DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Double Patenting
Applicant alleged that the required Terminal Disclaimer was filed. However, the Examiner cannot find any filed Terminal Disclaimer in the image file wrapper. Therefore, the double patenting rejection is maintained.

Claim Rejections - 35 USC § 102
Applicant’s arguments filed on 3/01/2022, directed at the amended claims submitted on 3/01/2022 were considered, but are moot in view of new rejections made below in response to the latest amendments by applicant.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,425,442. Although the claims at issue are not identical, they are not patentably distinct from each other because claim 1 is generic to all that is recited in claim 1 of U.S. Patent No. 10,425,442. That is, claim 1 of U.S. Patent No. 10,425,442 falls entirely within the scope of claim 1 or, in other words, claim 1 is anticipated by claim 1 of U.S. Patent No. 10,425,442.


Claim 1 of the instant application compared, limitation by limitation, with claim 1 of U.S. Patent No. 10,425,442:

Instant application claim 1: A computer-implemented method, comprising:
Patent No. 10,425,442 claim 1: A computer-implemented method, comprising:

Instant application claim 1: sending a forensic data request to an endpoint device of an information technology or security environment, wherein the forensic data request is triggered based on execution of a search query identifying data indicating a potential security threat in the information technology or security environment, and wherein the forensic data request instructs the endpoint device to:
Patent No. 10,425,442 claim 1: executing a first query used to identify occurrences of a type of security threat at endpoint devices, the first query executed against event data generated from data collected from the endpoint devices, wherein execution of the first query is based at least in part on data from a component of the information technology or security environment that is not the endpoint device, and based on the first query having identified an occurrence of the type of security threat at the endpoint device, sending a forensic data request to the endpoint device,

Instant application claim 1: obtain forensic data related to activity of the endpoint device in the information technology or security environment, and
Patent No. 10,425,442 claim 1: the forensic data request causing the endpoint device to collect forensic data related to the type of security threat;

Instant application claim 1: send the forensic data to another component in the information technology or security environment;
Patent No. 10,425,442 claim 1: receiving, from an endpoint device of an information technology or security environment, forensic data collected from and related to activity of the endpoint device,

Instant application claim 1: obtaining the forensic data related to activity of the endpoint device of the information technology or security environment;
Patent No. 10,425,442 claim 1: receiving, from an endpoint device of an information technology or security environment, forensic data collected from and related to activity of the endpoint device,

Instant application claim 1: obtaining non-forensic data related to activity of at least one component in the information technology or security environment that is not the endpoint device;
Patent No. 10,425,442 claim 1: receiving, from a second component of the information technology or security environment that is not the endpoint device, non-forensic data related to activity in the information technology or security environment;

Instant application claim 1: segmenting the forensic data and the non-forensic data into a plurality of events;
Patent No. 10,425,442 claim 1: segmenting the forensic data into events; segmenting the non-forensic data into events;

Instant application claim 1: for each event of the plurality of events, determining a time stamp for the event, associating the time stamp with the event, and storing the event in a field-searchable data store; and
Patent No. 10,425,442 claim 1: for each of the events, determining a time stamp for the event, associating the time stamp with the event, and storing the event in a field-searchable data store;

Instant application claim 1: correlating an event derived from the forensic data with an event derived from the non-forensic data.
Patent No. 10,425,442 claim 1: receiving a second query that includes search criteria identifying a relationship between an event derived from the non-forensic data and an event derived from the forensic data; and executing the second query. (The Examiner interprets executing a query that includes search criteria identifying a relationship between an event derived from the non-forensic data and an event derived from the forensic data as “correlating an event derived from the forensic data with an event derived from the non-forensic data” because claim 11 of the instant application recites “wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes executing a query identifying a relationship between the event derived from the forensic data and the event derived from the non-forensic data”.)


Claims of the Instant Application        Claims of U.S. Patent No. 10,425,442
1                                        1
2                                        2
3                                        3
4                                        4
5                                        5
6                                        6
8                                        8
9                                        9
10                                       10
11                                       1
12                                       11
15                                       14
16                                       15
17                                       16
18                                       17
19                                       18
20                                       19
21                                       20
22                                       21
23                                       22
24                                       23
25                                       24
26                                       25
27                                       26
28                                       27
29                                       28
30                                       29
31                                       14



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 8-12, 15, 17-19, 24-26 and 31 are rejected under 35 U.S.C. 103 as being unpatentable over Baum (US 2015/0142842), further in view of Vasseur (US 2017/0279833), and further in view of Demopoulos (US 2005/0193429).

Regarding claims 1, 17 and 24, Baum teaches A computer-implemented method, comprising: 
obtaining the forensic data related to activity of the endpoint device of the information technology or security environment (see [0027] and Fig. 3: “In the collection step 305, the MD [machine data] 110 may be collected directly from its original source or consolidated over a number of sources. Machine data 110 can, and often does, arrive out of order. Collection 305 of MD 110 can be performed based on standard approaches to data access, for example, reading log files, examining message bus traffic, becoming a sync for logging systems like Syslog, or connecting to database auditing systems”. And see [0024]: “During the understanding process 275, ED 250 is analyzed to create dynamic links between events and build the MDW 290. As an example, consider that a log from a web server may contain specific types of events 250 with specific event data, but a log from an application server or database may contain different events 250 and event data specific to its own domain. A system administrator may, for example, locate the web server event by looking for a session ID found in a web server log”. The Examiner interprets “raw machine data 110” (see Fig. 3) that are “a web server log” (see [0024]) from “a web server” (interpreted by the Examiner as “an endpoint device”) as “forensic data related to activity of an endpoint device of an information technology or security environment” because claim 2 of the instant application defines “wherein the forensic data related to activity of the endpoint device including one or more of: file system information, registry information, service information, process information, and file information, log data”. The Examiner interprets collecting “a web server log” from “the web server” as “obtaining forensic data related to activity of an endpoint device of an information technology or security environment”);
obtaining non-forensic data related to activity of at least one component in the information technology or security environment that is not the endpoint device (see [0027] and Fig. 3: “In the collection step 305, the MD [machine data] 110 may be collected directly from its original source or consolidated over a number of sources. Machine data 110 can, and often does, arrive out of order. Collection 305 of MD 110 can be performed based on standard approaches to data access, for example, reading log files, examining message bus traffic, becoming a sync for logging systems like Syslog, or connecting to database auditing systems”. And see [0024]: “As an example, consider that a log from a web server may contain specific types of events 250 with specific event data, but a log from an application server or database may contain different events 250 and event data specific to its own domain. A system administrator may, for example, locate the web server event by looking for a session ID found in a web server log, locate the application server event by finding a process ID in the message queue”. The Examiner interprets “an application server” taught in [0024] as “at least one component of the information technology or security environment that is not the endpoint device” because the application server is not “a web server” (interpreted by the Examiner as “an endpoint device”). The Examiner interprets “raw machine data 110” (see Fig. 3) that are “a log from an application server” (see [0024]) as “non-forensic data related to activity of at least one component in the information technology or security environment that is not the endpoint device” because claim 3 of the instant application defines “wherein the non-forensic data includes one or more of: firewall data, router data, email server data, and user identity management system data, log data”. The Examiner interprets collecting “raw machine data 110” (see Fig. 3) that are “a log from an application server” (see [0024]) as “obtaining non-forensic data related to activity of at least one component in the information technology or security environment that is not the endpoint device”);
segmenting the forensic data and the non-forensic data into a plurality of events (see [0034]: “Aggregation of Machine Data into Raw Events”. And see [0035] and Fig. 3: “Aggregation rules describe the manner in which MD 110, from a particular domain, is organized 325 into event data 330 by identifying the boundaries of events within a collection of MD, for example, how to locate a discrete event by finding its beginning and ending”. And see [0023]: “FIG. 2 represents one approach 200 to building a MDW 290 from MD 110. This approach includes an organization process 235 and an understanding process 275. During the organization process 235, the MD 110 is organized into collections of discrete events 250, referred to herein as event data (ED). Events 250 represent units of system activity. Examples of events 250 include, for example, a web server servicing an HTTP "get" request from a web browser, an application server servicing an API call, or a database updating records in a table”); 
for each event of the plurality of events, determining a time stamp for the event (see claim 24: “determining a time stamp for each event in the plurality of events”. And see [0037]: “Typically, lines starting with a time-stamp are the start of a new event”), associating the time stamp with the event (see [0056]: “For example, in an email-messaging information-processing environment, an event 250 may exist in the message transfer agent (MTA) indicating the receipt of a message from a sender, These three events 250 may contain no common structure other than a timestamp”. And see [0023]: “One of the challenges in organizing 235 MD 110 into events 250 is that MD generally has little formal structure and typically includes not much more than a time stamp common across different sources of MD and different types of events”. Baum teaches in [0056] and [0023] that each of the events is associated with a time stamp), and storing the event (see title: “UNIFORM STORAGE AND SEARCH OF EVENTS DERIVED FROM MACHINE DATA FROM DIFFERENT SOURCES”) in a field-searchable data store (see title: “UNIFORM STORAGE AND SEARCH OF EVENTS DERIVED FROM MACHINE DATA FROM DIFFERENT SOURCES”. And see claim 10: “wherein performing a search on the plurality of events comprises identifying an event in the plurality of events that includes machine data that includes a particular extracted entity”. And see [0040] and Fig. 3: “Following aggregation 325 and before event segmentation 345, various extraction methods 335 can be applied to identify semantic entities 340 within the data. In one implementation, search trees or regular expressions can be applied to extract and validate, for example, IP addresses or email addresses”. The Examiner interprets extracted entities of an event, such as “IP addresses or email addresses” as values of a field. 
Because Baum teaches searching for “an event in the plurality of events that includes machine data that includes a particular extracted entity” (a particular field value) in a data store, Baum teaches “storing the event in a field-searchable data store”); and
correlating an event derived from the forensic data with an event derived from the non-forensic data (see [0024]: “During the understanding process 275, ED 250 is analyzed to create dynamic links between events and build the MDW 290. As an example, consider that a log from a web server may contain specific types of events 250 with specific event data, but a log from an application server or database may contain different events 250 and event data specific to its own domain. A system administrator may, for example, locate the web server event by looking for a session ID found in a web server log, locate the application server event by finding a process ID in the message queue, and locate a database table update event by searching for a transaction ID in the database audit trail. All three sources may contain events 250 that are part of a larger system activity, yet there is no obvious or explicit common structure or data shared among the MD 110 produced by each system. Common structure is manufactured across the three sources by analyzing the event data 250 so that connections between events can be identified”. The Examiner interprets creating links and identifying connections between the web server event (an event derived from the forensic data) and the application server event (an event derived from the non-forensic data) taught in [0024] as correlating an event derived from the forensic data with an event derived from the non-forensic data).
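An added illustration of the Baum steps relied on above for claim 1: segmenting raw machine data into events at lines that start with a time stamp, extracting entities (IP addresses, e-mail addresses, session IDs) as searchable fields, storing the events in a field-searchable store, and correlating a web server event with an application server event through a shared session ID. This is example code written for this page, not code from Baum, the applicant or the Examiner; the log lines, the field names and the FieldSearchableStore class are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample machine data (not from the office action or the cited references).
# The web server log stands in for forensic data from the endpoint device; the
# application server log stands in for non-forensic data from another component.
WEB_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 GET /login session=abc123 user=alice@example.test
2024-05-01T10:00:02Z 203.0.113.7 POST /login session=abc123 status=200
  continuation: referrer=/index
2024-05-01T10:00:09Z 198.51.100.4 GET /admin session=zzz999 status=403
"""
APP_LOG = """\
2024-05-01T10:00:02Z app pid=4411 session=abc123 action=auth_ok user=alice@example.test
2024-05-01T10:00:10Z app pid=4412 session=zzz999 action=auth_denied
"""

# Baum [0037]: lines starting with a time stamp are the start of a new event.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")
# Baum [0040]: regular expressions extract entities such as IP or e-mail addresses.
ENTITY_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "session": re.compile(r"session=(\w+)"),
}


def segment(raw, source):
    """Split raw machine data into events; a timestamp-led line opens a new
    event and any other line is appended to the current event."""
    events = []
    for line in raw.splitlines():
        m = TS_RE.match(line)
        if m:
            events.append({
                "source": source,
                "timestamp": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                "raw": line,
            })
        elif events:
            events[-1]["raw"] += "\n" + line
    return events


def extract_fields(event):
    """Attach the first match of each entity pattern as a named field."""
    for name, pattern in ENTITY_PATTERNS.items():
        found = pattern.findall(event["raw"])
        if found:
            event[name] = found[0]
    return event


class FieldSearchableStore:
    """Minimal event store that can be queried by extracted field values."""

    def __init__(self):
        self.events = []

    def ingest(self, events):
        for event in events:
            self.events.append(extract_fields(event))

    def search(self, **criteria):
        """Return events whose fields match every field=value given."""
        return [e for e in self.events
                if all(e.get(k) == v for k, v in criteria.items())]

    def correlate(self, field, source_a, source_b):
        """Pair events from two sources that carry the same value of `field`
        (the session-ID link Baum [0024] describes)."""
        by_value = {}
        for e in self.events:
            if field in e:
                by_value.setdefault(e[field], []).append(e)
        pairs = []
        for value, group in by_value.items():
            left = [e for e in group if e["source"] == source_a]
            right = [e for e in group if e["source"] == source_b]
            pairs.extend((value, a, b) for a in left for b in right)
        return pairs


def build_store():
    """Ingest the constructed web (forensic) and app (non-forensic) logs."""
    store = FieldSearchableStore()
    store.ingest(segment(WEB_LOG, "web"))
    store.ingest(segment(APP_LOG, "app"))
    return store
```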

Baum fails to teach sending a forensic data request to an endpoint device of an information technology or security environment, wherein the forensic data request is triggered based on execution of a search query identifying data indicating a potential security threat in the information technology or security environment, and wherein the forensic data request instructs the endpoint device to: obtain forensic data related to activity of the endpoint device in the information technology or security environment, and send the forensic data to another component in the information technology or security environment.

In the same field of endeavor, Vasseur teaches sending a forensic data request to an endpoint device of an information technology or security environment, wherein the forensic data request is triggered based on (see [0076], [0058], [0050] and Fig. 6A: “assume client device 504 may receive input from the user that indicates whether the detected anomaly is associated with scanning activity in the network. In turn, client device 504 may provide this indication to SCA 502 via an AnomalyAssessment( )message 606. In various embodiments, the indication may further label whether or not any scanning activity is legitimate or illegitimate”. And see [0079] and FIG. 6D: “if AnomalyAssessment( )message 606 indicates that the anomaly is scanning-related, legitimate or not, SCA 502 may continue the training process as follows”. And see [0080], [0074] and FIG. 6D: “Assuming that the detected anomaly is scanning-related, … CCE [classification computation engine] 508 may also send a packet capture (PCAP)-Request( )message 608 to DLA 400a that raised the anomaly, to request the sending of traffic data 506 regarding the original traffic that raised the anomaly (e.g., captured traffic packets, characteristics derived therefrom, etc.)”.  
The Examiner interprets DLA 400a as an endpoint device of an information technology or security environment. The Examiner further interprets “send[ing] a packet capture (PCAP)-Request( )message 608… to request the sending of traffic data 506 regarding the original traffic that raised the anomaly (e.g., captured traffic packets, characteristics derived therefrom, etc.)” in [0080] and FIG. 6D as sending a forensic data request to an endpoint device of an information technology or security environment. The Examiner also interprets “AnomalyAssessment( )message 606 indicat[ing] that the anomaly is scanning-related” in [0079] and FIG. 6D as identifying data indicating a potential security threat in the information technology or security environment. The Examiner further interprets “if AnomalyAssessment( )message 606 indicates that the anomaly is scanning-related, … Assuming that the CCE [classification computation engine] 508 may also send a packet capture (PCAP)-Request( )message 608 to DLA 400a that raised the anomaly, to request the sending of traffic data 506 regarding the original traffic that raised the anomaly (e.g., captured traffic packets, characteristics derived therefrom, etc.)” in [0079] and [0080] as wherein the forensic data request is triggered based on ), and wherein the forensic data request instructs the endpoint device to:
obtain forensic data related to activity of the endpoint device in the information technology or security environment (see [0080]: “CCE 508 may also send a packet capture (PCAP)-Request( )message 608 to DLA 400a that raised the anomaly, to request the sending of traffic data 506 regarding the original traffic that raised the anomaly (e.g., captured traffic packets, characteristics derived therefrom, etc.). Such traffic may be characterized by a source/destination IP address, additional partner flows, duration and packet timing information, port information, or information specific to the IP protocol involved. If available, the traffic may also be characterized by device classification information about all the sources and destinations, such as from external providers (e.g., ISE or machine learning based clustering)”), and 
send the forensic data to another component in the information technology or security environment (see [0080] and Fig. 6D: “In response, DLA 400a may return the requested traffic data to SCA 502 via a PCAP-Response( )message 610”).

Both Vasseur and Baum teach collection of forensic data from an endpoint device. Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Baum by letting the collection of the forensic data from the endpoint device taught by Baum include sending a forensic data request to an endpoint device of an 

Baum modified in view of Vasseur fails to teach that identifying data indicating a potential security threat in the information technology or security environment is through execution of a search query.
In the same field of endeavor, Demopoulos teaches execution of a search query identifying data indicating a potential security threat in the information technology or security environment (see [0161]: “If the event data message was generated by the virus detection module, then a virus attack detection operation 1018 is performed. The virus attack detection operation 1018 searches the event database event records indicating infected e-mails were previously received from the same source as the event data received in receive operation 1002. In an embodiment, a virus attack is presumed if a predetermined number of e-mails from the same source failed the virus detection module within a predetermined period of time. The number of e-mails and period used may be predetermined by the administrator of the computing system 300. In an embodiment, a virus attack is presumed if three or more virus-containing e-mails are received from the same source within a one-minute period. The SSI 312 makes the attack determination by searching the event database for records indicating receipt of the predetermined number of virus-containing e-mails within the period”).


Regarding claims 2, 18 and 25, Baum further teaches wherein the forensic data related to activity of the endpoint device includes one or more of: file system information, registry information, service information, process information, file information, log data (see [0024]: “During the understanding process 275, ED 250 is analyzed to create dynamic links between events and build the MDW 290. As an example, consider that a log from a web server may contain specific types of events 250 with specific event data, but a log from an application server or database may contain different events 250 and event data specific to its own domain. A system administrator may, for example, locate the web server event by looking for a session ID found in a web server log”. The Examiner interprets “a web server log” (see [0024]) from “a web server” (interpreted by the Examiner as “an endpoint device”) as “wherein the forensic data related to activity of the endpoint device includes one or more of: … log data”).

Regarding claims 3, 19 and 26, Baum further teaches wherein the non-forensic data includes one or more of: firewall data, router data, email server data, user identity management system data, log data (see [0024]: “As an example, consider that a log from a web server may contain specific types of events 250 with specific event data, but a log from an application server or database may contain different events 250 and event data specific to its own domain. A system administrator may, for example, locate the web server event by looking for a session ID found in a web server log, locate the application server event by finding a process ID in the message queue”. The Examiner interprets “a log from an application server” (see [0024]) as “wherein the non-forensic data includes one or more of: … log data”).

Regarding claim 8, Baum further teaches wherein the endpoint device is one of: a desktop computer, a workstation, a laptop computer, a tablet computer, a mobile device (see [0022]: “a computer may be logging operating system events”).

Regarding claim 9, Baum further teaches wherein the at least one component interacts with the endpoint device via a network (see [0022] and Fig. 1: “the information-processing environment includes hardware and software components such as computers, routers, databases, operating systems and applications in a distributed configuration for processing information”).

Regarding claim 10, Baum further teaches wherein each of the events includes a portion of raw machine data (“raw machine data 110”, see Fig. 3) created by a component of the information technology or security environment (see [0034] “Aggregation of Machine Data into Raw Events”. And see [0035]: “Aggregation rules describe the manner in which MD 110, from a particular domain, is organized 325 into event data 330 by identifying the boundaries of events within a collection of MD, for example, how to locate a discrete event by finding its beginning and ending”) and related to activity of the component in the information technology or security environment (see [0022]: “Each component may be producing MD 110, and there may be many MD sources and large quantities of MD across 

Regarding claim 11, Baum further teaches wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes executing a query identifying a relationship between the event derived from the forensic data and the event derived from the non-forensic data (see [0059]: “In one implementation, link analysis 405 takes place by creating a co-occurrence table with an entry for pairs of event types or event data values that occur within a predetermined window of each other. In one aspect, windows are bounded by a window threshold taking the form of time (e.g. 10 minutes), event types (e.g. 50 unique event types), or event instances (e.g. 1000 events). The value of the co-occurrence table entry is the distance between the pair (time, event types, or event instances). Pairs that co-occur often enough, and meet a distance standard deviation threshold are deemed relevant and reliable links. For example, assume that an event 250 of type A occurred 50 times, an event of type B occurred 40 times, an event of type A was followed by an event of type B 20% of the time, and the standard deviation of their distance was less than 5.0 (a predetermined threshold), then a link 410 is created between events 250 of type A and type B (represented as A->B)”).

Regarding claim 12, Baum fails to teach sending a forensic data request to the endpoint device, the forensic data request instructing the endpoint device to send the forensic data to another component in the information technology or security environment.
In the same field of endeavor, Vasseur teaches sending a forensic data request to the endpoint device (see [0080], [0074] and FIG. 6D: “Assuming that the detected anomaly is scanning-related, … CCE [classification computation engine] 508 may also send a packet capture (PCAP)-Request( )message 608 to DLA 400a that raised the anomaly, to request the sending of traffic data 506 regarding the original traffic that raised the anomaly (e.g., captured traffic packets, characteristics derived therefrom, etc.)”), the forensic data request instructing the endpoint device to send the forensic data to another component in the information technology or security environment (see [0080] and Fig. 6D: “In response, DLA 400a may return the requested traffic data to SCA 502 via a PCAP-Response( )message 610”).
Both Vasseur and Baum teach collection of the forensic data from the endpoint device. Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Baum by letting the collection of the forensic data from the endpoint device taught by Baum include sending a forensic data request to the endpoint device, the forensic data request instructing the endpoint device to send the forensic data to another component in the information technology or security environment, as taught by Vasseur. It would have been obvious because doing so achieves the commonly understood benefit of obtaining further forensic data related to a detected potential security threat so that the potential threat can be investigated more closely.

Regarding claim 15, Baum further teaches wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes executing a query identifying a relationship between the event derived from the forensic data and the event derived from the non-forensic data (see [0059]: “In one implementation, link analysis 405 takes place by creating a co-occurrence table with an entry for pairs of event types or event data values that occur within a predetermined window of each other. In one aspect, windows are bounded by a window threshold taking the form of time (e.g. 10 minutes), event types (e.g. 50 unique event types), or event instances (e.g. 1000 events). The value of the co-occurrence table entry is the distance between the pair (time, event types, or event instances). Pairs that co-occur often enough, and meet a distance standard deviation threshold are deemed relevant and reliable links. For example, assume that an event 250 of type A occurred 50 times, an event of type B occurred 40 times, an event of type A was followed by an event of type B 20% of the time, and the standard deviation of their distance was less than 5.0 (a predetermined threshold), then a link 410 is created between events 250 of type A and type B (represented as A->B)”),
wherein executing the query includes searching for event data in the field-searchable data store (see title: “UNIFORM STORAGE AND SEARCH OF EVENTS DERIVED FROM MACHINE DATA FROM DIFFERENT SOURCES”. And see claim 10: “wherein performing a search on the plurality of events comprises identifying an event in the plurality of events that includes machine data that includes a particular extracted entity”. And see [0040]: “Following aggregation 325 and before event segmentation 345, various extraction methods 335 can be applied to identify semantic entities 340 within the data. In one implementation, search trees or regular expressions can be applied to extract and validate, for example, IP addresses or email addresses”. The Examiner interprets extracted entities of an event, such as “IP addresses or email addresses” as values of a field. Because Baum teaches searching for “an event in the plurality of events that includes machine data that includes a particular extracted entity” (a particular field value) in a data store, Baum teaches “searching for event data in the field-searchable data store”).
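An added illustration of the co-occurrence link analysis quoted from Baum [0059] in the rejections of claims 11 and 15: for each ordered pair of event types, the fraction of A occurrences that are followed by a B within the window and the standard deviation of those distances decide whether a link A->B is created. This is example code written for this page, not Baum's implementation; the event stream, the 60-second time window and the 20% minimum fraction are constructed for the example (the 5.0 standard-deviation threshold is the value in Baum's quoted example).

```python
import statistics
from collections import Counter


def make_events():
    """Constructed event stream as (event_type, seconds) pairs, not from Baum.
    A fires every 100 s; B trails A by a constant 3 s on every other A;
    C trails A by a distance that grows each time (7 s, 14 s, 21 s, ...)."""
    events = []
    t = 0
    for i in range(10):
        t += 100
        events.append(("A", t))
        if i % 2 == 0:
            events.append(("B", t + 3))
        events.append(("C", t + 7 * (i + 1)))
    return events


def link_analysis(events, window=60, min_fraction=0.2, max_stddev=5.0):
    """Build the co-occurrence table and return the links it supports.

    For every occurrence of type A, the first later event of each other type
    within `window` seconds contributes one table entry whose value is the
    distance between the pair. A->B becomes a link when B follows at least
    `min_fraction` of the A occurrences and the distances' standard deviation
    is at most `max_stddev`. Returns (A, B, fraction, stddev) tuples."""
    events = sorted(events, key=lambda e: e[1])
    counts = Counter(event_type for event_type, _ in events)
    distances = {}  # (A, B) -> distances for A occurrences followed by a B
    for i, (a_type, a_time) in enumerate(events):
        seen = set()  # only the first following event of each type counts
        for b_type, b_time in events[i + 1:]:
            if b_time - a_time > window:
                break  # events are time-sorted, so nothing later can qualify
            if b_type != a_type and b_type not in seen:
                seen.add(b_type)
                distances.setdefault((a_type, b_type), []).append(b_time - a_time)
    links = []
    for (a, b), dists in sorted(distances.items()):
        fraction = len(dists) / counts[a]
        stddev = statistics.pstdev(dists)
        if fraction >= min_fraction and stddev <= max_stddev:
            links.append((a, b, round(fraction, 2), stddev))
    return links
```

With the constructed stream only A->B qualifies: C follows A every time, but at a distance whose spread exceeds the threshold, so no A->C link is created.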

Regarding claim 31, Demopoulos further teaches wherein executing the search query includes searching for event data in a field-searchable data store (see [0161]: “If the event data message was generated by the virus detection module, then a virus attack detection operation 1018 is performed. The virus attack detection operation 1018 searches the event database event records indicating infected e-mails were previously received from the same source as the event data received in receive operation 1002. In an embodiment, a virus attack is presumed if a predetermined number of e-mails from the same source failed the virus detection module within a predetermined period of time. The number of e-mails and period used may be predetermined by the administrator of the computing system 300. In an embodiment, a virus attack is presumed if three or more virus-containing e-mails are received from the same source within a one-minute period. The SSI 312 makes the attack determination by searching the event database for records indicating receipt of the predetermined number of virus-containing e-mails within the period”).
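An added illustration of the Demopoulos rule quoted for claims 1 and 31 (a virus attack is presumed when three or more virus-containing e-mails arrive from the same source within one minute), run as a search query over constructed event records and, as in claim 1, turned into a forensic data request to the affected endpoint device. This is example code written for this page, not code from Demopoulos, Vasseur or the applicant; the record fields and the request message layout are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event records as they would sit in the event database; not from
# the office action or the cited references. "source" is the sending mail
# source, "endpoint" the receiving device, "verdict" the virus module's result.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "source": "mail.bad.test", "endpoint": "ws-17", "verdict": "infected"},
    {"ts": "2024-05-01T09:00:20", "source": "mail.bad.test", "endpoint": "ws-17", "verdict": "infected"},
    {"ts": "2024-05-01T09:00:45", "source": "mail.bad.test", "endpoint": "ws-22", "verdict": "infected"},
    {"ts": "2024-05-01T09:05:00", "source": "mail.ok.test", "endpoint": "ws-17", "verdict": "clean"},
    {"ts": "2024-05-01T09:06:00", "source": "mail.slow.test", "endpoint": "ws-22", "verdict": "infected"},
    {"ts": "2024-05-01T09:08:30", "source": "mail.slow.test", "endpoint": "ws-22", "verdict": "infected"},
    {"ts": "2024-05-01T09:09:00", "source": "mail.slow.test", "endpoint": "ws-22", "verdict": "infected"},
]


def search_virus_attacks(events, threshold=3, window=timedelta(minutes=1)):
    """Search query over the event records: flag a source when at least
    `threshold` infected e-mails from it fall inside one `window`-long period.
    A sliding window over the time-sorted records of each source finds the
    first such period; the default values are the ones Demopoulos quotes."""
    by_source = defaultdict(list)
    for event in events:
        if event["verdict"] == "infected":
            by_source[event["source"]].append(event)
    hits = []
    for source, records in by_source.items():
        records.sort(key=lambda r: r["ts"])  # ISO timestamps sort as text
        times = [datetime.fromisoformat(r["ts"]) for r in records]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop records that fell out of the window
            if end - start + 1 >= threshold:
                hits.append({
                    "source": source,
                    "endpoints": sorted({r["endpoint"] for r in records[start:end + 1]}),
                    "first": records[start]["ts"],
                    "last": records[end]["ts"],
                })
                break
    return hits


def forensic_requests(hits):
    """Turn each search hit into the forensic data request sent to every
    endpoint that received the flagged e-mails (message layout is assumed)."""
    requests = []
    for hit in hits:
        for endpoint in hit["endpoints"]:
            requests.append({
                "to": endpoint,
                "type": "forensic_data_request",
                "reason": "infected e-mails from " + hit["source"]
                          + " between " + hit["first"] + " and " + hit["last"],
                "collect": ["process_info", "file_info", "mail_client_log"],
                "send_to": "event_store",  # another component, not the endpoint
            })
    return requests
```

The second source sends three infected e-mails too, but spread over three minutes, so the one-minute window never holds three of them and no request is raised for it.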

Claims 4, 20 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Baum (US 2015/0142842), further in view of Vasseur (US 2017/0279833), further in view of Demopoulos (US 2005/0193429), and further in view of Chandramouli (US 2012/0254333).

Regarding claims 4, 20 and 27, Baum modified in view of Vasseur and Demopoulos fails to teach wherein the forensic data includes file information related to an endpoint device, and wherein the non-forensic data includes email server data, and wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes identifying events indicating a phishing attack against the endpoint device.
In the same field of endeavor, Chandramouli teaches wherein the forensic data includes file information related to an endpoint device, and wherein the non-forensic data includes email server data, and wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes identifying events indicating a phishing attack against the endpoint device (see abstract: “A method and apparatus for automatically identifying harmful electronic messages, such as those presented in emails, on Craigslist or on Twitter, Facebook and other social media websites, features methodology for discriminating unwanted garbage communications (spam) and unwanted deceptive messages (scam) from wanted, truthful communications based upon patterns discernable from samples of each type of electronic communication”. And see [0118]: “The most often reported email scams include phishing emails”. And see [0534]: “The user interface is the set of screen(s) presented to an end user analyzing text documents for deceptiveness. The dashboard may be used by a forensic analyst to obtain fine details such as the psycho-linguistic cues that triggered the deception detector, statistical significance of the cues, decision confidence intervals, IP geolocation of the origin of the text document (e.g., URL), spatiotemporal patterns of deceptive source, deception trends, etc. These interfaces also allow the end user and the forensic analyst to customize a number of outputs, graphs, etc. The following screens can be used for the user interface and the dashboard, respectively”. And see [0535]: “Opening screen: User chooses the text source domain : mail server, web browser, file folders, crawling (URLs, Tweets, etc.)”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Baum modified in view of Vasseur and Demopoulos by letting the forensic data include file information related to an endpoint device, letting the non-forensic data include email server data, and letting correlating the event derived from the forensic data with the event derived from the non-forensic data include identifying events indicating a phishing attack against the endpoint device, as taught by Chandramouli. It would have been obvious because doing so achieves the commonly understood benefit of detecting a phishing attack.

Claims 5, 21 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Baum (US 2015/0142842), further in view of Vasseur (US 2017/0279833), and further in view of Demopoulos (US 2005/0193429), and further in view of Adams (US 9,729,572).

Regarding claims 5, 21 and 28, Baum modified in view of Vasseur and Demopoulos fails to teach wherein the forensic data includes registry information related to the endpoint device, and wherein the non-forensic data includes a malware alert from a security application, and wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes identifying events indicating a malware attack against the endpoint device.
However, Adams teaches wherein the forensic data includes registry information related to the endpoint device, and wherein the non-forensic data includes a malware alert from a security application, and wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes identifying events indicating a malware attack against the endpoint device (see col. 8, lines 35-44 and Fig. 2: “In some implementations, security device 220 may determine information regarding client device 210 when determining information associated with the malicious file. For example, security device 220 may determine information regarding a registry of client device 210, a state of a peripheral associated with client device 210 (e.g., a state of a network adapter, a state of an external data structure, etc.), or the like that may be utilized to select a remediation action (e.g., from a set of remediation actions performable by security device 220) for remediating the malicious file”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Baum modified in view of Vasseur and Demopoulos by letting the forensic data include registry information related to the endpoint device, letting the non-forensic data include a malware alert from a security application, and letting the correlating the event .

Claims 6, 7, 22, 23, 29 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Baum (US 2015/0142842), further in view of Vasseur (US 2017/0279833), further in view of Demopoulos (US 2005/0193429), and further in view of Seigel (US 2017/0063884).

Regarding claims 6, 22 and 29, Baum modified in view of Vasseur and Demopoulos fails to teach wherein the forensic data includes login history information related to the endpoint device, and wherein the non-forensic data includes information from a user identity management system, and wherein the correlating the event derived from the forensic data with the event derived from the non-forensic data includes identifying events indicating a brute-force login attack against the endpoint device.
In the same field of endeavor, Seigel teaches wherein the forensic data includes login history information related to the endpoint device, and wherein the non-forensic data includes information from a user identity management system, and wherein the correlating the event derived from the forensic data with the event derived from the non-forensic data includes identifying events indicating a brute-force login attack against the endpoint device (see [0027]: “For example, the agent 108(M) may generate the event log 114(Q) in response to determining that more than a threshold number of attempts were made to access the database 102(M) using incorrect credentials. … The agent 110(N) may generate the event log 114(Q) in response to determining that more than a threshold number of attempts were made to login to one (or more) of the user devices 104(1) to 104(N) within a predetermined period of time using incorrect credentials”).
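Demopoulos' rule quoted at [0161] above (three or more virus-containing e-mails from one source within a one-minute period) and Seigel's rule quoted at [0027] (more than a threshold number of incorrect-credential attempts against a device within a predetermined period) are both a sliding-window count over records searched out of an event store. The following is an added example, not code from either reference or from the application; the record layout, the field names and the inclusive one-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event records standing in for an event database; field names and
# values are assumptions for illustration, not data from Demopoulos or Seigel.
EVENT_DB = [
    {"ts": "2024-01-01T10:00:00", "kind": "email", "source": "198.51.100.7", "virus": True},
    {"ts": "2024-01-01T10:00:20", "kind": "email", "source": "198.51.100.7", "virus": True},
    {"ts": "2024-01-01T10:00:25", "kind": "email", "source": "198.51.100.7", "virus": False},
    {"ts": "2024-01-01T10:00:40", "kind": "email", "source": "198.51.100.7", "virus": True},
    {"ts": "2024-01-01T10:01:00", "kind": "email", "source": "203.0.113.9", "virus": True},
    {"ts": "2024-01-01T10:03:00", "kind": "email", "source": "203.0.113.9", "virus": True},
    {"ts": "2024-01-01T10:05:00", "kind": "email", "source": "203.0.113.9", "virus": True},
    {"ts": "2024-01-01T11:00:00", "kind": "login", "device": "host-17", "ok": False},
    {"ts": "2024-01-01T11:00:05", "kind": "login", "device": "host-17", "ok": False},
    {"ts": "2024-01-01T11:00:09", "kind": "login", "device": "host-17", "ok": True},
    {"ts": "2024-01-01T11:00:12", "kind": "login", "device": "host-17", "ok": False},
    {"ts": "2024-01-01T11:00:30", "kind": "login", "device": "host-17", "ok": False},
    {"ts": "2024-01-01T11:00:40", "kind": "login", "device": "host-17", "ok": False},
    {"ts": "2024-01-01T11:00:00", "kind": "login", "device": "host-42", "ok": False},
    {"ts": "2024-01-01T11:09:00", "kind": "login", "device": "host-42", "ok": False},
]

def threshold_within_window(events, key, matches, threshold, window):
    """Return {key_value: time the rule first fired} for every key value that
    has at least `threshold` matching events inside a sliding `window`.
    Only events for which matches(e) is true are counted; the rest are ignored."""
    by_key = defaultdict(list)
    for e in events:
        if matches(e):
            by_key[e[key]].append(datetime.fromisoformat(e["ts"]))
    fired = {}
    for k, times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                fired[k] = t.isoformat()
                break
    return fired

def virus_attack_sources(events):
    """Demopoulos' rule: three or more virus-containing e-mails from the same
    source within one minute (window taken as inclusive, an assumption)."""
    return threshold_within_window(
        events, "source", lambda e: e["kind"] == "email" and e["virus"],
        3, timedelta(minutes=1))

def brute_force_devices(events, threshold=5, window=timedelta(minutes=1)):
    """Seigel's rule: a threshold number of incorrect-credential login attempts
    against one device within a predetermined period (values are assumptions)."""
    return threshold_within_window(
        events, "device", lambda e: e["kind"] == "login" and not e["ok"],
        threshold, window)
```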


Regarding claims 7, 23 and 30, Baum modified in view of Vasseur and Demopoulos fails to teach causing display, on a graphical user interface, of indications of the event derived from the forensic data and the event derived from the non-forensic data.
In the same field of endeavor, Seigel teaches causing display, on a graphical user interface, of indications of the event derived from the forensic data and the event derived from the non-forensic data (see [0045], [0046] and Fig. 3: “FIG. 3 is a block diagram illustrating a graphical user interface (GUI) 300 that includes a file created event according to some embodiments”. The Examiner further interprets the file created event 324 in Fig. 3 as “the event derived from the forensic data” because claim 2 of the instant application defines that the forensic data related to activity of the endpoint device includes file system information. And see [0049]: “The user then successfully logs on to the second network element 210 (e.g., one of the databases 102 or the servers 106) using the first credentials 204, causing an agent to generate an event log for the logon event 318. The user accesses a directory on the second network element 210, causing an agent to generate an event log for a directory accessed event 322. The user creates a file on the first network element 208, causing an agent to generate an event log for a file created event 324”. The Examiner further interprets the directory access event 322 in Fig. 3 as “the event derived from the non-forensic data” because the Examiner considers the directory access event 226 derived from log data and claim 3 of the instant application defines that the non-forensic data includes log data).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Baum modified in view of Vasseur and Demopoulos by adding the step of causing display, on a graphical user interface, of indications of the event derived from the forensic data and the event derived from the non-forensic data taught by Seigel. It would have been obvious because Seigel explicitly teaches that “by displaying a context within which to interpret the event logs, a system administrator may see a more complete picture of the events” (see [0041], last sentence).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Baum (US 2015/0142842), further in view of Vasseur (US 2017/0279833), further in view of Demopoulos (US 2005/0193429), and further in view of Chervets (US 2007/0124437).

Regarding claim 14, Baum modified in view of Vasseur and Demopoulos fails to teach periodically executing a query used to correlate events derived from the forensic data with events derived from the non-forensic data.
In the same field of endeavor, Chervets teaches periodically executing a query (see [0014], last sentence: “the log server 28 makes data available through the interface 30 to the other modules/components 32 which may periodically poll the log server 28”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Baum modified in view of Vasseur and Demopoulos by letting the executed query used to correlate events derived from the forensic data with events derived .

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Baum (US 2015/0142842), further in view of Vasseur (US 2017/0279833), further in view of Demopoulos (US 2005/0193429), and further in view of Seward (US 2015/0180891).

Regarding claim 16, Baum further teaches wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes executing a query identifying a relationship between the event derived from the forensic data and the event derived from the non-forensic data (see [0059]: “In one implementation, link analysis 405 takes place by creating a co-occurrence table with an entry for pairs of event types or event data values that occur within a predetermined window of each other. In one aspect, windows are bounded by a window threshold taking the form of time (e.g. 10 minutes), event types (e.g. 50 unique event types), or event instances (e.g. 1000 events). The value of the co-occurrence table entry is the distance between the pair (time, event types, or event instances). Pairs that co-occur often enough, and meet a distance standard deviation threshold are deemed relevant and reliable links. For example, assume that an event 250 of type A occurred 50 times, an event of type B occurred 40 times, an event of type A was followed by an event of type B 20% of the time, and the standard deviation of their distance was less than 5.0 (a predetermined threshold), then a link 410 is created between events 250 of type A and type B (represented as A->B)”),
wherein executing the query includes searching for event data in the field-searchable data store (see title: “UNIFORM STORAGE AND SEARCH OF EVENTS DERIVED FROM MACHINE DATA FROM DIFFERENT SOURCES”. And see claim 10: “wherein performing a search on the plurality of events comprises identifying an event in the plurality of events that includes machine data that includes a particular extracted entity”. And see [0040]: “Following aggregation 325 and before event segmentation 345, various extraction methods 335 can be applied to identify semantic entities 340 within the data. In one implementation, search trees or regular expressions can be applied to extract and validate, for example, IP addresses or email addresses”. The Examiner interprets extracted entities of an event, such as “IP addresses or email addresses” as values of a field. Because Baum teaches searching for “an event in the plurality of events that includes machine data that includes a particular extracted entity” (a particular field value) in a data store, Baum teaches “searching for event data in the field-searchable data store”).
Baum modified in view of Vasseur and Demopoulos fails to teach wherein executing the query includes searching for event data in the field-searchable data store using a late-binding schema.
In the same field of endeavor, Seward teaches wherein executing the query includes searching for event data in the field-searchable data store using a late-binding schema (see [0069]: “in a system using a late-binding schema, the schema can be developed on an ongoing basis up until the time it needs to be applied, e.g., at query or search time. In a query system using a late-binding schema, the query may specify, for example, a search for events that have certain criteria defined by the schema for specified fields and the events including such fields”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Baum modified in view of Vasseur and Demopoulos by letting the searching for event data in the field-searchable data store use a late-binding schema, as taught by Seward. It would have been obvious because doing so achieves the commonly understood benefit of keeping the query flexible.
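The link analysis quoted from Baum [0059] above, run over a constructed event stream, as an added example (not code from Baum or from the application): it builds the co-occurrence table, then keeps a pair as a link only when B follows A often enough and the standard deviation of their distance stays below the threshold. That window and distance are measured in seconds, that each occurrence of A pairs with the nearest later event of each other type within the window, and the minimum pair count are assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed, time-ordered event stream as (seconds offset, event type);
# an illustration only, not data from Baum.
EVENTS = [
    (0, "auth_failure"), (1, "file_read"), (3, "account_lockout"),
    (100, "auth_failure"), (104, "account_lockout"), (150, "file_read"),
    (200, "auth_failure"), (203, "account_lockout"), (290, "file_read"),
    (300, "auth_failure"),
    (400, "auth_failure"), (404, "account_lockout"),
]

def cooccurrence_table(events, window):
    """Map (type_a, type_b) -> list of distances in seconds. For each event of
    type_a, the nearest later event of every other type within `window`
    counts as one co-occurring pair (this pairing rule is an assumption)."""
    events = sorted(events)
    table = defaultdict(list)
    for i, (t_a, type_a) in enumerate(events):
        seen = set()
        for t_b, type_b in events[i + 1:]:
            if t_b - t_a > window:          # window bounded by time
                break
            if type_b != type_a and type_b not in seen:
                seen.add(type_b)
                table[(type_a, type_b)].append(t_b - t_a)
    return table

def link_analysis(events, window=60, min_rate=0.2, max_stddev=5.0, min_pairs=2):
    """Return {(A, B): stats} for pairs deemed relevant and reliable links:
    B follows A in at least `min_rate` of A's occurrences, at least `min_pairs`
    pairs were seen, and the distance standard deviation is below `max_stddev`."""
    counts = defaultdict(int)
    for _, event_type in events:
        counts[event_type] += 1
    links = {}
    for (type_a, type_b), dists in cooccurrence_table(events, window).items():
        rate = len(dists) / counts[type_a]      # share of A followed by B
        spread = pstdev(dists) if len(dists) > 1 else 0.0
        if len(dists) >= min_pairs and rate >= min_rate and spread < max_stddev:
            links[(type_a, type_b)] = {"pairs": len(dists), "rate": rate,
                                       "stddev": spread}
    return links
```

On the constructed stream only auth_failure -> account_lockout qualifies; auth_failure -> file_read co-occurs often enough but its distances vary too much to count as a reliable link.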


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit 





/ZHIMEI ZHU/Examiner, Art Unit 2495
/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495