DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claims 1-7 are objected to because of the following informalities:
Claim 1 recites "non-transitory computer-readable media"; however, the Specification at [00110] discloses a "non-transitory computer readable storage medium". The examiner suggests changing the claimed limitation "non-transitory computer-readable media" to --non-transitory computer readable storage medium-- to be consistent with the disclosure.
Appropriate correction is required.

Claims 2-6 depend on Claim 1 and recite "the media of Claim 1". It is suggested to change "the media of Claim 1" to --the medium of Claim 1-- for the same reasons as the change suggested for Claim 1.

Claim 7 depends on Claim 6 and recites "the media of Claim 6". It is suggested to change "the media of Claim 6" to --the medium of Claim 6-- for the same reason as the change suggested for Claim 1.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.



Claims 1-2, 8-9, 15-16, and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Brown et al. (U.S. Patent Application Publication No. US 2019/0340057 A1), hereinafter Brown.
With regard to Claim 1, Brown teaches one or more non-transitory computer-readable media storing instructions, which when executed by one or more hardware processors ([0092]), cause performance of operations comprising:
identifying a plurality of fields referenced by a composite rule comprising a first rule and a second rule ([0080], FIG. 19 teaches a two-stage process rule used by a log management server application with lists 1904, 1906, 1912, and 1914 of terms used in log fields), the first rule corresponding to log data generated during a first time window ([0080], FIG. 19, discloses first rule 1902 rule comprises two lists of terms 1904 and 1906 and a first stage interval denoted by [t.sub.i, t.sub.j] 1908, where t.sub.i is a begin time and t.sub.j is an end time for the first stage interval), the second rule corresponding to log data generated during a second time window, wherein the first time window is different than the second time window ([0080] In ;
analyzing a plurality of log records to identify a subset of log records that include values for fields referenced by at least one rule of the composite rule (FIG. 20 and FIG. 22 and the associated paragraphs teach analysis of log-message file 2016 for a two-stage process rule that searches for log messages containing the terms of each stage, where each stage is associated with a certain time window. [0074] and FIG. 18 show an example of event-type analysis performed on the log message 1602.);
selecting a first set of log records and a second set of log records from the subset of log records for evaluating the composite rule, the first set of log records being associated with the first time window ([0081]-[0082], FIG. 20 teaches a system in which log messages generated by various event sources are collected into a log-message file 2016 in a database in an appliance 2008. "The log management server searches a log-message file 2016 …for a log message that satisfies a first rule. Directional arrow 2018 represents a first stage interval with a begin time ti and an end time tj.") and the second set of log records being associated with the second time window ([0083]-[0084], FIG. 22 teaches creation of a second interval for the second stage of the rule ending at tk. The log management server then extends the search for a log message that satisfies the second rule of the two-stage process rule.);
determining that the composite rule is triggered based on ([0076] teaches the user or system administrator may define a compound alert that corresponds to the multistage process rules):
determining that the first rule is triggered by the particular first set of log records associated with the first time window (In [0082], FIG. 20, directional arrow 2018 represents a first stage interval with a begin time t.sub.i and an end time t.sub.j. The log management server applies a series of computational operations 2020 to each log message with a time stamp in the first stage interval 2018. );
determining that the second rule is triggered by the particular second set of log records associated with the second time window ([0083], FIG. 22 discloses directional arrow 2202 representing a second stage interval that begins with the time stamp t.sub.1 of the log message identified as satisfying the first rule and ends at the stop time t.sub.k. The log management server applies a series of computational operations 2204 to each log message with a time stamp in the second stage interval 2202); and
generating a notification based on the triggering of the composite rule ([0084] where “a single compound alert is generated indicating that the startup process defined by the two-stage process rule in FIG. 19 completed and copies of the log messages 2036 and 2216 may be displayed or sent to the system administrator as confirmation that the process completed.”
[0077] “When both stages of the multistage process rule are satisfied, a compound alert may be generated indicating completion of the shutdown/startup process.” ).

With regard to Claim 2, Brown teaches the media of Claim 1, wherein the log data comprises first log data generated by a first application and second log data generated by a second application ([0089] FIGS. 26A-26B show an example of a search for log messages of a two-stage process rule, such as the two-stage process rule of FIG. 19, extended to multiple 

With regard to Claim 8, the method of Claim 8 performs the same steps as the media of Claim 1, and Claim 8 is therefore rejected using the same art and rationale set forth above in the rejection of Claim 1 by the teachings of Brown.

With regard to Claim 9, the method of Claim 9 performs the same steps as the media of Claim 2, and Claim 9 is therefore rejected using the same art and rationale set forth above in the rejection of Claim 2 by the teachings of Brown. 

With regard to Claim 15, the system of Claim 15 performs the same steps as the media of Claim 1, and Claim 15 is therefore rejected using the same art and rationale set forth above in the rejection of Claim 1 by the teachings of Brown. 

With regard to Claim 16, the system of Claim 16 performs the same steps as the media of Claim 2, and Claim 16 is therefore rejected using the same art and rationale set forth above in the rejection of Claim 2 by the teachings of Brown.

With regard to Claim 20, Brown teaches the system of Claim 15, further comprising transmitting the generated notification ([0093], FIG. 27: in block 2709, for example, after the log messages satisfying the first rule and the second rule of the composite rule have been found, the system administrator may receive an email indicating that the multistage process is finished, or the alert may be displayed in the dashboard of the GUI the system administrator uses to monitor the distributed computing system.).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Brown as applied to claims 1, 8, and 15 respectively, and further in view of Peterson (U.S. Patent Application Publication No. US 2020/0125725 A1), hereinafter Peterson.
With regard to Claim 3, Brown teaches the media of Claim 1. 
Brown does not explicitly teach, however Peterson teaches, wherein the at least one application and the corresponding log data are associated with a single entity ([0007] teaches an email being sent that "causes a log message to be generated describing a source IP address (e.g., of device from which email originated), a destination IP address (e.g., of device designated to receive the email), an email address of the sender, an email address of the recipient, a time at which the transfer was initiated, a time at which the transfer completed, a size and type of the attached file, etc." The email program is the application that causes the log data to be generated, and the email address of the sender is the single entity with which both the log data and the application are associated.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown to incorporate the teachings of Peterson and perform log analysis using a single entity associated with an application and its corresponding log data. Doing so would be combining prior art elements according to known methods to determine an identity profile using log data, "thereby leading to a more complete and thorough analysis with deeper consideration of the user (or other entity) associated with the triggering log message data" (Peterson, [0010]).

With regard to Claim 10, the method of Claim 10 performs the same steps as the media of Claim 3, and Claim 10 is therefore rejected using the same art and rationale set forth above in the rejection of Claim 3 by the teachings of Brown further in view of Peterson. 

With regard to Claim 17, the system of Claim 17 performs the same steps as the media of Claim 3, and Claim 17 is therefore rejected using the same art and rationale set forth above in the rejection of Claim 3 by the teachings of Brown further in view of Peterson. 

Claims 4-5, 11-12, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Brown as applied to claims 1, 8, and 15 respectively, and further in view of Lador et al. (U.S. Patent No. US 10885167 B1), hereinafter Lador.

With regard to Claim 4, Brown teaches the media of Claim 1.
Brown does not explicitly teach, however Lador teaches, wherein the first time window and the second time window correspond to non-overlapping windows of a same size in a particular set of tumbling temporal windows (Col. 5, lines 29-42, FIG. 2 teaches Logging Engine 210 in Monitoring Service 200 that generates logs (212) recording access events associated with the data repository (120) of FIG. 1C. The logs (212) may include a timestamp for each access event, the IP address of the user associated with each access event, the software application that initiated the access request, the server that initiated the access request, etc. Col. 5, line 62 to Col. 6, line 7 further teaches a time series engine (220) configured to generate one or more time series for access events by accessing the logs (212). "A time series is a set of time intervals…. The time intervals may be consecutive and non-overlapping."
Col. 8, line 53 to Col. 9, line 6, FIG. 4 teaches in Step 404 the generation of time series or bins from logs. An example is given of non-overlapping, 1 minute bins with counts of a particular event.).


With regard to Claim 11, the method of Claim 11 performs the same steps as the media of Claim 4, and Claim 11 is therefore rejected using the same art and rationale set forth above in the rejection of Claim 4 by the teachings of Brown further in view of Lador. 

With regard to Claim 18, the system of Claim 18 performs the same steps as the media of Claim 4, and Claim 18 is therefore rejected using the same art and rationale set forth above in the rejection of Claim 4 by the teachings of Brown further in view of Lador. 

With regard to Claim 5, Brown teaches the media of Claim 1.
Brown does not explicitly teach, however Lador teaches wherein the first time window and the second time window are adjacent time windows (Col. 5, lines 29-42, FIG. 2 teaches Logging Engine 210 in Monitoring Service 200 that generate logs (212) recording access events associated with the data repository (120) of FIG. 1C. The logs (212) may include a timestamp for 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown to incorporate the teachings of Lador and perform log analysis using a time series analysis with log data events in adjacent windows. Doing so would be combining prior art elements according to known methods to capture different types of events using different time series or time windows, so that the log data's "unique characteristics are preserved and made available as inputs to predictive models" for analysis, including to predict attacks on a computing system (Lador, Col. 10, lines 25-36 and Col. 4, lines 10-32).
 
With regard to Claim 12, the method of Claim 12 performs the same steps as the media of Claim 5, and Claim 12 is therefore rejected using the same art and rationale set forth above in the rejection of Claim 5 by the teachings of Brown further in view of Lador. 

With regard to Claim 19, the system of Claim 19 performs the same steps as the media of Claim 5, and Claim 19 is therefore rejected using the same art and rationale set forth above in the rejection of Claim 5 by the teachings of Brown further in view of Lador.

Claims 6-7 and 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Brown as applied to claims 1 and 8 respectively, and further in view of Martin et al. (U.S. Patent Application Publication No. US 2015/0101044 A1), hereinafter Martin.

With regard to Claim 6, Brown teaches the media of Claim 1, wherein determining that the composite rule is triggered further comprises (Brown [0089], FIGS. 26A-26B show an example of a search for log messages of a two-stage process rule, such as the two-stage process rule of FIG. 19, extended to multiple event sources spread across multiple computer systems of a distributed computing system with log management agents that collect log messages generated by various event sources.):
identifying a first event in the first time window that triggers the first rule ([0090] FIG. 26A teaches a first stage counter of the number of log-message files 2612-2614 with a log message in a first stage interval and satisfies a first rule of a two-stage process rule.);
setting an accumulator to indicate that the first rule is triggered ([0090], FIG. 26A teaches log messages 2616-2618 that satisfy the first rule of the two-stage process rule are identified, counted, and written to a buffer 2620 in the data-storage appliance 2610. In the example of FIG. 26A, N log messages 2622 have been counted and recorded in the buffer. See details of the process in FIG. 20 and [0082]);
identifying a second event in the second time window that triggers the second rule ([0091] In the example of FIG. 26B, the log-message files 2612-2614 are each searched, as described above with reference to FIG. 22, for log messages in a second stage interval of a second rule of a two-stage process rule);
updating a counter to indicate that the second rule is triggered ([0091], FIG. 26B teach log messages 2624-2626 that satisfy the second rule of the two-stage process rule are identified, counted, and written to the buffer 2620. In the example of FIG. 26B, M log messages 2628 have been counted and recorded in the buffer. See details of the process in FIG. 22 and [0084]); and
generating the notification based on the updated accumulator (Brown [0089], FIG. 26A-26B teaches a compound alert is generated when the second stage counter M is less than the first stage counter N.).
While Brown discloses counting the times that each rule condition building toward a final rule condition is met, by incrementing two accumulators, each associated with the rule specifying that condition, it does not disclose one accumulator that is updated by the second rule. However, Martin teaches an accumulator ([0016], FIG. 1 teaches an event model which maintains states for system components responsive to events associated with the system components. [0021] teaches that state representations may be associated with an accumulator 116 that may include a count of occurrences of an event and a threshold, and that the state 106 may be set or updated based on the value maintained by the accumulator 116.
[0050]-[0055] teaches an example process where [0052] teaches receiving a first notification of a first event associated with a system component including a process, a file, or a thread. At 408, state representation may be updated , which as discussed above includes the accumulator.  At 412, a second event notification is received and at 418 state representations are updated again. [0055] teaches, “the accumulator may maintain a value that is updatable 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Brown to incorporate the teachings of Martin and utilize an accumulator to keep a count of events that may trigger a state change in a system. Doing so would be combining prior art elements according to known methods to enhance system security by "monitoring events on a computing device, maintaining state about some or all of the events on a computing device, notifying a security service of one or more events on a computing device, or taking action responsive to a security exploit associated with one or more events on a computing device" (Martin, [0015]).

With regard to Claim 13, the method of Claim 13 performs the same steps as the media of Claim 6, and Claim 13 is therefore rejected using the same art and rationale set forth above in the rejection of Claim 6 by the teachings of Brown further in view of Martin. 

With regard to Claim 7, Brown in view of Martin teaches the media of Claim 6, further comprising transmitting the generated notification and including in the transmitted notification a description of the first event and a description of the second event (Brown [0084], FIG. 22 discloses a two-stage process. In step 2212 an alert is generated. [0084] teaches, "A single compound alert is generated indicating that the startup process defined by the two-stage process rule in FIG. 19 completed and copies of the log messages 2036 [sic] and 2216 may be displayed or sent to the system administrator as confirmation that the process completed.").
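The composite-rule evaluation mapped to Brown, Lador and Martin in the rejections of Claims 1 and 4-7 above (a first rule over a first time window, a second rule over a different, adjacent tumbling window of the same size, an accumulator for first-stage matches and a counter for second-stage matches, and a notification that carries a description of both triggering events) in runnable form. This is an added illustration for the reader, not code from the application under examination or from Brown, Lador, Martin or Peterson; the log records, field names, rule names, thresholds, the `user` correlation field and the one-minute window are all constructed for the example.

```python
"""Two-stage composite rule over log records in tumbling time windows.
Added worked example; not code from the application under examination or from
any cited reference. Every record, field name, rule and threshold below is
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass(frozen=True)
class Rule:
    name: str
    fields: tuple[str, ...]            # log fields this rule references
    predicate: Callable[[dict], bool]  # evaluated on each candidate record
    threshold: int = 1                 # matches needed inside one window


@dataclass(frozen=True)
class CompositeRule:
    first: Rule
    second: Rule
    window: timedelta   # size of every tumbling window (equal size, non-overlapping)
    entity_field: str   # field on which first- and second-stage records are correlated


def referenced_fields(rule: CompositeRule) -> set[str]:
    """All fields the composite rule needs ("identifying a plurality of fields")."""
    return set(rule.first.fields) | set(rule.second.fields) | {rule.entity_field}


def select_candidates(records: list[dict], rule: CompositeRule) -> list[dict]:
    """Keep records carrying values for every field of at least one sub-rule
    (plus the entity field); unrelated records never reach the predicates."""
    def satisfies(r: dict, sub: Rule) -> bool:
        return all(r.get(f) is not None for f in (*sub.fields, rule.entity_field))
    return [r for r in records if satisfies(r, rule.first) or satisfies(r, rule.second)]


def window_index(ts: datetime, epoch: datetime, size: timedelta) -> int:
    """Index of the tumbling window containing ts; adjacent windows differ by 1."""
    return (ts - epoch) // size


def evaluate(rule: CompositeRule, records: list[dict], epoch: datetime) -> list[dict]:
    """Trigger the composite rule when, for one entity, the first rule is met in
    window w and the second rule is met in the adjacent window w + 1."""
    buckets: dict[tuple[str, int], list[dict]] = defaultdict(list)
    for r in select_candidates(records, rule):
        w = window_index(datetime.fromisoformat(r["ts"]), epoch, rule.window)
        buckets[(r[rule.entity_field], w)].append(r)

    notifications = []
    for (entity, w), first_set in sorted(buckets.items()):
        # accumulator: first-stage matches inside the first time window
        accumulator = [r for r in first_set if rule.first.predicate(r)]
        if len(accumulator) < rule.first.threshold:
            continue
        # counter: second-stage matches inside the adjacent second window only;
        # a match two windows later (not adjacent) does not count
        second_set = buckets.get((entity, w + 1), [])
        counter = [r for r in second_set if rule.second.predicate(r)]
        if len(counter) < rule.second.threshold:
            continue
        notifications.append({
            "rule": f"{rule.first.name} -> {rule.second.name}",
            "entity": entity,
            "first_window": w,
            "second_window": w + 1,
            "first_count": len(accumulator),
            "second_count": len(counter),
            "first_event": accumulator[0],   # descriptions of both triggering
            "second_event": counter[0],      # events travel with the notification
        })
    return notifications


def describe(n: dict) -> str:
    """Render a notification, including both triggering events, for transmission."""
    f, s = n["first_event"], n["second_event"]
    return (f"[{n['rule']}] entity={n['entity']} windows={n['first_window']},{n['second_window']} "
            f"first={n['first_count']}x {f['app']}:{f['event']}@{f['ts']} "
            f"second={n['second_count']}x {s['app']}:{s['event']}@{s['ts']}")


EPOCH = datetime(2024, 1, 1, 10, 0, 0)   # start of tumbling window 0 (constructed)

BRUTE_FORCE_THEN_LOGIN = CompositeRule(
    first=Rule("auth_failures", ("event", "user"), lambda r: r["event"] == "auth_failure", threshold=3),
    second=Rule("successful_login", ("event", "user"), lambda r: r["event"] in ("auth_success", "login_ok")),
    window=timedelta(minutes=1),
    entity_field="user",
)

# Constructed records from two applications (sshd and a VPN gateway) plus one
# kernel line that references none of the rule's fields and is filtered out.
SAMPLE_LOGS = [
    {"ts": "2024-01-01T10:00:05", "app": "sshd", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2024-01-01T10:00:10", "app": "sshd", "event": "auth_failure", "user": "carol", "src_ip": "198.51.100.9"},
    {"ts": "2024-01-01T10:00:15", "app": "sshd", "event": "auth_failure", "user": "carol", "src_ip": "198.51.100.9"},
    {"ts": "2024-01-01T10:00:20", "app": "sshd", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2024-01-01T10:00:30", "app": "sshd", "event": "auth_failure", "user": "bob", "src_ip": "203.0.113.8"},
    {"ts": "2024-01-01T10:00:40", "app": "sshd", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2024-01-01T10:00:50", "app": "sshd", "event": "auth_failure", "user": "carol", "src_ip": "198.51.100.9"},
    {"ts": "2024-01-01T10:00:55", "app": "kernel", "msg": "eth0: link up"},
    {"ts": "2024-01-01T10:01:10", "app": "vpn", "event": "login_ok", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2024-01-01T10:01:30", "app": "sshd", "event": "auth_success", "user": "bob", "src_ip": "203.0.113.8"},
    {"ts": "2024-01-01T10:02:15", "app": "sshd", "event": "auth_success", "user": "carol", "src_ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for n in evaluate(BRUTE_FORCE_THEN_LOGIN, SAMPLE_LOGS, EPOCH):
        print(describe(n))
```

Only alice triggers the composite rule: three failures in window 0 followed by a successful VPN login in the adjacent window 1, with the first-stage records coming from sshd and the second-stage record from a second application. bob never reaches the first-rule threshold, and carol's success falls in window 2, which is not adjacent to the window holding her failures, so the non-overlapping, adjacent-window requirement is what suppresses that alert.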
 
With regard to Claim 14, the method of Claim 14 performs the same steps as the media of Claim 7, and Claim 14 is therefore rejected using the same art and rationale set forth above in the rejection of Claim 7 by the teachings of Brown further in view of Martin.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Whitner et al. (U.S. Patent Application Publication No. US 2017/0180187 A1) teaches events generated by a variety of sources or components, including hardware and software. Events include messages that can indicate numerous activities, such as an application finishing a task or a server failure. An event management system collects and processes events generated by components. For example, an event management system may distribute events to network monitoring applications, assign events to an administrator, filter and consolidate events, etc. The event management system may also generate alarms based on processing received events.
Seigel (U.S. Patent Application Publication No. US 2017/0031741 A1) teaches systems and techniques for managing alert profiles, including creating the alert profiles and deactivating the alert profiles. Auditing software executing on a central server may receive an event log from a software agent. The event log may identify activities associated with a network element in a computer system. The auditing software may include a classifier trained using machine 

Handa et al. (U.S. Patent Application Publication No. US 2019/0079818 A1) teaches systems and methods for generating, managing, and processing of centralized logs containing diagnostic and log error messages. The components may write error messages to a centralized log instead of writing the error messages to local log files. These error messages may include exception messages and diagnostics messages. These various error messages in the centralized log can be read, identified, and organized. Furthermore, enrichments and/or analytics may be applied to the error messages based on information from a knowledge source or the application of one or more machine learning models. The organized error messages, enrichments, and analytics can be stored in an output log that can be easily retrieved and viewed through a graphical interface. The organized error messages, enrichments, and analytics may work together to allow for more effective diagnosing of execution errors.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KUROSU ALTAF whose telephone number is (408)918-7543.  The examiner can normally be reached on Monday - Friday: 9:00 AM - 6:00 PM PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/K.R.A./Examiner, Art Unit 2114

/MATTHEW M KIM/Supervisory Patent Examiner, Art Unit 2114