DETAILED ACTION
This is a notice of allowance in response to Remarks filed on 08/30/2021.
Claims 1-20 are allowed.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephonic interview with Attorney Michael Cofield (54630) on 09/09/2021.

Please amend the claims as follows:

7. (Currently Amended) A network traffic analysis system including a network based logging platform comprising one or more processors coupled to a memory device, the network traffic analysis system comprising: 
a transport module configured to collect one or more messages over a network, the one or more messages including one or more host event logs from the one or more remote hosts, respectively; 
wherein the network based logging platform is layered into: an event engine to reduce network traffic into a stream of network events; and 
a script interpreter to interpret the stream of network events, and 
the network traffic analysis system further comprises: a script configured to establish a communication link with the one or more processors; 
the script configured to receive data from the transport module in a predetermined format, the data based on the one or more host event logs; 
the script configured to extract key values from the received data and assign the key values to variables; 

the script interpreter further configured to: receive network events of the stream of network events directly from the event engine, wherein the stream of network events comprises a series of higher layer events reduced from an incoming packet analysis stream received by the network based logging host; 
and separately receive the generated host events from the event parser, wherein the host events are derived from the one or more host event logs generated by the one or more remote hosts and normalized for consumption by the script interpreter, 
wherein the transport module and the script are implemented by the one or more processors executing instructions stored by the memory device.

Allowable Subject Matter
Claims 1-20 are allowed. Independent claims 1, 7, and 16 have been amended to include subject matter from the specification that further narrows the scope of the claimed invention and is now considered allowable.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: The prior arts of record (i.e. Zhang, Levi, Paxson, Lui, and Husak), individually or in combination, do not explicitly teach the totality of the independent claims when read in light of the specification. Although the prior arts of record are considered analogous references, the combination of these references would not be an obvious modification to the amended independent claims 1, 7, and 16.
In particular, the prior arts of record (i.e. Levi, Paxson, Lui, and Zhang) do not explicitly teach a network traffic analysis system including a network based logging host, wherein the network based logging host is layered into: an event engine to reduce network traffic into a stream of network events; and a script interpreter to interpret the stream of network events, the system including collecting, using a log transport module, one or more messages including one or more host event logs from the one or more 
Furthermore, the prior arts of record do not explicitly teach the event parser configured to: classify each message based on one of a plurality of predetermined event types; apply a rule of a plurality of predetermined rules to each event of the host event logs based on the classified event types to select content from the message; and extract the selected content and generate an event based on the extracted content and the corresponding rule; and exposing the generated host events to the script interpreter, wherein the script interpreter is arranged to: receive network events of the stream of network events directly from the event engine.
Moreover, the prior arts of record do not explicitly teach wherein the stream of network events comprises a series of higher layer events reduced from an incoming packet analysis stream received by the network based logging host; and separately receive the generated host events from the event parser, wherein the host events are derived from the one or more host event logs generated by the one or more remote hosts and normalized for consumption by the script interpreter.
The additional prior arts of record (i.e. Bhattacharya, Gao, Kieviet, Christensen, and Wiegand), although analogous references, do not cure the deficiencies of the prior arts of record. Furthermore, all prior arts of record relate to event management systems and/or network traffic analysis. 
However, the prior arts of record do not explicitly disclose a script interpreter that receives events from an event parser that parses host logs to detect events from remote hosts and a network engine that detects events from network communications or sources, which allows the scripts to maintain state over time, enabling them to track and correlate the evolution of what they observe across connection and host boundaries. Therefore, the claimed invention, considering all claim limitations as a whole, is novel and considered patentable.
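The architecture recited above (an event parser that classifies host log messages by type, applies a per-type rule to extract content, and emits normalized host events; a script that consumes those host events alongside network events from an event engine and keeps state across connection and host boundaries) is illustrated by the following added example. It is not code from the application or the examiner; the log lines, network events, rule names and class names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed host log messages (host name, raw log line), one stream per remote host.
HOST_LOGS = [
    ("hostA", "sshd[1001]: Failed password for root from 10.0.0.5 port 51515"),
    ("hostA", "sshd[1001]: Accepted password for root from 10.0.0.5 port 51520"),
    ("hostB", "kernel: eth0: link up"),  # matches no rule, so yields no host event
]

# Constructed network events as an event engine would reduce them from packet analysis.
NETWORK_EVENTS = [
    {"type": "connection", "src": "10.0.0.5", "dst": "hostA", "dport": 22},
    {"type": "connection", "src": "10.0.0.9", "dst": "hostB", "dport": 80},
]

# Predetermined event types, each paired with the rule that selects content from the message.
RULES = {
    "auth_failure": re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"),
    "auth_success": re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)"),
}

def parse_host_logs(logs):
    """Event parser: classify each message, apply its rule, emit a normalized host event."""
    events = []
    for host, msg in logs:
        for etype, rule in RULES.items():
            m = rule.search(msg)
            if m:
                events.append({"type": etype, "host": host, **m.groupdict()})
                break
    return events

class CorrelationScript:
    """Script consuming both streams; its state persists across connections and hosts."""
    def __init__(self):
        self.ports = defaultdict(set)     # (src, dst host) -> ports seen on the wire
        self.failures = defaultdict(int)  # (src, host) -> failed-auth count from host logs
        self.alerts = []
    def on_network_event(self, ev):
        if ev["type"] == "connection":
            self.ports[(ev["src"], ev["dst"])].add(ev["dport"])
    def on_host_event(self, ev):
        key = (ev["src"], ev["host"])
        if ev["type"] == "auth_failure":
            self.failures[key] += 1
        elif ev["type"] == "auth_success" and self.failures[key] and 22 in self.ports[key]:
            self.alerts.append(f"{ev['src']} succeeded on {ev['host']} after {self.failures[key]} failure(s)")

def run(network_events=NETWORK_EVENTS, host_logs=HOST_LOGS):
    script = CorrelationScript()
    for ev in network_events:
        script.on_network_event(ev)
    for ev in parse_host_logs(host_logs):
        script.on_host_event(ev)
    return script.alerts
```

The alert fires only because the script correlates a wire-level SSH connection with host-side authentication events from the same source, which neither stream reveals on its own.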
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CLIFTON HOUSTON whose telephone number is (571)270-0616.  The examiner can normally be reached on Monday through Friday from 8:00 am until 5:00 pm eastern time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal Divecha can be reached on (571)272-5863.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.
Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CLIFTON HOUSTON/             Examiner, Art Unit 2453

/DHAIRYA A PATEL/             Primary Examiner, Art Unit 2453