment as bot and/or malware access. (see Sakamoto paragraph [0006], lines 17-20: suspicious activities that deviate from the normal usage pattern are detected, and targeted operations such as generating an alert, generating reports, and/or generating email alerts are performed)

Regarding Claims 30, 38, Sakamoto discloses the method of claim 23 and the apparatus of claim 31, further comprising: providing, by the UBA module, a threat     

Claim Rejections - 35 USC § 103  

5.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

6.        Claims 27, 29, 35, 37 are rejected under 35 U.S.C. 103 as being unpatentable over Sakamoto in view of Mahaffey et al. (US PGPUB No. 20150128205).     

Regarding Claims 27, 35, Sakamoto discloses the method of claim 23 and the apparatus of claim 31.  
Sakamoto does not specifically disclose policy configured to identify information in event log data as sensitive content of an organization. 
However, Mahaffey discloses wherein the policy is configured to identify information in the event log data as sensitive content of an organization associated with the enterprise computing environment. (see Mahaffey paragraph [0182], lines 1-7: if user is accessing 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Sakamoto with a policy configured to identify information in the event log data as sensitive content of an organization, as taught by Mahaffey. One of ordinary skill in the art would have been motivated to employ the teachings of Mahaffey for the benefit of a system capable of making a network connection more secure, or of associating a required level of security with the content data carried over a particular network connection. (see Mahaffey paragraph [0005], lines 5-10)

Regarding Claims 29, 37, Sakamoto discloses the method of claim 23 and the apparatus of claim 31. 
Sakamoto does not specifically disclose that the response action comprises at least one of a password reset action, a disable user access action, or end user compromise validation.
However, Mahaffey discloses wherein the response action comprises at least one of a password reset action, a disable user access action, or end user compromise validation. (see Mahaffey paragraph [0260], lines 4-10: in response to detecting an attempt to connect to a malicious computing system, the user of the mobile computing device is informed that all connections (i.e. network connections) have been stopped or disabled; (selected: disable user access action))
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Sakamoto for response action comprises 

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032. The examiner can normally be reached at work 12-9PM (most days).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  

/CJ/
August 16, 2021

/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436