DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-31 are rejected in the Instant Application.

Priority
Examiner acknowledges Applicant’s claim to priority benefits of provisional patent application 62/799704 filed 01/31/2019.


Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 07/07/2020 is/are in compliance 


Double Patenting
A rejection based on double patenting of the “same invention” type finds its support in the language of 35 U.S.C. 101 which states that “whoever invents or discovers any new and useful process... may obtain a patent therefor...” (Emphasis added). Thus, the term “same invention,” in this context, means an invention drawn to identical subject matter. See Miller v. Eagle Mfg. Co., 151 U.S. 186 (1894); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957).

A statutory type (35 U.S.C. 101) double patenting rejection can be overcome by canceling or amending the claims that are directed to the same invention so they are no longer coextensive in scope. The filing of a terminal disclaimer cannot overcome a double patenting rejection based upon 35 U.S.C. 101.

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online 

Claims 1-31 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-29 of U.S. Patent No. US10708123B1. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims point to the same subject matter at hand and further utilize almost identical limitations which would read on one another. Examiner suggests filing a terminal disclaimer. 


Instant Application
U.S. Patent No. US10708123B1
Claim 1: A framework for security information and event management (SIEM), the framework comprising: 
A) a first data store; a data router; one or more parsing mechanisms; one or more correlation machines; and one or more workflow engines,
B) wherein said framework performs SIEM on behalf of multiple subscribers to said framework, and 
C) wherein said first data store is constructed and adapted to store encrypted, 
D) wherein said data router is constructed and adapted to notify said one or more parsing mechanisms that encrypted, compressed log data are present on said first data store; and 
E) wherein said one or more parsing mechanisms are constructed and adapted to obtain encrypted, compressed log data from said first data store and to decrypt, decompress, and normalize said log data and to store decrypted, decompressed, and normalized log data in a second data store, and
F) wherein said one or more parsing mechanisms are further constructed and adapted to notify said data router that decrypted, decompressed, and normalized log data are present in said second store, and
G) [Docket No. 0672-US-C1] wherein said data router is further constructed and adapted to inform said one or more correlation machines that decrypted,
H) wherein said one or more correlations machines are constructed and adapted: to obtain decrypted, decompressed, and normalized log data in said second store, and to apply one or more correlation rules to said decrypted, decompressed, and normalized log data obtained from said second data store to determine one or more correlations, and to put information about said one or more correlations on a correlations queue; and
I) wherein said one or more workflow engines are constructed and adapted to obtain said information about said one or more correlations from said correlations queue and to determine ticket information based on said information about said one or more correlations, and to provide said ticket information to a subscriber of said multiple subscribers.
Claim 9: J) The framework of claim 1, wherein said data router informs said one or more correlation machines of decrypted, decompressed, and normalized log data present in said second store, based on subscriber-specific criteria.


A) a first data store; a data router; one or more parsing mechanisms; one or more correlation machines; and one or more workflow engines, 
B) wherein said framework performs SIEM on behalf of multiple subscribers to said framework, and 

D) wherein said data router is constructed and adapted to notify said one or more parsing mechanisms that encrypted, compressed log data are present on said first data store; and
E) wherein said one or more parsing mechanisms are constructed and adapted to obtain encrypted, compressed log data from said first data store and to decrypt, decompress, and normalize said log data and to store decrypted, decompressed, and normalized log data in a second data store, and
F) wherein said one or more parsing mechanisms are further constructed and adapted to notify said data router that 
G) wherein said data router is further constructed and adapted to inform said one or more correlation machines that decrypted, decompressed, and normalized log data are present in said second store, and
H) wherein said one or more correlations machines are constructed and adapted: to obtain decrypted, decompressed, and normalized log data in said second store, and to apply one or more correlation rules to said decrypted, decompressed, and normalized log data obtained from said second data store to determine one or more correlations, and to put information about said one or more correlations on a correlations queue; and
I) wherein said one or more workflow engines are constructed and adapted to obtain said information about said one or more 
J) wherein said data router informs said one or more correlation machines of decrypted, decompressed, and normalized log data present in said second store, based on subscriber-specific criteria.

Claim 2: The framework of claim 1, wherein the data router notifies said one or more parsing mechanisms that data are present on said first data store by putting a message on a parse queue.  

2. The framework of claim 1, wherein the data router notifies said one or more parsing mechanisms that data are present on said first data store by putting a message on a parse queue.

Claim 3: The framework of claim 2, wherein the message comprises a Simple Notification Service (SNS) message on the parse queue.



Claim 4: The framework of claim 1, wherein the data router informs said one or more correlation machines that decrypted, decompressed, and normalized log data are present in said second store by putting a message on a parsed queue.

4. The framework of claim 1, wherein the data router informs said one or more correlation machines that decrypted, decompressed, and normalized log data are present in said second store by putting a message on a parsed queue.

	Claim 5: The framework of claim 4, wherein the parsed message comprises a Simple Notification Service (SNS) message on the parsed queue.  

5. The framework of claim 4, wherein the parsed message comprises a Simple Notification Service (SNS) message on the parsed queue.

Claim 6: The framework of claim 1, wherein the first data obtains encrypted, compressed log data obtained from one or more log collection appliances (LCAs) associated with said multiple subscribers.

6. The framework of claim 1, wherein the first data obtains encrypted, compressed log data obtained from one or more log collection appliances (LCAs) associated with said multiple subscribers.

Claim 7:  The framework of claim 6, wherein each particular LCA is associated with a corresponding particular subscriber of said multiple subscribers.  



Claim 8:  The framework of claim 1, wherein said first data store is constructed and adapted to store data for each subscriber separately from data from each other subscriber.  

8. The framework of claim 1, wherein said first data store is constructed and adapted to store data for each subscriber separately from data from each other subscriber.

Claim 10: The framework of claim 1, wherein the one or more correlation machines include at least one subscriber-dedicated correlation machine.

9. The framework of claim 1, wherein the one or more correlation machines include at least one subscriber-dedicated correlation machine.

Claim 11:  The framework of claim 1, wherein each subscriber has a corresponding correlation machine.  

10. The framework of claim 1, wherein each subscriber has a corresponding correlation machine.

Claim 12: The framework of claim 1, wherein the one or more workflow engines determine said ticket information based on said information about said one or more correlations, and on other information.

11. The framework of claim 1, wherein the one or more workflow engines determine said ticket information based on said information about said one or more correlations, and on other information.

Claim 13: The framework of claim 12, wherein the other information comprises information from said second data store and/or information from one or more external systems.  

12. The framework of claim 11, wherein the other information comprises information from said second data store and/or information from one or more external systems.

Claim 14:  The framework of claim 1, wherein said ticket information is used to generate and/or cause automated intervention at the subscriber.  

13. The framework of claim 1, wherein said ticket information is used to generate and/or cause automated intervention at the subscriber.

Claim 15: The framework of claim 14, wherein said intervention is provided using one or more APIs on devices on the subscriber's network.

14. The framework of claim 13, wherein said intervention is provided using one or more APIs on devices on the subscriber's network.

Claim 16: A method operable in a framework for security information and event management (SIEM), said framework supporting SIEM on behalf of multiple subscribers to said framework, the framework having: a first data store; a data router; one or more parsing mechanisms; one or more
wherein the method comprises: 
storing, in said first data, encrypted, compressed log data obtained from at least some of said multiple subscribers; 
said data router notifying said one or more parsing mechanisms that encrypted, compressed log data are present on said first data store;
said one or more parsing mechanisms obtaining encrypted, compressed log data from said first data store and decrypting, decompressing, and normalizing said log data and storing decrypted, decompressed, and normalized log data in a second data store,
said one or more parsing mechanisms notifying said data router that decrypted, decompressed, and normalized log data are present in said second store, and 
said data router informing said one or more correlation machines that decrypted,
said one or more correlations machines: obtaining decrypted, decompressed, and normalized log data in said second store, and applying one or more correlation rules to said decrypted, decompressed, and normalized log data obtained from said second data store to determine one or more correlations, and putting information about said one or more correlations on a correlations queue; and
said one or more workflow engines obtaining said information about said one or more correlations from said correlations queue and determining ticket information based on said information about said one or more correlations, and providing said ticket information to a subscriber of said multiple subscribers.
Claim 24:  The method of claim 16, wherein said data router informs said one or more correlation machines of decrypted, 


wherein the method comprises:
storing, in said first data, encrypted, compressed log data obtained from at least some of said multiple subscribers;
said data router notifying said one or more parsing mechanisms that encrypted, compressed log data are present on said first data store;
said one or more parsing mechanisms obtaining encrypted, compressed log data from said first data store and decrypting, decompressing, and normalizing said log data and storing decrypted, decompressed, and normalized log data in a second data store,
said one or more parsing mechanisms notifying said data router that decrypted, decompressed, and normalized log data are present in said second store, and
said data router informing said one or more correlation machines that decrypted, decompressed, and normalized log data are present in said second store, and
said one or more correlations machines: obtaining decrypted, decompressed, and normalized log data in said second store, and applying one or more correlation rules to said decrypted, decompressed, and normalized log data obtained from said second data store to determine one or more correlations, and putting information about said one or more correlations on a correlations queue; and
said one or more workflow engines obtaining said information about said one or more correlations from said correlations queue and determining ticket information based on said information about said one or more correlations, and providing said ticket information to a subscriber of said multiple subscribers, and
wherein said data router informs said one or more correlation machines of decrypted, decompressed, and normalized log data present in said second store, based on subscriber-specific criteria.

Claim 17: The method of claim 16, wherein the data router notifies said one or more parsing mechanisms that data are present on said first data store by putting a message on a parse queue.

16. The method of claim 15, wherein the data router notifies said one or more parsing mechanisms that data are present on said first data store by putting a message on a parse queue.

Claim 18:  The method of claim 17, wherein the message comprises a Simple Notification Service (SNS) message on the parse queue.  

	17. The method of claim 16, wherein the message comprises a Simple Notification Service (SNS) message on the parse queue.

Claim 19: The method of claim 16, wherein the data router informs said one or more correlation machines that decrypted, decompressed, and normalized log data are present in said second store by putting a message on a parsed queue.

18. The method of claim 15, wherein the data router informs said one or more correlation machines that decrypted, decompressed, and normalized log data are present in said second store by putting a message on a parsed queue.


Claim 20:  The method of claim 19, wherein the parsed message comprises a Simple Notification Service (SNS) message on the parsed queue.  

19. The method of claim 18, wherein the parsed message comprises a Simple Notification Service (SNS) message on the parsed queue.

Claim 21: The method of claim 16, wherein the first data obtains encrypted, compressed log data obtained from one or more log collection appliances (LCAs) associated with said multiple subscribers.

20. The method of claim 15, wherein the first data obtains encrypted, compressed log data obtained from one or more log collection appliances (LCAs) associated with said multiple subscribers.

Claim 22: The method of claim 21, wherein each particular LCA is associated with a corresponding particular subscriber of said multiple subscribers.

21. The method of claim 20, wherein each particular LCA is associated with a corresponding particular subscriber of said multiple subscribers.

Claim 23:  The method of claim 16, wherein said first data store is constructed and adapted to store data for each subscriber separately from data from each other subscriber.  

22. The method of claim 15, wherein said first data store is constructed and adapted to store data for each subscriber separately from data from each other subscriber.

Claim 25: The method of claim 16, wherein the one or more correlation machines include at least one subscriber-dedicated correlation machine.

23. The method of claim 15, wherein the one or more correlation machines include at least one subscriber-dedicated correlation machine.

Claim 26: The method of claim 16, wherein each subscriber has a corresponding correlation machine.

24. The method of claim 15, wherein each subscriber has a corresponding correlation machine.

Claim 27:  The method of claim 16, wherein the one or more workflow engines determine said ticket information based on said information about said one or more correlations, and on other information.  

25. The method of claim 15, wherein the one or more workflow engines determine said ticket information based on said information about said one or more correlations, and on other information.

Claim 28: The method of claim 27, wherein the other information comprises information from said second data store and/or information from one or more external systems.

26. The method of claim 25, wherein the other information comprises information from said second data store and/or information from one or more external systems.

Claim 29:  The method of claim 16, wherein said ticket information is used to 



Claim 30:  The method of claim 29, wherein said intervention is provided using one or more APIs on devices on the subscriber's network.  

28. The method of claim 27, wherein said intervention is provided using one or more APIs on devices on the subscriber's network.

Claim 31: A non-transitory computer-readable medium with one or more computer programs stored therein that, when executed by one or more processors of a device, cause the one or more processors to perform the operations of the method of claim 16. [See claim 16 mapping]

29. A non-transitory computer-readable medium with one or more computer programs stored therein that, when executed by one or more processors of a device, cause the one or more processors to perform the operations of a method operable in a framework for security information and event management (SIEM), said framework supporting SIEM on behalf of multiple subscribers to said framework, the framework having: a first data store; a data router; one or more parsing mechanisms; one or more correlation machines; and one or more workflow engines,
wherein the method comprises:
storing, in said first data, encrypted, compressed log data obtained from at least some of said multiple subscribers;
said data router notifying said one or more parsing mechanisms that encrypted, compressed log data are present on said first data store;
said one or more parsing mechanisms obtaining encrypted, compressed log data from said first data store and decrypting, decompressing, and normalizing said log data and storing decrypted, decompressed, and normalized log data in a second data store,
said one or more parsing mechanisms notifying said data router that decrypted, decompressed, and normalized log data are present in said second store, and
said data router informing said one or more correlation machines that decrypted, decompressed, and normalized log data are present in said second store, and
said one or more correlations machines: obtaining decrypted, decompressed, and normalized log data in said second store, and applying one or more correlation rules to said decrypted, decompressed, and normalized log data obtained from said second data store to determine one or more correlations, and putting information about said one or more correlations on a correlations queue; and
said one or more workflow engines obtaining said information about said one or more correlations from said correlations queue and determining ticket information based on said information about said one or more correlations, and providing said ticket information to a subscriber of said multiple subscribers, and
wherein said data router informs said one or more correlation machines of decrypted, decompressed, and normalized log data present in said second store, based on subscriber-specific criteria.



	



Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
As per claim 1, the language is drawn to a computer program which is neither executed by a computer, nor stored on a physical structure.  
Claims not specifically mentioned are rejected by virtue of dependency and because they do not obviate the above-recited deficiencies.



Conclusion
References are cited not only for their quoted language but for all that they teach.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Atta Khan whose telephone number is 571-270-7364.  The examiner can normally be reached on M-F 09:00-6:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571) 272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/ATTA KHAN/
Examiner, Art Unit 2449