Notice of Pre-AIA or AIA Status
The present application, filed on or after June 05, 2019, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
Claims 1, 3-5, 7-8, 10-12, 14-15, 17-19 and 21 are pending and are being considered.
Claims 1, 5, 8 and 15 have been amended.

Response to Arguments under 35 U.S.C. 103
	Applicant's arguments filed on 12/09/2021 have been fully considered and are partially persuasive. In response to applicant's argument on page 9 of the remarks that none of the cited references teach the amended limitations
1.	“wherein each security-relevant subsystem of the plurality of security-relevant subsystems is configured to monitor and log their activity with respect to the computing platform”
2.	“receiving a unified query concerning logged files of the plurality of security-relevant subsystems with respect to the computing platform”
	The applicant on pages 9-14 of the remarks argues that Navas (i.e. the primary reference) fails to teach the amended limitation “wherein each security-relevant subsystem of the plurality of security-relevant subsystems is configured to monitor and log their activity with respect to the computing platform”; the applicant further argues in the last paragraph of page 14 that Cichon and Zimmermann (i.e. the second and third references) also fail to teach the above amended limitation. The examiner acknowledges applicant's point but respectfully disagrees, because Zimmermann (i.e. the third reference) teaches the above amended limitation. Zimmermann on [0137] teaches that the set of events is tracked by the UBA platform 500 (i.e. a security-relevant subsystem, interpreted in view of [0080] of the instant application). See also [0124-0125], which teach the cyber intelligence platform monitoring and analyzing user activity, such as through the UBA platform 500; the cyber intelligence platform 6500 may also monitor and analyze activity, such as through the platform 500, from logs and other sources of events. See [0171], which teaches that UBA may be performed in part by ingesting and analyzing event log data that may be sourced from the APIs of different service providers. See [0542], which teaches that the CSF 100 may collect logs, such as S3 access logs, for inspection, such as for UBA. See [0114], which teaches user behavior monitoring services 114 (which monitor and analyze user activity to detect potential anomalies and significant changes that may suggest malicious behavior). For more detail see the rejection below.
The rest of applicant's arguments regarding the second amended limitation are moot in view of the new grounds of rejection. The arguments do not apply to the current art being used.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 12 and 19 recite the limitation "the third party". There is insufficient antecedent basis for this limitation in the claims. It should read “a third party”.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior 

Claims 1, 3-5, 7-8, 10-12, 14-15, 17-19 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Navas (US 20100125574) in view of Zimmermann et al (hereinafter Zimmermann) (US 20180027006) and further in view of Bhattacharjee et al (hereinafter Bhattacharjee) (US 20190095488).

Regarding claim 1 Navas teaches A computer-implemented method, executed on a computing device, comprising (Navas on [Claim 1] teaches A computer-implemented method);
establishing connectivity with a plurality of security-relevant subsystems within a computing platform [[including utilizing a respective application program interface to access each of the plurality of security-relevant subsystems]] (Navas Fig 1 and text on [0029] teaches an enterprise system that supports federation of real-time event data. Enterprise network 100 illustrates a network of nodes LE nodes 110, 120, 130, and 140 within the enterprise for processing queries. Further teaches a client device that connects with enterprise network 100 that allows a user to interact with enterprise network 100. See also Fig 2-3 and text on [0060-0063 and 0066] teaches establishing connectivity between different nodes by sending and responding to a request or query);
distributing at least a portion of the unified query to the plurality of security-relevant subsystems, including: (Navas Fig 2 and text on [0059-0061] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to nodes 230, 250 and Q2, Q4 are parsed to node 240; accordingly responses R1-R4 are generated as results of the respective queries);
parsing the unified query to form a plurality of queries, wherein a specific query is defined for each of the plurality of security-relevant subsystems (Navas Fig 2 and text on [0059-0062 and 0066] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to node 230, 250 and Q2, Q4 is parsed to node 240 accordingly response R1-R4 is generated as result of respective queries);
and providing the specific query defined for each of the plurality of security-relevant subsystems to the respective security-relevant subsystems (Navas Fig 2 and text on [0059-0062, 0066] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to nodes 230, 250 and Q2, Q4 are parsed to node 240; accordingly responses R1-R4 are generated as results of the respective queries);
effectuating the at least a portion of the unified query on each of the plurality of security-relevant subsystems to generate a plurality of result sets (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. The query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The response components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information. See also Fig 3 and text on [0066-0068] teaches the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing);
receiving the plurality of result sets from the plurality of security-relevant subsystems (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. The query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The response components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information. See also Fig 3 and text on [0066-0068] teaches the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing (i.e. the portions of the query Q1-Q4 are processed at different nodes and the respective response from each node is returned)).
Although Navas teaches multiple APIs that enable a user to interact with a server (Navas on [0104]), it fails to explicitly teach utilizing a respective application program interface to access each of the plurality of security-relevant subsystems, wherein each security-relevant subsystem of the plurality of security-relevant subsystems is configured to monitor and log their activity with respect to the computing platform, and processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure; however Zimmermann from analogous art teaches utilizing a respective application program interface to access each of the plurality of security-relevant subsystems (Zimmermann on [0009] teaches systems for a cloud security fabric for providing enhanced security to one or more enterprise computing environments. The cloud security fabric has a plurality of enterprise APIs for connecting to the information technology infrastructure of at least one enterprise, a plurality of developer APIs for enabling developers to use capabilities of the fabric to develop applications, and a plurality of connector APIs by which the fabric may discover information about entities relating to the information security of the enterprise computing environment. See on [0102] teaches the enterprise API 104 family may include a variety of APIs 104 by which an enterprise may benefit from connection or interaction with the CSF 100, including to receive outputs and results from each of the modules or components of the CSF 100, and to deliver results and inputs to the CSF 100. See on [0108] teaches connector APIs 108 allow the CSF 100 to interact with and discover user accounts, data, event logs, applications and configuration in cloud platforms and in the applications that run on them or are developed on them (i.e. different APIs for performing different tasks on a security-relevant subsystem, interpreted in view of [0160] of the instant application));
wherein each security-relevant subsystem of the plurality of security-relevant subsystems is configured to monitor and log their activity with respect to the computing platform (Zimmermann on [0114] teaches user behavior monitoring services 114 of the CSF system (which monitor and analyze user activity to detect potential anomalies and significant changes that may suggest malicious behavior). See on [0124-0125] teaches the cyber intelligence platform monitors and analyzes user activity, such as through the UBA platform 500. The cyber intelligence platform 6500 may also monitor and analyze activity, such as through the platform 500, from logs and other sources of events. See on [0137] teaches the set of events is tracked by the UBA platform 500 (i.e. a security-relevant subsystem, interpreted in view of [0080] of the instant application). See on [0171] teaches UBA may be performed in part by ingesting and analyzing event log data that may be sourced from the APIs of different service providers. See on [0350] teaches the system may monitor and analyze their activity. See on [0422] teaches the CSF 100 may enable the collection of various events, such as from the logs 2720, APIs 2718, publication of events from a SIEM 2712, servers in the cloud 2714, and other APIs, logs, and tracking systems of the various facilities that enable or report on access to or usage of an application. See also on [0461] teaches the classification services of the CSF 100 continuously monitor a given cloud platform (e.g., Google Drive™), discovering and classifying potentially sensitive information. See also on [0489-0491] teaches the CSF 100 monitors and logs all the activities. See on [0532] teaches CSF 100 may include configuration monitoring and security. Configuration monitoring and security may include monitoring of sensitive configurations and monitoring of privileged access. Sensitive configuration monitoring may detect changes to key configurations, such as security group and password policy settings. Secure privileged access may include monitoring of the creation of access keys).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Zimmermann into the teaching of Navas by utilizing respective APIs for accessing the security subsystems. One would be motivated to do so in order to improve enterprise data security in a security-relevant system with no impact on the performance of a cloud resource (Zimmermann [0001 and 0014]).
Although the combination of Navas and Zimmermann teaches a system that identifies identical or common event information and merges the queries, it fails to explicitly teach receiving a unified query concerning logged files of the plurality of security-relevant subsystems with respect to the computing platform, and processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure; however Bhattacharjee from analogous art teaches receiving a unified query concerning logged files of the plurality of security-relevant subsystems with respect to the computing platform (Bhattacharjee on [0187] teaches a host device 106 comprising a router may generate one or more router logs that record information related to network traffic managed by the router. As yet another example, a host application 114 comprising a database server may generate one or more logs that record information related to requests (i.e. requests concerning log file information) sent from other host applications 114 (e.g., web servers or application servers) for data managed by the database server);
processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure (Bhattacharjee on [0516] teaches the worker nodes receive the partial search results collected from the data sources and transform them into a specified format. As such, partial search results in diverse formats can be transformed into a common specified format (i.e. multiple result into common format). The specified format may be specified to facilitate processing by the worker nodes).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Bhattacharjee into the combined teaching of Navas and Zimmermann by processing different results based on a query into results having a common format. One would be motivated to do so in order to improve performance in processing and analyzing data (Bhattacharjee on [0005-0006]).
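As an added illustration of the sequence of limitations discussed in the rejection of claim 1 (a unified query parsed into one query per subsystem, each dispatched through that subsystem's own interface, and the heterogeneous result sets brought into a common format, nomenclature and structure), the following Python is written for this page; it is not code from the application, from Navas, Zimmermann or Bhattacharjee, or from any product. The three subsystems, their field names and every log record are constructed for the example, and the per-subsystem connector functions stand in for the "respective application program interface".

```python
"""Federated query over heterogeneous security log sources (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

# Constructed sample logs, each in a deliberately different native format.
FIREWALL_LOG = [  # syslog-like lines with epoch-second timestamps
    "1700000000 DENY src=10.0.0.5 dst=203.0.113.9 user=alice",
    "1700000060 ALLOW src=10.0.0.7 dst=198.51.100.2 user=bob",
]
IAM_LOG = [  # structured records with ISO-8601 timestamps
    {"ts": "2023-11-14T22:13:20Z", "principal": "alice", "action": "LoginFailure", "ip": "10.0.0.5"},
    {"ts": "2023-11-14T22:15:00Z", "principal": "carol", "action": "LoginSuccess", "ip": "10.0.0.9"},
]
EDR_LOG = [  # CSV rows: time,host,account,verdict
    "2023-11-14T22:13:25Z,ws-01,alice,malicious",
    "2023-11-14T22:20:00Z,ws-02,dave,benign",
]


@dataclass(frozen=True)
class Event:
    """Common structure and nomenclature every subsystem's results are mapped onto."""
    ts: datetime
    source: str
    user: str
    action: str
    detail: str


def parse_unified_query(unified: dict) -> dict:
    """Parse one unified query (common field names, e.g. {"user": "alice"})
    into a specific query per subsystem, using each subsystem's native field name."""
    user = unified.get("user")
    return {
        "firewall": {"user": user},
        "iam": {"principal": user},
        "edr": {"account": user},
    }


# Connector functions: hypothetical stand-ins for each subsystem's own API.
def firewall_api(q: dict) -> list[dict]:
    out = []
    for line in FIREWALL_LOG:
        epoch, verdict, *kv = line.split()
        rec = dict(p.split("=", 1) for p in kv)
        rec.update(epoch=int(epoch), verdict=verdict)
        if q["user"] is None or rec["user"] == q["user"]:
            out.append(rec)
    return out


def iam_api(q: dict) -> list[dict]:
    return [r for r in IAM_LOG if q["principal"] is None or r["principal"] == q["principal"]]


def edr_api(q: dict) -> list[dict]:
    out = []
    for row in EDR_LOG:
        t, host, account, verdict = row.split(",")
        if q["account"] is None or account == q["account"]:
            out.append({"time": t, "host": host, "account": account, "verdict": verdict})
    return out


CONNECTORS: dict[str, Callable[[dict], list[dict]]] = {
    "firewall": firewall_api, "iam": iam_api, "edr": edr_api,
}


def normalise(source: str, rec: dict) -> Event:
    """Map one native record from a subsystem onto the common Event format."""
    if source == "firewall":
        return Event(datetime.fromtimestamp(rec["epoch"], tz=timezone.utc), source,
                     rec["user"], rec["verdict"], f'{rec["src"]}->{rec["dst"]}')
    if source == "iam":
        return Event(datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")), source,
                     rec["principal"], rec["action"], rec["ip"])
    if source == "edr":
        return Event(datetime.fromisoformat(rec["time"].replace("Z", "+00:00")), source,
                     rec["account"], rec["verdict"], rec["host"])
    raise ValueError(f"unknown subsystem {source}")


def federated_search(unified: dict) -> list[Event]:
    """Distribute the per-subsystem queries, receive each native result set,
    normalise every record, and merge into one time-ordered list."""
    per_subsystem = parse_unified_query(unified)
    events: list[Event] = []
    for source, query in per_subsystem.items():
        for rec in CONNECTORS[source](query):
            events.append(normalise(source, rec))
    # The common structure is what makes a single cross-source timeline possible.
    return sorted(events, key=lambda e: e.ts)


if __name__ == "__main__":
    for e in federated_search({"user": "alice"}):
        print(e.ts.isoformat(), e.source, e.user, e.action, e.detail)
```

The point to notice is where the translation work lives: the unified query is rewritten into each subsystem's vocabulary on the way out, and each subsystem's records are rewritten into the shared vocabulary on the way back, so the analyst never has to know that one source keys on `principal` and another on `account`.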

Regarding claim 8 Navas teaches A computer program product residing on a non-transitory computer readable medium having a plurality of instructions stored thereon which, when executed by a processor, cause the processor to perform operations comprising (Navas on [0127] teaches Memory 1120 may include read-only memory (ROM), flash memory, one or more varieties of random access memory (RAM), or the like, or a combination of such devices. Memory 1120 stores data and instructions for performing operations, including interacting with user clients, data sources, and/or other event server nodes);
establishing connectivity with a plurality of security-relevant subsystems within a computing platform [[including utilizing a respective application program interface to access each of the plurality of security-relevant subsystems]] (Navas Fig 1 and text on [0029] teaches an enterprise system that supports federation of real-time event data. Enterprise network 100 illustrates a network of nodes LE nodes 110, 120, 130, and 140 within the enterprise for processing queries. Further teaches a client device that connects with enterprise network 100 that allows a user to interact with enterprise network 100. See also Fig 2-3 and text on [0060-0063 and 0066] teaches establishing connectivity between different nodes by sending and responding to a request or query);
distributing at least a portion of the unified query to the plurality of security-relevant subsystems, including: (Navas Fig 2 and text on [0059-0061] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to nodes 230, 250 and Q2, Q4 are parsed to node 240; accordingly responses R1-R4 are generated as results of the respective queries);
parsing the unified query to form a plurality of queries, wherein a specific query is defined for each of the plurality of security-relevant subsystems (Navas Fig 2 and text on [0059-0062 and 0066] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to node 230, 250 and Q2, Q4 is parsed to node 240 accordingly response R1-R4 is generated as result of respective queries);
and providing the specific query defined for each of the plurality of security-relevant subsystems to the respective security-relevant subsystems (Navas Fig 2 and text on [0059-0062, 0066] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to nodes 230, 250 and Q2, Q4 are parsed to node 240; accordingly responses R1-R4 are generated as results of the respective queries);
effectuating the at least a portion of the unified query on each of the plurality of security-relevant subsystems to generate a plurality of result sets (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. The query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The response components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information. See also Fig 3 and text on [0066-0068] teaches the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing);
receiving the plurality of result sets from the plurality of security-relevant subsystems (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. The query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The response components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information. See also Fig 3 and text on [0066-0068] teaches the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing (i.e. the portions of the query Q1-Q4 are processed at different nodes and the respective response from each node is returned)).
Although Navas teaches multiple APIs that enable a user to interact with a server (Navas on [0104]), it fails to explicitly teach utilizing a respective application program interface to access each of the plurality of security-relevant subsystems, wherein each security-relevant subsystem of the plurality of security-relevant subsystems is configured to monitor and log their activity with respect to the computing platform, and processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure; however Zimmermann from analogous art teaches utilizing a respective application program interface to access each of the plurality of security-relevant subsystems (Zimmermann on [0009] teaches systems for a cloud security fabric for providing enhanced security to one or more enterprise computing environments. The cloud security fabric has a plurality of enterprise APIs for connecting to the information technology infrastructure of at least one enterprise, a plurality of developer APIs for enabling developers to use capabilities of the fabric to develop applications, and a plurality of connector APIs by which the fabric may discover information about entities relating to the information security of the enterprise computing environment. See on [0102] teaches the enterprise API 104 family may include a variety of APIs 104 by which an enterprise may benefit from connection or interaction with the CSF 100, including to receive outputs and results from each of the modules or components of the CSF 100, and to deliver results and inputs to the CSF 100. See on [0108] teaches connector APIs 108 allow the CSF 100 to interact with and discover user accounts, data, event logs, applications and configuration in cloud platforms and in the applications that run on them or are developed on them (i.e. different APIs for performing different tasks on a security-relevant subsystem, interpreted in view of [0160] of the instant application));
wherein each security-relevant subsystem of the plurality of security-relevant subsystems is configured to monitor and log their activity with respect to the computing platform (Zimmermann on [0114] teaches user behavior monitoring services 114 of the CSF system (which monitor and analyze user activity to detect potential anomalies and significant changes that may suggest malicious behavior). See on [0124-0125] teaches the cyber intelligence platform monitors and analyzes user activity, such as through the UBA platform 500. The cyber intelligence platform 6500 may also monitor and analyze activity, such as through the platform 500, from logs and other sources of events. See on [0137] teaches the set of events is tracked by the UBA platform 500 (i.e. a security-relevant subsystem, interpreted in view of [0080] of the instant application). See on [0171] teaches UBA may be performed in part by ingesting and analyzing event log data that may be sourced from the APIs of different service providers. See on [0350] teaches the system may monitor and analyze their activity. See on [0422] teaches the CSF 100 may enable the collection of various events, such as from the logs 2720, APIs 2718, publication of events from a SIEM 2712, servers in the cloud 2714, and other APIs, logs, and tracking systems of the various facilities that enable or report on access to or usage of an application. See also on [0461] teaches the classification services of the CSF 100 continuously monitor a given cloud platform (e.g., Google Drive™), discovering and classifying potentially sensitive information. See also on [0489-0491] teaches the CSF 100 monitors and logs all the activities. See on [0532] teaches CSF 100 may include configuration monitoring and security. Configuration monitoring and security may include monitoring of sensitive configurations and monitoring of privileged access. Sensitive configuration monitoring may detect changes to key configurations, such as security group and password policy settings. Secure privileged access may include monitoring of the creation of access keys).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Zimmermann into the teaching of Navas by utilizing respective APIs for accessing the security subsystems. One would be motivated to do so in order to improve enterprise data security in a security-relevant system with no impact on the performance of a cloud resource (Zimmermann [0001 and 0014]).
Although the combination of Navas and Zimmermann teaches a system that identifies identical or common event information and merges the queries, it fails to explicitly teach receiving a unified query concerning logged files of the plurality of security-relevant subsystems with respect to the computing platform, and processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure; however Bhattacharjee from analogous art teaches receiving a unified query concerning logged files of the plurality of security-relevant subsystems with respect to the computing platform (Bhattacharjee on [0187] teaches a host device 106 comprising a router may generate one or more router logs that record information related to network traffic managed by the router. As yet another example, a host application 114 comprising a database server may generate one or more logs that record information related to requests (i.e. requests concerning log file information) sent from other host applications 114 (e.g., web servers or application servers) for data managed by the database server);
processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure (Bhattacharjee on [0516] teaches the worker nodes receive the partial search results collected from the data sources and transform them into a specified format. As such, partial search results in diverse formats can be transformed into a common specified format (i.e. multiple result into common format). The specified format may be specified to facilitate processing by the worker nodes).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Bhattacharjee into the combined teaching of Navas and Zimmermann by processing different results based on a query into results having a common format. One would be motivated to do so in order to improve performance in processing and analyzing data (Bhattacharjee on [0005-0006]).

Regarding claim 15 Navas teaches a computing system including a processor and memory configured to perform operations comprising (Navas on [0126-0128] teaches Computing system 1100 includes one or more processors 1110, which executes instructions and may perform various operations. Memory 1120 represents the main memory of the computing system 1100, and provides temporary storage for code);
establishing connectivity with a plurality of security-relevant subsystems within a computing platform [[including utilizing a respective application program interface to access each of the plurality of security-relevant subsystems]] (Navas Fig 1 and text on [0029] teaches an enterprise system that supports federation of real-time event data. Enterprise network 100 illustrates a network of nodes LE nodes 110, 120, 130, and 140 within the enterprise for processing queries. Further teaches a client device that connects with enterprise network 100 that allows a user to interact with enterprise network 100. See also Fig 2-3 and text on [0060-0063 and 0066] teaches establishing connectivity between different nodes by sending and responding to a request or query);
distributing at least a portion of the unified query to the plurality of security-relevant subsystems, including: (Navas Fig 2 and text on [0059-0061] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to nodes 230, 250 and Q2, Q4 are parsed to node 240; accordingly responses R1-R4 are generated as results of the respective queries);
parsing the unified query to form a plurality of queries, wherein a specific query is defined for each of the plurality of security-relevant subsystems (Navas Fig 2 and text on [0059-0062 and 0066] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to node 230, 250 and Q2, Q4 is parsed to node 240 accordingly response R1-R4 is generated as result of respective queries);
and providing the specific query defined for each of the plurality of security-relevant subsystems to the respective security-relevant subsystems (Navas Fig 2 and text on [0059-0062, 0066] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to nodes 230, 250 and Q2, Q4 are parsed to node 240; accordingly responses R1-R4 are generated as results of the respective queries);
effectuating the at least a portion of the unified query on each of the plurality of security-relevant subsystems to generate a plurality of result sets (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. The query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The response components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information. See also Fig 3 and text on [0066-0068] teaches the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing);
receiving the plurality of result sets from the plurality of security-relevant subsystems (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. The query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The response components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information. See also Fig 3 and text on [0066-0068] teaches the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing (i.e. the portions of the query Q1-Q4 are processed at different nodes and the respective response from each node is returned));
Although Navas teaches multiple APIs that enable a user to interact with a server (Navas on [0104]), Navas fails to explicitly teach utilizing a respective application program interface to access each of the plurality of security-relevant subsystems, wherein each security-relevant subsystem of the plurality of security-relevant subsystems is configured to monitor and log their activity with respect to the computing platform, and processing one or more result sets of the plurality of result sets so that the result sets all have at least one of a common format, a common nomenclature, and a common structure. However, Zimmermann from analogous art teaches utilizing a respective application program interface to access each of the plurality of security-relevant subsystems (Zimmermann on [0009] teaches systems for a cloud security fabric for providing enhanced security to one or more enterprise computing environments. The cloud security fabric has a plurality of enterprise APIs for connecting to the information technology infrastructure of at least one enterprise, a plurality of developer APIs for enabling developers to use capabilities of the fabric to develop applications, and a plurality of connector APIs by which the fabric may discover information about entities relating to the information security of the enterprise computing environment. See on [0102] teaches the enterprise API 104 family may include a variety of APIs 104 by which an enterprise may benefit from connection or interaction with the CSF 100, including to receive outputs and results from each of the modules or components of the CSF 100 and to deliver results and inputs to the CSF 100. See on [0108] teaches connector APIs 108 allow the CSF 100 to interact with and discover user accounts, data, event logs, applications and configuration in cloud platforms and in the applications that run on them or are developed on them (i.e. different APIs for performing different tasks on a security-relevant subsystem, interpreted in view of [0160] of the instant application));
wherein each security-relevant subsystem of the plurality of security-relevant subsystems is configured to monitor and log their activity with respect to the computing platform (Zimmermann on [0114] teaches user behavior monitoring services 114 of the CSF system (which monitor and analyze user activity to detect potential anomalies and significant changes that may suggest malicious behavior). See on [0124-0125] teaches the cyber intelligence platform to monitor and analyze user activity, such as through a UBA platform 500. The cyber intelligence platform 6500 may also monitor and analyze activity, such as through the platform 500, from logs and other sources of events. See on [0137] teaches the set of events are tracked by the UBA platform 500 (i.e. security-relevant subsystem, interpreted in view of [0080] of the instant application). See on [0171] teaches UBA may be performed in part by ingesting and analyzing event log data that may be sourced from the APIs of different service providers. See on [0350] teaches the system may monitor and analyze their activity. See on [0422] teaches the CSF 100 may enable the collection of various events, such as from the logs 2720, APIs 2718, publication of events from a SIEM 2712, servers in the cloud 2714, and other APIs, logs, and tracking systems of the various facilities that enable or report on access to or usage of an application. See also on [0461] teaches the classification services of the CSF 100 continuously monitor a given cloud platform (e.g., Google Drive™), discovering and classifying potentially sensitive information. See also on [0489-0491] teaches the CSF 100 monitors and logs all the activities. See on [0532] teaches CSF 100 may include configuration monitoring and security. Configuration monitoring and security may include monitoring of sensitive configurations and monitoring of privileged access. Sensitive configuration monitoring may detect changes to key configurations, such as security group and password policy settings. Secure privileged access may include monitoring of the creation of access keys).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Zimmermann into the teaching of Navas by utilizing respective APIs for accessing the security subsystems. One would be motivated to do so in order to improve enterprise data security in a security-relevant system with no impact on the performance of a cloud resource (Zimmermann [0001 and 0014]).
Although the combination of Navas and Zimmermann teaches that the system identifies identical or common event information and merges the queries, it fails to explicitly teach receiving a unified query concerning logged files of the plurality of security-relevant subsystems with respect to the computing platform, and processing one or more result sets of the plurality of result sets so that the result sets all have at least one of a common format, a common nomenclature, and a common structure. However, Bhattacharjee from analogous art teaches receiving a unified query concerning logged files of the plurality of security-relevant subsystems with respect to the computing platform (Bhattacharjee on [0187] teaches a host device 106 comprising a router may generate one or more router logs that record information related to network traffic managed by the router. As yet another example, a host application 114 comprising a database server may generate one or more logs that record information related to requests (i.e. requests concerning log file information) sent from other host applications 114 (e.g., web servers or application servers) for data managed by the database server);
and processing one or more result sets of the plurality of result sets so that the result sets all have at least one of a common format, a common nomenclature, and a common structure (Bhattacharjee on [0516] teaches the worker nodes receive the partial search results collected from the data sources and transform them into a specified format. As such, partial search results in diverse formats can be transformed into a common specified format (i.e. multiple results into a common format). The specified format may be specified to facilitate processing by the worker nodes).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Bhattacharjee into the combined teaching of Navas and Zimmermann by processing the different results returned for a query into results having a common format. One would be motivated to do so in order to improve performance in processing and analyzing data (Bhattacharjee on [0005-0006]).
Regarding claims 3, 10 and 17, the combination of Navas, Zimmermann and Bhattacharjee teaches all the limitations of claims 1, 8 and 15 respectively. Navas further teaches, further comprising: combining the plurality of result sets to form a unified query result (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. The query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The response components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information. See also Fig. 3 and text on [0066-0068], which teaches that the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing. See on [0094] teaches the event server combines a complete response from the separate query component responses received from all data sources, 724. Combining of a response may be to combine multiple component responses, each to a different query component segment).

Regarding claims 4, 11 and 18, the combination of Navas, Zimmermann and Bhattacharjee teaches all the limitations of claims 3, 10 and 17 respectively. Navas further teaches wherein combining the plurality of result sets to form a unified query result includes: homogenizing the plurality of result sets to form the unified query result (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. The query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The response components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information. See also Fig. 3 and text on [0066-0068], which teaches that the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing. See on [0094] teaches the event server combines a complete response from the separate query component responses received from all data sources, 724. Combining of a response may be to combine multiple component responses, each to a different query component segment).
Regarding claims 5, 12 and 19, the combination of Navas, Zimmermann and Bhattacharjee teaches all the limitations of claims 3, 10 and 17 respectively. Navas further teaches, further comprising: providing the unified query result to the third-party (Navas on [0094] teaches the event server combines a complete response from the separate query component responses received from all data sources, 724. Combining of a response may be to combine multiple component responses, each to a different query component segment, as well as combining multiple responses for the same query component segment received from multiple different data sources. Combining the response may require processing of the data. The event server returns the response to the user, 726. See on [0028] teaches the data sources provide a response to the query processing entities, which then return results to the query source. See on [0068] teaches the responses to the queries are sent back to LE node 342, which can then return the response components corresponding to the query components to user 310, as well as to LE node 344, which can return the response components to user 330).

Regarding claims 7, 14 and 21, the combination of Navas, Zimmermann and Bhattacharjee teaches all the limitations of claims 1, 8 and 15 respectively. Navas further teaches wherein the plurality of security-relevant subsystems includes one or more of: a data lake; a data log; a security-relevant software application; a security-relevant hardware system; and a resource external to the computing platform (Navas on [0026, 0032, 0058] teaches an enterprise system refers to the network of computers and interconnection equipment within a company or organization. The enterprise system includes software components such as the servers and management systems. Each element of hardware and software within the enterprise system may be referred to as a subsystem, or simply "system" (thus, the enterprise system may be considered a system of systems). The enterprise system as described herein includes data sources. The data sources may be any subsystem (e.g., supply chain management (SCM), enterprise resource planning (ERP), human resources, customer relations management (CRM), information technology (IT), etc.) or database).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522.  The examiner can normally be reached on 7AM-5PM EST, M-Th and alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.



/MOEEN KHAN/Examiner, Art Unit 2436
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436