DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
	This Office Action has been issued in response to Applicant’s Communication of amended application S/N 15/902,856 filed on September 22, 2021.  After thorough search and examination of the present application and in light of the prior art made of record, claims 1 to 5, 7 to 15, and 17 to 20 are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given by Applicant’s Representative, Levi S. Brown, Reg. No. 72,533, during an interview held on January 20, 2022.
Please amend the claims, which were filed on September 22, 2021 with new versions as follows:
	1.	(Currently Amended) A computing system configured to facilitate an improvement in computer security by identifying computer security threats upstream from a database
one or more processors; and

access a store query that is structured in accordance with a store query language, wherein the store query is configured to query a database that stores events received from a data stream, and the store query is verified as being known to return results that potentially correspond to security threats when queried against the events after the events are stored in the database;
create a syntax graph of the store query; 
access a set of rules of the store query language of the store query;
use at least the syntax graph and the set of rules of the store query language to convert the store query into a standing query; 
deploy a first instance of the standing query into a first intermediary computing system and deploy a second instance of the standing query into a second intermediary computing system, wherein:
the first intermediary computing system is situated between a first event source and the database, and the second intermediary computing system is situated between a second event source and the database[[,]];
the first intermediary computing system is configured to gather new events originating from the first event source, and the second intermediary computing system is configured to gather new events originating from the second event source[[,]];
a plurality of nodes are , and each node in the plurality of nodes bookmarks which new events the ;
the first intermediary system is further configured to receive events from the first event source using a transmission control protocol (TCP) such that the first instance of the standing query operates on TCP-based events[[,]]; and
the second intermediary system is configured to receive events from the second event source using a user datagram protocol (UDP) such that the second instance of the standing query operates on UDP-based events; and
execute the first instance and the second instance of the standing query against the new events that are uploaded in the data stream and that originate from the first and the second event sources, wherein the standing query, including any instances thereof, is configured to identify specific events that correspond to potential computer security threats and to generate alerts for the specific events.

2.	(Previously Presented) The computing system in accordance with Claim 1, further comprising:
flowing events into the standing query to generate a plurality of matching events that match the standing query, wherein the standing query is a dataflow graph.

3.	(Previously Presented) The computing system in accordance with Claim 2, wherein accessing the store query comprises:

4.	(Original) The computing system in accordance with Claim 3, the flowed events being events streamed from at least some of the plurality of event sources.

5.	(Previously Presented) The computing system in accordance with Claim 4, further comprising:
deploying the standing query into at least one of the at least some of the plurality of event sources.

6.	(Cancelled). 

7.	(Currently Amended) The computing system in accordance with Claim 2, the plurality of matching events corresponding to events that would be returned if the store query was issued against a store that included the flowed events.

8.	(Original) The computing system in accordance with Claim 1, the syntax graph comprising an abstract syntax tree of the store query.

9.	(Original) The computing system in accordance with Claim 1, the creating of the syntax graph comprising:
creating an initial syntax graph based on the store query; and
rewriting the initial syntax graph.

10.	(Previously Presented) The computing system in accordance with Claim 1, wherein accessing the store query comprises:
accessing a particular store query that is structured in accordance with the store query language and that was tested against a store in which a plurality of events is gathered from a plurality of event sources.

11.	(Currently Amended) A method for converting a store query into a standing query, the standing query being configured to facilitate an improvement in computer security by identifying computer security threats upstream from a database
accessing a store query that is structured in accordance with a store query language, wherein the store query is configured to query a database that stores events received from a data stream, and the store query is verified as being known to return results that potentially correspond to security threats when queried against the events after the events are stored in the database;
creating a syntax graph of the store query; 
accessing a set of rules of the store query language of the store query; 
using at least the syntax graph and the set of rules of the store query language to convert the store query into a standing query; 
deploying a first instance of the standing query into a first intermediary computing system and deploy a second instance of the standing query into a second intermediary computing system, wherein:
;
the first intermediary computing system is configured to gather new events originating from the first event source, and the second intermediary computing system is configured to gather new events originating from the second event source[[,]];
a plurality of nodes are , and each node in the plurality of nodes bookmarks which new events the first intermediary computing system and/or the second intermediary system has received[[,]];
the first intermediary system is further configured to receive events from the first event source using a transmission control protocol (TCP) such that the first instance of the standing query operates on TCP-based events[[,]]; and
the second intermediary system is configured to receive events from the second event source using a user datagram protocol (UDP) such that the second instance of the standing query operates on UDP-based events; and
executing the first instance of the standing query and the second instance of the standing query against the new events that are uploaded in the data stream and that originate from the first and the second event sources, wherein the standing query, including any instances thereof, is configured to identify specific events that correspond to potential computer security threats and to generate alerts for the specific events. 


flowing events into the standing query to generate a plurality of matching events that match the standing query.

13.	(Previously Presented) The method in accordance with Claim 12, the accessing of the store query comprising:
accessing a particular store query that is structured in accordance with the store query language and that was tested against an event store in which a plurality of events is gathered from a plurality of event sources.

14.	(Original) The method in accordance with Claim 13, the flowed events being events streamed from at least some of the plurality of event sources.

15.	(Previously Presented) The method in accordance with Claim 14, further comprising:
deploying the standing query into at least one of the at least some of the plurality of event sources.

16.	(Cancelled).

17.	(Currently Amended) The method in accordance with Claim 12, the plurality of matching events corresponding to events that would be returned if the store query was issued against a store that included the flowed events.


19.	(Previously Presented) The method in accordance with Claim 11, the accessing of the store query comprising:
accessing a store query that is structured in accordance with the store query language and that was tested against a store in which a plurality of events is gathered from a plurality of event sources.

20.	(Currently Amended) One or more computer-readable hardware storage devices comprising physical memory that store computer executable instructions that are executable by one or more processors of a computing system to at least: 
access a store query that is structured in accordance with a store query language, wherein the store query is configured to query a database that stores events received from a data stream, and the store query is verified as being known to return results that potentially correspond to security threats when queried against the events after the events are stored in the database;
create a syntax graph of the store query;
access a set of rules of the store query language of the store query;
use at least the syntax graph and the set of rules of the store query language to convert the store query into a standing query; 
deploy a first instance of the standing query into a first intermediary computing system and deploy a second instance of the standing query into a second intermediary computing system, wherein:
;
the first intermediary computing system is configured to gather new events originating from the first event source, and the second intermediary computing system is configured to gather new events originating from the second event source[[,]];
a plurality of nodes are , and each node in the plurality of nodes bookmarks which new events the first intermediary computing system and/or the second intermediary system has received[[,]];
the first intermediary system is further configured to receive events from the first event source using a transmission control protocol (TCP) such that the first instance of the standing query operates on TCP-based events[[,]]; and
the second intermediary system is configured to receive events from the second event source using a user datagram protocol (UDP) such that the second instance of the standing query operates on UDP-based events; and
execute the first instance of the standing query and the second instance of the standing query against the new events that are uploaded in the data stream and that originate from the first and the second event sources, wherein the standing query, including any instances thereof, is configured to identify specific events that correspond to potential computer security threats and to generate alerts for the specific events.
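The conversion and deployment recited in claims 1, 11 and 20, as an added illustration that is not part of the application or of this Office Action: a constructed toy store-query language (a Python expression over an event dict, assumed here), its syntax graph checked against a whitelist standing in for the language rules, compiled into a standing-query predicate, and two intermediary instances (labelled "tcp" and "udp"; no sockets are opened) that each bookmark the last event id they processed and raise alerts before anything reaches a database.

```python
import ast
from dataclasses import dataclass, field

# Constructed toy store query: a Python expression over an event dict (hypothetical language).
STORE_QUERY = 'event["kind"] == "auth_fail" and event["count"] > 3'

# Rules of the store query language: the only node types the syntax graph may
# contain. Anything else (calls, attributes, imports) is rejected before eval().
ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.Compare, ast.Eq,
           ast.NotEq, ast.Gt, ast.Lt, ast.Subscript, ast.Name, ast.Load, ast.Constant)

def syntax_graph(query):
    """Build the syntax graph (an AST) and check every node against the rules."""
    tree = ast.parse(query, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise ValueError("disallowed construct: " + type(node).__name__)
        if isinstance(node, ast.Name) and node.id != "event":
            raise ValueError("unknown identifier: " + node.id)
    return tree

def to_standing_query(query):
    """Convert the validated store query into a standing query: a per-event predicate."""
    code = compile(syntax_graph(query), "<standing-query>", "eval")
    return lambda ev: bool(eval(code, {"__builtins__": {}}, {"event": ev}))

@dataclass
class Intermediary:
    """A node between an event source and the database; runs one standing-query instance."""
    transport: str       # "tcp" or "udp": a label only, no sockets in this toy
    predicate: object
    bookmark: int = -1   # id of the last event this node has processed
    alerts: list = field(default_factory=list)

    def ingest(self, events):
        for ev in events:
            if ev["id"] <= self.bookmark:
                continue             # replayed or duplicate: already bookmarked
            self.bookmark = ev["id"]
            if self.predicate(ev):   # match found upstream of the database
                self.alerts.append((self.transport, ev["id"]))

def run_demo():
    """Deploy one instance per source and feed constructed sample events."""
    sq = to_standing_query(STORE_QUERY)
    tcp, udp = Intermediary("tcp", sq), Intermediary("udp", sq)
    tcp.ingest([{"id": 1, "kind": "auth_fail", "count": 5},
                {"id": 2, "kind": "login", "count": 0}])
    udp.ingest([{"id": 7, "kind": "auth_fail", "count": 2},
                {"id": 8, "kind": "auth_fail", "count": 9}])
    return tcp.alerts + udp.alerts
```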

REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance:
The prior art made of record neither renders obvious nor anticipates the combination of claimed elements, as recited in independent claims 1, 11, and 20.
More specifically, the prior art of record does not specifically suggest the combination of “accessing a store query, where the store query is verified as being known to return results that potentially correspond to security threats when queried against events after the events are stored in a database, create a syntax graph of the store query; access a set of rules of the store query language of the store query; use at least the syntax graph and the set of rules of the store query language to convert the store query into a standing query; deploy a first instance of the standing query into a first intermediary computing system and deploy a second instance of the standing query into a second intermediary computing system, wherein: the first intermediary computing system is situated between a first event source and the database, and the second intermediary computing system is situated between a second event source and the database, the first instance of the standing query operates on TCP-based events, the second instance of the standing query operates on UDP-based events; wherein the standing query, including any instances thereof, is configured to identify specific events that correspond to potential computer security threats and to generate alerts for the specific events” and all the other limitations recited in independent claims 1, 11, and 20.
These features together with other limitations of the independent claims are novel and non-obvious over the prior art of record; therefore claims 1, 11, and 20 are allowed.  The dependent claims 2 to 5, 7 to 10, 12 to 15, and 17 to 19, being definite, enabled by the specification, and further limiting the independent claims, are also allowed.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAQUEL PEREZ-ARROYO whose telephone number is (571)272-8969. The examiner can normally be reached Monday - Friday, 8:00am - 5:30pm, Alt Friday, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Usmaan Saeed can be reached on 571-272-4046. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/RAQUEL PEREZ-ARROYO/Examiner, Art Unit 2169