DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office action is in response to the RCE/information disclosure statement(s), filed on 10/20/2021, in which claim(s) 1-20 is/are presented for further examination.
Claim(s) 1-20 is/are allowed.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission, filed on 10/20/2021, has been entered.

Information Disclosure Statement
The information disclosure statement(s) (IDS), submitted on 10/20/2020 (6), 10/21/2021, 11/1/2021 and 11/8/2021, is/are in compliance with the provisions of 37 CFR 1.97.  However, the German reference, designated EP 1 607 824 A2, was/were not considered because an English translation was not provided.  However, the examiner is considering the rest of the information disclosure statement(s).

EXAMINER’S AMENDMENT
As presented in the Notice of Allowance, dated 10/20/2021, an examiner’s amendment to the record appears below.  Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
On 10/7/2021, the examiner had a telephone interview with applicant’s representative at (512) 338-9100 to discuss clarifying amendments to the claims to obviate potential objections/rejections as well as distinguish applicant’s invention from the cited prior art.
Authorization for this examiner’s amendment was given by Stephen Terrile, Registration No. 32,946, on 10/7/2021.
Please amend the claims, filed on 5/13/2021, as follows:
1.	(Currently Amended) A computer-implementable method for resolving an identity of an entity, comprising:
receiving a stream of events from a protected endpoint, the stream of events comprising a plurality of events, the protected endpoint comprising an endpoint agent executing on an endpoint device, the endpoint agent requiring the endpoint device to comply with particular criteria before being granted access to network resources, the protected endpoint providing a policy-based approach to network security;
parsing entity identifier information associated with the entity from the stream of events to provide an entity identifier element, the entity identifier information comprising temporal information;
classifying the entity identifier element by type to provide a classified entity identifier element, the classified entity identifier element comprising an entity identifier element type, the 
normalizing the classified entity identifier element to provide a classified and normalized entity identifier element, the classified and normalized entity identifier element comprising a type-dependent normalized entity identifier element;
associating the classified and normalized entity identifier element and the temporal information with the entity in real time to resolve the identity of the entity at a particular point in time, the associating determining whether the classified and normalized entity identifier element matches a known entity identifier element type for the particular point in time in a repository of resolved entity identifier data; [[and,]]
storing the resolved identity of the entity in the repository of resolved entity identifier data;
performing a security analysis operation, the security analysis operation using the resolved identity of the entity at the particular point in time to assess a risk associated with the entity; and,
responding with an associated response based on the accessed risk associated with the entity.
7.	(Currently Amended) A system comprising:
a processor;
a data bus coupled to the processor; and
a non-transitory, computer-readable storage medium embodying computer program code for resolving an identity of an entity, the non-transitory, computer-readable storage medium 
receiving a stream of events from a protected endpoint, the stream of events comprising a plurality of events, the protected endpoint comprising an endpoint agent executing on an endpoint device, the endpoint agent requiring the endpoint device to comply with particular criteria before being granted access to network resources, the protected endpoint providing a policy-based approach to network security;
parsing entity identifier information associated with the entity from the stream of events to provide an entity identifier element, the entity identifier information comprising temporal information;
classifying the entity identifier element by type to provide a classified entity identifier element, the classified entity identifier element comprising an entity identifier element type, the entity identifier element type providing a representation of a particular attribute associated with the entity identifier element;
normalizing the classified entity identifier element to provide a classified and normalized entity identifier element, the classified and normalized entity identifier element comprising a type-dependent normalized entity identifier element;
associating the classified and normalized entity identifier element and the temporal information with the entity in real time to resolve the identity of the entity at a particular point in time, the associating determining whether the classified and normalized entity identifier element matches a known entity identifier element type for the particular point in time in a repository of resolved entity identifier data; [[and,]]
storing the resolved identity of the entity in the repository of resolved entity identifier data;
performing a security analysis operation, the security analysis operation using the resolved identity of the entity at the particular point in time to assess a risk associated with the entity; and,
responding with an associated response based on the accessed risk associated with the entity.
13.	(Currently Amended) A non-transitory, computer-readable storage medium embodying computer program code for resolving an identity of an entity, the computer program code comprising computer executable instructions configured for:
receiving a stream of events from a protected endpoint, the stream of events comprising a plurality of events, the protected endpoint comprising an endpoint agent executing on an endpoint device, the endpoint agent requiring the endpoint device to comply with particular criteria before being granted access to network resources, the protected endpoint providing a policy-based approach to network security;
parsing entity identifier information associated with the from the stream of events entity to provide an entity identifier element, the entity identifier information comprising temporal information;
classifying the entity identifier element by type to provide a classified entity identifier element, the classified entity identifier element comprising an entity identifier element type, the entity identifier element type providing a representation of a particular attribute associated with the entity identifier element;

associating the classified and normalized entity identifier element and the temporal information with the entity in real time to resolve the identity of the entity at a particular point in time, the associating determining whether the classified and normalized entity identifier element matches a known entity identifier element type for the particular point in time in a repository of resolved entity identifier data; [[and,]]
storing the resolved identity of the entity in the repository of resolved entity identifier data;
performing a security analysis operation, the security analysis operation using the resolved identity of the entity at the particular point in time to assess a risk associated with the entity; and,
responding with an associated response based on the accessed risk associated with the entity.

Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance:
The prior art of record does not teach the limitations of claim 1.  An updated search did not reveal any prior art that would anticipate or render obvious the invention as presented in the claim.  Specifically, the prior art does not teach:
“receiving a stream of events from a protected endpoint, the stream of events comprising a plurality of events, the protected endpoint comprising an endpoint agent executing on an 
parsing entity identifier information associated with the entity from the stream of events to provide an entity identifier element, the entity identifier information comprising temporal information;
classifying the entity identifier element by type to provide a classified entity identifier element, the classified entity identifier element comprising an entity identifier element type, the entity identifier element type providing a representation of a particular attribute associated with the entity identifier element;
normalizing the classified entity identifier element to provide a classified and normalized entity identifier element, the classified and normalized entity identifier element comprising a type-dependent normalized entity identifier element;
associating the classified and normalized entity identifier element and the temporal information with the entity in real time to resolve the identity of the entity at a particular point in time, the associating determining whether the classified and normalized entity identifier element matches a known entity identifier element type for the particular point in time in a repository of resolved entity identifier data;
storing the resolved identity of the entity in the repository of resolved entity identifier data;
performing a security analysis operation, the security analysis operation using the resolved identity of the entity at the particular point in time to assess a risk associated with the entity; and,
responding with an associated response based on the accessed risk associated with the entity.”.
Claim(s) 7 and 13 recite(s) features similar to those of claim 1 and is/are allowed for at least the same reasons.
The dependent claim(s), which depend directly or indirectly upon claim(s) 1, 7 and 13, is/are also distinct from the prior art for at least the same reasons.
After further review of the results of the searches conducted and the claims most currently amended, the examiner is persuaded that the prior art does not teach the above described and highlighted major features in independent claim(s) 1, 7 and 13 and other recited features.
An updated search for prior art was conducted.  The prior art searched and examined does not fairly teach or suggest the limitations of the claimed subject matter.
The prior art of record neither anticipates nor renders obvious the recited combination.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Prior Art
Pertinent prior art was discovered, but it neither anticipates nor renders obvious the claimed subject matter.


Point of Contact
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUBERT G CHEUNG whose telephone number is (571) 270-1396. The examiner can normally be reached M-R 8:00A-5:00P EST; alt. F 8:00A-4:00P EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neveen Abel-Jalil can be reached on (571) 270-0474. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



Examiner: Hubert Cheung
/Hubert Cheung/
Assistant Examiner, Art Unit 2152
Date: January 7, 2022

/NEVEEN ABEL JALIL/
Supervisory Patent Examiner, Art Unit 2152