DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Information Disclosure Statement
	An Information Disclosure Statement (IDS) has not been submitted as of the mailing of the last Office Action dated 22 June 2021. Applicant is reminded of the continuing obligation under 37 CFR 1.56 to timely apprise the Office of any information which is material to patentability of the claims under consideration in this application.


Introductory Remarks
	In response to communications filed on 22 September 2021, claims 1, 6-8, 11, 16, 18, and 20 are amended per Applicant's request. Claim 17 is cancelled. No claims were withdrawn. Claim 21 is new. Therefore, claims 1-16 and 18-21 are presently pending in the application, of which claims 1, 11, and 20 are presented in independent form.

The previously raised objections are withdrawn in view of the amendments to the claims.
The previously raised 103 rejection of the pending claims is withdrawn in view of the amendments to the claims. A new ground(s) of rejection has been issued.




Response to Arguments
Applicant’s arguments filed 22 September 2021 with respect to the rejection of the claims under 35 U.S.C. 103 have been fully considered but are not persuasive.
Applicant argues that “the processing of [cited] paragraph [0107], however, is provided by analysis module 318 of the forensics apparatus 104, not as part of filtering which events received using the monitoring hooks to pass for analysis” (emphasis added) (Remarks, p. 10).
The monitoring hooks were found to be disclosed by secondary reference, Nguyen, and thus Applicant’s arguments are directed to a reference that was not being used to reject the claimed limitation.
Applicant further argues “Hoog does not teach or suggest that the processing by analysis module 318, is used to filter events and, more particularly, does not teach or suggest outputting a forensic artifact filter output based on the results of an analysis by the analysis module 318” (Remarks, p. 10).
This is not what the claim language states. The claim language performs the forensic analysis based on the forensic artifact filter output (see the independent claims: “based on the forensic artifact filter output…apply a forensic analysis to the forensic artifact to generate a result”).
In short, Applicant is arguing [forensic analysis] → [forensic artifact filter output].
However, the claim states the reverse: [forensic artifact filter output] → [forensic analysis].
Applicant’s arguments on p. 11 regarding Hoog (the first two paragraphs) are unpersuasive for the same reasons above, i.e., Applicant has switched the order of the claimed steps.
Applicant’s arguments regarding Hoog and Nguyen not disclosing the amended limitation “based on the forensic artifact filter output, collect, at the computer, forensic metadata associated with the forensic artifact but not included in the forensic artifact filter output” (see Remarks, p. 11) is moot, as Hoog and Nguyen were not used to reject this particular claim feature. See the 103 rejection below for further detail.



Claim Objections
Claim 12 is objected to because of the following informalities: Claim 12 is missing a period at the end of the claim.  Appropriate correction is required.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 6-8, 10-12, 16, and 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over Hoog (“Hoog”) (US 2012/0191660 A1), in view of Nguyen et al. (“Nguyen”) (US 2020/0327225 A1), in further view of Kinder et al. (“Kinder”) (US 2017/0244754 A1).
	Regarding claim 1: Hoog teaches A computer program product comprising a non-transitory computer-readable medium storing a set of computer-readable instructions, the set of computer-readable instructions executable on a computer (Hoog, [0034-0036], where the disclosed system may be implemented as a computer program product comprising a non-transitory computer-readable medium storing computer-readable program instructions executable by a processor embodied in one or more computing devices) ... :
	provide a forensic artifact filter … (Hoog, [0047], where the monitoring module may monitor activity in accordance with predefined settings including one or more defined activities to monitor), the forensic artifact filter comprising code executable to:
	for the event received …, evaluate the event … to determine if the event represents a change to a forensic artifact (Hoog, [0047], where the monitoring module may monitor activity in accordance with predefined settings including one or more defined activities to monitor. See Hoog, [0107], where the forensic data may be subjected to differential comparison to identify new or changed data points (thus in this manner, events may represent a change to a forensic artifact, as claimed)); and
	based on a determination that the event represents the change to the forensic artifact, output a forensic artifact filter output that includes event information for the event, the event information including an indication of the forensic artifact (Hoog, [0051-0101], where the extracted forensic data, e.g., forensic artifacts (i.e., “forensic artifact filter output”), may include any number of forensic data types and may vary depending on the type of system and/or applications implemented on the monitored apparatus. The extracted forensic data may include a large variety of information (i.e., “event information for the event”) such as user profile info, deleted data, user activity data, and so forth (i.e., “the event information including an indication of the forensic artifact”). See also Hoog, [0114-0126], where the system may detect users being created/deleted (i.e., “change to the forensic artifact”));
	based on the forensic artifact filter output, collect, at the computer, forensic metadata associated with the forensic artifact … and apply a forensic analysis to the forensic artifact to generate a result that indicates a first activity with respect to the forensic artifact, the forensic metadata including a user identifier for a user of the operating system (Hoog, [0033], where a forensic analysis apparatus may comprise any computing device or plurality of computing devices configured to receive forensic data from a monitored apparatus (i.e., “collect, at the computer, forensic metadata”). See Hoog, [0051-0101], where extracted forensic data (i.e., “forensic artifact filter output”) includes user activity data, such as user profile information (i.e., “user identifier for a user of the operating system”). See also Hoog, [0129], where an aggregate report may provide forensic data for a given user (e.g., user activity data) (i.e., “generate a result that indicates a first activity with respect to the forensic artifact”) over a period of time (indicating that data may be aggregated on a user-by-user basis, implying some sort of user identification or identifier for distinguishing between users));
	generate in real-time, at the computer, a forensically interpreted activity for the event, the forensically interpreted activity comprising the forensic metadata, the result of the forensic analysis and a description of the first activity by the user with respect to the forensic artifact (Hoog, [0109], where an analysis module may calculate or otherwise generate key risk indicator (KRI) values (e.g., PASS/WARN/FAIL, a numeric score value, and/or the like) from processed forensic data (i.e., “the result of the forensic analysis”). For example, if no new user accounts are supposed to be created on a monitored system, then any new user account is a significant risk. During processing of received forensic data, if the forensic data contains an indication of a creation of a new user account (i.e., “activity by the user”) where the analysis module may set a KRI value for “New User Creation” (i.e., “a description of a first activity by the user with respect to the forensic artifact”) to “FAIL” (i.e., “the result of the forensic artifact”), where the analysis module may further flag data representing evidence of the created user account (i.e., “forensic metadata”). See Hoog, [0127], where a report (i.e., “forensically interpreted activity”) may be generated, including the output of the analysis, e.g., as seen in Hoog, [0109] above. See Hoog, [0028], where (rather than a forensic investigation being limited to the existing system state post-incident) the incident response analysis may include forensic data during and immediately post-incident (i.e., “generate in real-time…a forensically interpreted activity for the event”)); and
	store the forensically interpreted activity in a digital forensics store for the computer (Hoog, [0108], where a high level preliminary analysis of the processed forensic data may be performed, and values, data, and/or other information resulting from this analysis may be loaded into a forensic database. Although Hoog does not appear to explicitly state that the reports (i.e., “forensically interpreted activity”) are stored, but rather generally states that analysis of the processed forensic data may be stored in the forensic database, one of ordinary skill in the art would have found it obvious to have modified Hoog’s disclosure to also store the generated reports with the motivation of providing later retrieval in order to save processing time and resources from having to re-compute the analyses involved in the report generation).
	Hoog does not appear to explicitly teach [a computer] that has an operating system with a notification interface to: use a monitoring hook into the notification interface of the operating system to receive an event; [provide a forensic artifact filter] coupled to the monitoring hook[, the forensic artifact filter comprising code executable to: for the event received] using the monitoring hook[, evaluate the event] according to a forensic artifact definition; [and collect, at the computer, forensic metadata associated with the forensic artifact] but not included in the forensic artifact filter output.
	Nguyen teaches [a computer] that has an operating system with a notification interface to: use a monitoring hook into the notification interface of the operating system to receive an event (Nguyen, [0116], where a detection module can include a kernel-level security agent as part of the operating system, where the kernel-level security agent may be installed on the host computing device in the form of a driver, which may use hooks or filter drivers to monitor memory or log files); [and] 
[provide a forensic artifact filter] coupled to the monitoring hook[, the forensic artifact filter comprising code executable to: for the event received] using the monitoring hook[, evaluate the event] according to a forensic artifact definition (Nguyen, [0114], where the detection module can detect activity at a monitored computing device and determine corresponding event record(s), e.g., for the received event. See Nguyen, [0120], where each kind of activity or data may be associated with a different collector where the events observed by the collectors may be specified by a configuration of the detection module, i.e., specifying configurable filters for filtering and dispatching those events. The detection module may build and maintain a model (i.e., “artifact definition”) representing chains of execution activities and genealogies of processes, which may be used to track attributes, behaviors, or patterns of processes and can be used to determine whether to notify a security service cloud of the event. See Nguyen, [0119], where the steps may be applied to forensic data (i.e., “forensic artifacts”)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Hoog and Nguyen (hereinafter “Hoog as modified”) with the motivation of ease of implementation (i.e., hooks are built into many operating system kernels, and may easily provide functions to drivers), and more granularly customizing types of events to be monitored (i.e., using the forensic artifact definition, which allows the system to more quickly classify certain types of events and determine whether to filter them or not).
	Hoog as modified does not appear to explicitly teach [collect, at the computer, forensic metadata associated with the forensic artifact] but not included in the forensic artifact filter output.
	Kinder teaches [collect, at the computer, forensic metadata associated with the forensic artifact] but not included in the forensic artifact filter output (Kinder, [0081-0084], where pipeline handlers (which analyze and process data from the process creation monitor, persistent process monitor, thread injection monitor, network monitor, inspector, etc.) can request annotators to look up additional information on a process (i.e., “collect…forensic metadata associated with the forensic artifact but not included in the forensic artifact filter output”) and store results. See also, e.g., Kinder, [0094], where unknown events can be correlated with other events identified by other endpoints to aid in understanding the nature of the event (i.e., “forensic metadata associated with the forensic artifact”)).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Hoog as modified and Kinder (hereinafter “Hoog as modified”). Hoog suggests in [0106] that the extracted forensic data may be combined/synthesized with multiple received forensic data sets and/or sources into a combined forensic data set, and to derive additional forensic data values. Therefore, one of ordinary skill in the art would have combined Hoog as modified and Kinder with the motivation of providing additional context to alerts that may otherwise seem benign, but in the context of other correlated events has the context to perform a proper assessment (Kinder, [0092]). 

	Regarding claim 2: Hoog as modified teaches The computer program product of claim 1, wherein the set of computer-readable instructions are executable to implement a filter driver, the filter driver comprising the forensic artifact filter (Nguyen, [0116], where a detection module can include a kernel-level security agent as part of the operating system, where the kernel-level security agent may be installed on the host computing device in the form of a driver, which may use hooks or filter drivers to monitor memory or log files. See Nguyen, [0119], where forensic data associated with (filtered) events may be gathered, and an event record may be provided including the forensic data (thus in this manner, Nguyen’s filter driver corresponds to the claimed “forensic artifact filter”)).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Hoog as modified and Nguyen with the motivation of allowing users to customize the type of information to be received via the use of a driver (i.e., the driver latches into the hook, which allows for custom configurations). 

	Regarding claim 6: Hoog as modified teaches The computer program product of claim 1, wherein:
	the monitoring hook is configured to receive registry key change notifications, the event specifies a registry key, the registry key located at a registry path location (Nguyen, [0120], where collectors may register with a hook or filter driver offered by the OS to receive notifications of file creates, reads, and writes. A collector may monitor locations in memory (indicating that file creates/reads/writes occur in files in particular memory locations, i.e., “the file located at a file path location”)); and
	evaluating the event according to the forensic artifact definition comprises determining that the event represents the change to the forensic artifact based on the registry path location of the registry key (Kinder, [0047-0048], where the system determines the execution target to understand the nature of an event, e.g., analyzing a file against an internal or third-party annotation service that may have additional context on the file (i.e., “evaluating the event according to the forensic artifact definition”). See Kinder, [0055], where the persistent process monitor can monitor for persistence events, such as monitoring changes in the persistence locations (i.e., “path location”). When persistence events are identified (i.e., “evaluating the event”), the persistent process monitor can log the persistence events. See Kinder, [0037], where the persistent process monitor can monitor windows registry. See also Kinder, [0052], where persistence locations can include registry entries (i.e., “registry path location of the registry key”)).
	Although Nguyen does not appear to explicitly state that the type of information pertains to registry keys as claimed, the claimed invention does not distinguish over the prior art because the only differences in the claim limitations and the prior art’s disclosure are only found in the nonfunctional descriptive material and are not functionally involved in the steps recited. The monitoring of event data would have been performed the same regardless of the specific data involved (i.e., a registry key as claimed, some other file system events as disclosed by Nguyen, or some other data). Thus, this descriptive material will not distinguish the claimed invention from the prior art in terms of patentability. See In re Gulack, 703 F.2d 1381, 1385, 217 USPQ2d 401, 404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994). Therefore, it would have been obvious to one of ordinary skill in the art to have referred to Nguyen’s teachings in making the claimed invention, because such data does not functionally relate to the steps in the method claimed and because the subjective interpretation of the data does not patentably distinguish the claimed invention over the prior art.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Hoog as modified and Kinder with the motivation of monitoring certain locations in memory for changes that may be suspicious in nature, which allows the system to ascertain more quickly based on path information whether such changes are “normal” or “suspicious”.

	Regarding claim 7: Hoog as modified teaches The computer program product of claim 1, wherein:
	the monitoring hook is configured to receive file change notifications, the event specifies a file, the file located at a file path location (Nguyen, [0120], where collectors may register with a hook or filter driver offered by the OS to receive notifications of file creates, reads, and writes. A collector may monitor locations in memory (indicating that file creates/reads/writes occur in files in particular memory locations, i.e., “the file located at a file path location”)); and
	evaluating the event according to the forensic artifact definition comprises determining that the event represents the change to the forensic artifact based on the file path location of the file (Kinder, [0047], where the system determines the execution target to understand the nature of an event. See Kinder, [0055], where the persistent process monitor can monitor for persistence events, such as monitoring changes in the persistence locations (i.e., “path location”). When persistence events are identified (i.e., “evaluating the event”), the persistent process monitor can log the persistence events. See Kinder, [0086], where persistence data may include files (i.e., “based on the file path location of the file”). See Kinder, [0048], where a file may be analyzed and have metadata and other file specific information collected, which may be used for analysis of the file against internal or third-party annotation services (i.e., ‘according to the forensic artifact definition”) that may have additional context on the file).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Hoog as modified and Kinder with the motivation of monitoring certain locations in memory for changes that may be suspicious in nature, which allows the system to ascertain more quickly based on path information whether such changes are “normal” or “suspicious”.

	Regarding claim 8: Hoog as modified teaches The computer program product of claim 1, wherein the set of computer-readable instructions comprises a template activity description and said generating the forensically interpreted activity for the event comprises inserting the forensic metadata and the result into the template activity description (Hoog, [0109] and [0127], where the analysis module may generate one or more reports (i.e., “forensically interpreted activity for the event”) and the results of the analysis including, for example, setting a KRI value for “New User Creation” to “FAIL” (i.e., “result”). See Hoog, [0131], where a report may include a main dashboard that includes values for KRIs, where the dashboard may include a tabular representation with graphical indications of KRI values for a variety of forensic categories (i.e., thus in this manner, the disclosed dashboard corresponds to the claimed “template activity description”)). 

	Regarding claim 10: Hoog as modified teaches The computer program product of claim 1, wherein the change to the forensic artifact comprises at least one of a creation of the forensic artifact, an update to the forensic artifact or a deletion of the forensic artifact (Hoog, [0109], where the analysis module may calculate or otherwise generate a key risk indicator value from processed forensic data, where the processed forensic data may relate to the creation of a new user account (i.e., “creation of the forensic artifact”)).

	Regarding claim 11: Claim 11 recites substantially the same claim limitations as claim 1, and is rejected for the same reasons.

	Regarding claim 12: Claim 12 recites substantially the same claim limitations as claim 2, and is rejected for the same reasons.

	Regarding claim 16: Claim 16 recites substantially the same claim limitations as claim 6, and is rejected for the same reasons.

	Regarding claim 18: Claim 18 recites substantially the same claim limitations as claim 7, and is rejected for the same reasons.

	Regarding claim 19: Claim 19 recites substantially the same claim limitations as claim 10, and is rejected for the same reasons.

	Regarding claim 20: Claim 20 recites substantially the same claim limitations as claim 1, and is rejected for the same reasons.
	Note that Hoog discloses a “real-time forensic instrumentation” because (1) Hoog discloses a monitoring module that may monitor activity occurring in real time (Hoog, [0046]), and (2) Hoog discloses that, rather than a forensic investigation being limited to the existing system state post-incident, the incident response analysis may include forensic data during and immediately post-incident (Hoog, [0028]), i.e., in real-time.

	Regarding claim 21: Claim 21 recites substantially the same claim limitations as claim 7, and is rejected for the same reasons.


Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Hoog (“Hoog”) (US 2012/0191660 A1), in view of Nguyen et al. (“Nguyen”) (US 2020/0327225 A1), in further view of Kinder et al. (“Kinder”) (US 2017/0244754 A1), in further view of Halcrow et al. (“Halcrow”) (US 2021/0012000 A1).
	Regarding claim 3: Hoog as modified teaches The computer program product of claim 1, wherein the set of computer-readable instructions comprises:
	a set of code libraries, each code library in the set of code libraries corresponding to a different type of forensic artifact (Hoog, [0105], where the processing procedure (i.e., “code library”) performed by the analysis module may be specific to each of a plurality of forensic data types (i.e., “corresponding to a different type of forensic artifact”));
	… [a] first code library executable to perform said applying the forensic analysis to the forensic artifact to generate the result and said creating the forensically interpreted activity and storing the forensically interpreted activity (Hoog, [0105], where the analysis module may process received forensic data based at least in part on the type of forensic data received, i.e., performing a processing procedure (i.e., equivalent to the claimed “code library”) specific to each of a plurality of forensic data types. See Hoog, [0108-0109] and [0127] with regards to “applying the forensic analysis to the forensic artifact to generate the result and said creating the forensically interpreted activity and storing the forensically interpreted activity” as seen in the independent claim above).
	Although Hoog does not appear to explicitly state that a “code library” is utilized, Hoog’s disclosed “processing procedure” are a series of computing instructions/steps/functions that are implemented in accordance with a particular event type (i.e., corresponding to analyzing that particular event type), and thus is equivalent to the claimed “code library”, which is also a series of computing instructions/steps/functions for analyzing certain event types.
	Hoog as modified does not appear to explicitly teach code executable to map the event information to a first code library from the set of code libraries.
	Halcrow teaches code executable to map the event information to a first code library from the set of code libraries (Halcrow, [0032-0034], where a plurality of detectors are used to determine whether certain events are indicative of a potential threat, e.g., each detector (i.e., “code library”) may be configured to determine whether events of a specific type of file are indicative of a potential threat, e.g., a first detector analyzes events involving executable binaries of a first type, whereas a second detector analyzes events involving executable binaries of a second type, i.e., where the claimed “[mapping] the event information to a first code library” occurred based on the type of executable binary).
	Although Halcrow does not appear to explicitly state that a “code library” is utilized, Halcrow’s disclosed “detectors” are a series of computing instructions/steps/functions that are implemented in accordance with a particular event type (i.e., corresponding to analyzing that particular event type), and thus is equivalent to the claimed “code library”, which is also a series of computing instructions/steps/functions for analyzing certain event types. Therefore, Halcrow is equivalent to the claimed invention and the claimed invention does not distinguish over the prior art.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Hoog as modified and Halcrow with the motivation of allowing custom analysis steps/frameworks corresponding to different types to be utilized which has the advantages of better accuracy (i.e., certain event types may have different structures such as one has a series of events/paths that are followed, another may weigh more on simply just one dimension such as path information, etc.).

	Regarding claim 13: Claim 13 recites substantially the same claim limitations as claim 3, and is rejected for the same reasons.


Claims 4-5 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Hoog (“Hoog”) (US 2012/0191660 A1), in view of Nguyen et al. (“Nguyen”) (US 2020/0327225 A1), in further view of Kinder et al. (“Kinder”) (US 2017/0244754 A1), in further view of Nair et al. (“Nair”) (US 2021/0042262 A1).
	Regarding claim 4: Hoog as modified teaches The computer program product of claim 1, but does not appear to explicitly teach wherein the set of computer-readable instructions comprises code executable to register a callback with the notification interface of the operating system.
	Nair teaches wherein the set of computer-readable instructions comprises code executable to register a callback with the notification interface of the operating system (Nair, [0031-0032], where a kernel space layer of an operating system controls access to requested files. The file protection engine is used to filter and classify I/O requests that may be provided by applications. The interception is accomplished by the file protection engine defining callback functions that are invoked whenever an activity of interest is recognized (note that one of ordinary skill in the art would have recognized that callback functions provide notifications1). The file protection engine filters I/O requests based on associated file system attributes for purposes of classifying the I/O requests and thereby recognizing the activity of interest).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Hoog as modified and Nair (hereinafter “Hoog as modified”) with the motivation of avoiding performance degradation while also improving data security without affecting the performance of the endpoint device and without interfering with other software loaded on the endpoint device (since monitoring and analyzing activities on a device may require a large amount of resources)2.

	Regarding claim 5: Hoog as modified teaches The computer program product of claim 4, wherein the set of computer-readable instructions comprises a callback routine for the callback, the callback routine comprising the forensic artifact filter (Nair, [0031-0032], where a kernel space layer of an operating system controls access to requested files. The file protection engine is used to filter and classify I/O requests (i.e., “artifact filter”) that may be provided by applications. The interception is accomplished by the file protection engine defining callback functions that are invoked whenever an activity of interest is recognized. See Hoog, [0048], where the monitoring module extracts forensic data (i.e., “forensic artifact”) based in part on the monitored activity, including one or more defined activities to monitor. Note that it would have been obvious to have modified Nair’s disclosure such that Nair’s event filter is substituted with Hoog’s forensic artifact filter with predictably equivalent operating characteristics, which is that events are monitored for, filtered, and analyzed, regardless of whether the data pertains to forensic artifact data, as disclosed by Hoog and as claimed, or some other type of event-related data, as disclosed by Nair). 

	Regarding claim 14: Claim 14 recites substantially the same claim limitations as claim 4, and is rejected for the same reasons.

	Regarding claim 15: Claim 15 recites substantially the same claim limitations as claim 5, and is rejected for the same reasons.


Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Hoog (“Hoog”) (US 2012/0191660 A1), in view of Nguyen et al. (“Nguyen”) (US 2020/0327225 A1), in further view of Kinder et al. (“Kinder”) (US 2017/0244754 A1), in further view of Ponnuru et al. (“Ponnuru”) (US 2020/0351293 A1).
	Regarding claim 9: Hoog as modified teaches The computer program product of claim 1, but does not appear to explicitly teach wherein the forensic artifact filter outputs the forensic artifact filter output as an out-of-band output.
	Ponnuru teaches wherein the forensic artifact filter outputs the forensic artifact filter output as an out-of-band output (Ponnuru, [0053-0055], where the system collects firmware- or hardware-related activity from at least one out-of-band management controller, where the collected data (i.e., “out-of-band output”) is analyzed by comparing the collected data to one or more control state configuration profiles and applying at least one rule-based engine to the collected data. See Hoog, [0048], where the monitoring module extracts forensic data (i.e., “forensic artifact”) based in part on the monitored activity, including one or more defined activities to monitor.
Note that it would have been obvious to have modified Ponnuru’s disclosure such that Ponnuru’s event filter is substituted with Hoog’s forensic artifact filter with predictably equivalent operating characteristics, which is that events are monitored for, filtered, and analyzed, regardless of whether the data pertains to forensic artifact data, as disclosed by Hoog and as claimed, or some other type of event-related data, as disclosed by Ponnuru).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Hoog and Ponnuru with the motivation of allowing the system to continue monitoring the devices regardless of the network connectivity status (e.g., online or offline) of the device (which is particularly important in cases, for example, where a device may be temporarily offline due to an attack).








Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to IRENE BAKER whose telephone number is (408)918-7601. The examiner can normally be reached M-F 8-5PM PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NEVEEN ABEL-JALIL can be reached on (571)270-0474. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/IRENE BAKER/Primary Examiner, Art Unit 2152                                                                                                                                                                                                        
18 November 2021




    
        
            
        
            
        
            
    

    
        1 See, e.g., Kostyushko et al. US Patent Publication No. 2020/0137085 A1 at [0041] (where events are collected via subscription mechanisms in operating systems that allow registering callback to receive notifications when an event occurs).
        2 Kostyuhsko et al. at [0003-0004].