DETAILED ACTION
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This Office Action is in response to the amendment filed on 6/8/2021.
Claims 4 and 12 have been canceled.
Claims 1, 5, 7-9 and 17 have been amended.
Claims 1-3, 5-11 and 13-22 are pending for consideration.

Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 7/9/2021 has been entered.

Response to Arguments
Applicant’s arguments, filed on 6/8/2021, with respect to claims 1-3, 5-11 and 13-22 have been fully considered and are persuasive.  The 103 rejection of claims 1-3, 5-11 and 13-22 has been withdrawn. 

Allowable Subject Matter
Claims 1-3, 5-11 and 13-22 are allowed.
The following is an examiner’s statement of reasons for allowance:
Independent Claims 1, 9 and 17 are allowed for the reasons argued by
Applicants on pages 7-10 of the Remarks filed on 6/8/2021 which are persuasive.
Although, the prior art of record Goswami (US 20080134214) discloses "a method and apparatus for tracking data associated with an event across multiple files includes generating a particular value upon occurrence of a particular event during a first process spawned from a first module. The particular value is unique among all events during processes spawned from all modules" and Mezack (US 20080148398) discloses “a network security analysis tool and related systems and methods are disclosed. The disclosed invention can accept user input to define network security threat models. The system can collect event data from one or more network devices and analyze that data for the existence of activity matching the defined threat models. The collected data can be translated into a common format for storage in a database of the invented system. The system can create threat models to track network threats found in the collected data that both partially and completely match one or more threat model definitions”,

Claim 1: A computer security method comprising: detecting an event, associated with a process, occurring in a computing system, wherein detecting the event comprises intercepting an operation at a layer of an operating system of the computing system; generating, by a processor, an event identifier for the event, wherein the event identifier uniquely identifies the event in the computing system; generating a record for the event, the record comprising the event identifier and details that describe the event; generating a global identifier for the record based on the event identifier and attributes of the computing system on which the event occurred, wherein the global identifier uniquely identifies the computing system that is associated with the record among a plurality of computing systems including the computing system; identifying a security breach in the computing system; based at least on the security breach, retrieving, using the global identifier, the record associated with the computing system from a plurality of records associated with the plurality of computing systems; and determining that the retrieved record associated with the computing system relates to the security breach associated with the computing system, contents of the retrieved record  being indicative of an event relating to the security breach.
Claim 9: A non-transitory computer readable storage medium comprising instructions that cause a processor to perform a method 
Claim 17: A method for computer security, the method comprising: receiving an event record for an event associated with a process executing on a computing system, the event being detected by intercepting an operation at a layer of an operating system of the computing system, wherein the event record comprises details of the 
The closest prior art made of record and cited consisted of the following references.  
King (US 8839435 B1) disclosed “event-based attack detection is described. In some implementations, an attack on a computing device can be detected by identifying unusual events, or unusual sequences of events, that occurred on the computing device. A computing device can log events that occur on the computing device. In some implementations, 
Small (US 8640232 B2) discloses “automated file system event tracking and reporting techniques are described in which file system events requested by a user application are intercepted and recorded prior to the request being permitted to pass to the file system for execution. Similarly, file system responses to a prior captured file system event are also intercepted and recorded. Predefined patterns of file system event may be aggregated and reported as a single event”.
Apostolescu (US 20130055339 A1) discloses “apparatus, systems, and methods may operate to include transforming subsequent unmarked contexts into additional tainted contexts in response to identifying a tainted event as a link between a prior tainted context and the subsequent unmarked contexts. Further operations may include publishing an event horizon to a display. The event horizon may include the tainted event and all other events associated with a linked chain of contexts that include the prior tainted context and the additional tainted contexts, where the tainted event and the other events share the taint in common. In this way, a taint associated with malicious behavior can be propagated and tracked as it moves between contexts”.
Van Vleet (US 20090276407 A1) discloses “an event history server system stores event data descriptive of user-specific events that occur in 
However, the prior art of record, taken by itself or in any combination, do not anticipate or make obvious the invention of the present application and in particular the claim features listed above.
Claims 2-3, 5-8, 10-11, 13-16 and 18-22 depend upon respective independent claims above and are therefore allowed by virtue of their dependencies.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.” 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/TRANG T DOAN/Primary Examiner, Art Unit 2431