DETAILED ACTION
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  Claims 1, 3-10 and 12-22 are presented for examination on the merits.

Claim Rejections - 35 USC § 103
2.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
3.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

4.	Claims 1-4, 6-8, 10-13 and 15-20 rejected under 35 U.S.C. 103 as being unpatentable over Seigel (US 2017/0031741).
As to claim 1, Seigel discloses in managing alert profiles having claimed:
a.	collecting event logs from monitoring systems communicatively coupled to a computing device read on ¶ 0014, (monitor (e.g., in real time) event logs generated by multiple agents);
b.	each event log indicating an event occurring at a given time at a given activity within an operational process read on ¶ 0004, (an interesting activity may be defined by a system administrator, determined using machine learning, or both. An interesting activity may include one or more event logs that are currently of interest, such as event logs that may be indicative of malicious activity (e.g., failed login attempts, accessing restricted resources, or the like), event logs that may be indicative of resource under-utilization, event logs that may be indicative of a resource that is at or near maximum utilization, a particular type of event logs (e.g., event logs indicating attempts to gain access to a computer system, event logs indicating mass copying of records in a database, etc.), another type of activity that is determined to be of interest, or any combination thereof. The auditing software may create an alert profile. The auditing software may assign a severity to the alert profile. The auditing software may determine whether the alert profile is relevant. The auditing software may deactivate the alert profile based on determining that the alert profile is not relevant);
c.	wherein measuring the transition times between the activities of the operational process from the event logs for the plurality of users comprises measuring a plurality of transition times for the activity and calculating an average transition time for the activity from the plurality of transition times read on ¶ 0035, (when the auditing software 122 determines that the alert profile 124 is no longer relevant and deactivates (or deletes) the alert profile 124, the auditing software 122 may use the timestamp 130 to determine a length of time that the alert profile 124 was active. The auditing software 122 may use the length of time that the alert profile 124 was active to determine an average length of time associated with multiple alert profiles. The auditing software 122 may determine an expiration time period for a next alert profile based on the average length of time. To illustrate, the auditing software 122 may use a classifier (e.g., trained using machine learning) to determine when the alert profile 124 is no longer relevant to deactivate (or delete) the alert profile 124. The auditing software 122 may determine how long multiple alert profiles, including the alert profile 124, were active (e.g., using the timestamp 130). The auditing software 122 may determine that Y hours (where Y>0) is the average time that an alert profile is active and set a next alert profile to expire after Y hours. In some cases, if alert profiles have an associated severity, the average length of time that an alert profile is active may be determined for each severity).  Seigel in different embodiment,
d.	measuring transition times between activities of the process from the event logs; calculating, from the measured transition times, a capacity of an activity of the activities; and
generating an alert indicating the activity approaching or at a maximum capacity of the activity responsive to the capacity above a threshold read on ¶ 0014 & ¶ 0056-0058, (an alert profile may be created to perform one or more actions when a user identifier is used to attempt to access more than two databases or more than two servers within a particular period of time (e.g., within a two hour time period, within the same day, or the like).  For example, the alert profile may specify that when a user identifier is used to attempt to access more than two databases or access more than two servers within a particular period of time, one or more actions are to be performed. The one or more actions may include notifying a particular user (e.g., system administrator).   For example, in FIG. 1, the central server 116 may receive the event log 114(1) and determine that the event log 114(1) is indicative of an interesting activity, such as failed login attempts at one of the user devices 104 or a large number of transactions performed in a short period of time by one of the databases 102 or the servers 106. In response to determining that the event log 114(1) is indicative of an interesting activity, the central server 116 may create the alert profile 124).  It would have been obvious to one having ordinary skill in the art at the time the invention was filed to incorporate an alert profile may include a set of conditions, for example, event logs occurring within a predetermined period of time and actions to perform, for example raise an alert and/or send an alert notification message when the conditions are satisfied.  For example, if the auditing system determines that the conditions of a particular alert profile are satisfied, for example, one or more event logs occur within a predetermined period of time, then the auditing system may perform the actions specified in the particular alert profile). 
	It would have been obvious to one having ordinary skill in the art at the time the invention was filed to incorporate an alert profile may include a set of conditions, for example, event logs occurring within a predetermined period of time and actions to perform, for example raise an alert and/or send an alert notification message when the conditions are satisfied.  For example, if the auditing system determines that the conditions of a particular alert profile are satisfied, for example, one or more event logs occur within a predetermined period of time, then the auditing system may perform the actions specified in the particular alert profile. 
As to claim 3, Seigel further discloses:
a.	calculating an average service time based on the average transition time, and calculating the capacity of the activity based on an average arrival rate and the average service time read on ¶ 0035 & ¶ 0039, (the alert profile 124 may be used to monitor and determine whether one or more of the databases 102, the user devices 104, or the servers 106 are being over-utilized (e.g., at or near maximum capacity) or under-utilized, where bottlenecks in the system 100 are occurring, etc. To illustrate, the alert profile 124 may monitor the databases 102 to identify when transaction throughput begins to decline, e.g., indicating that one of the databases 102 is nearly full (e.g., at or near full capacity, indicating that a new database is to be added, indicating that an existing database's capacity is to be increased, and the like. The alert profile 124 may be used to monitor and identify which of the user devices 104 are prone to being hacked, whether the user devices 104 are being over-utilized (e.g., more than a threshold number of users logging in to the same user device) and whether to add a new user device, whether the user devices 104 are being under-utilized (e.g., at least one of the user devices 104 is never used or used less than a threshold number of times in a particular time period) and whether to remove one or more of the user devices 104, and the like. The alert profile 124 may be used to monitor and identify which of the servers 106 are prone to being hacked (e.g., server 106(P) is hacked at least once a month), whether the servers 106 are being over-utilized (e.g., transaction throughput is at or near full capacity) and whether to add a new server, whether the servers 106 are being under-utilized (e.g., a number of transactions processed in a particular time period falls below a predetermined threshold) and whether to remove one or more of the servers 106, etc.).
As to claim 4, Seigel further discloses:
a.	measuring a total elapsed time for event observations, a total number of sojourns between activities, and a total number of sojourns overall from the event logs, wherein the transition times comprise an average transition time, and wherein the capacity is further calculated based on the total elapsed time, the total number of sojourns between activities, and the total number of sojourns overall read on ¶ 0014 & ¶ 0035, (an alert profile may be created to perform one or more actions when a user identifier is used to attempt to access more than two databases or more than two servers within a particular period of time (e.g., within a two hour time period, within the same day, or the like). For example, the alert profile may specify that when a user identifier is used to attempt to access more than two databases or access more than two servers within a particular period of time, one or more actions are to be performed.  While many of the examples described herein are related to creating alert profiles to identify malicious activity, the systems and techniques described herein may also be used to optimize a computer system by identifying bottlenecks, resources that are being under-utilized or over-utilized (e.g., at or near maximum capacity), and other system-related activities).  When the auditing software 122 determines that the alert profile 124 is no longer relevant and deactivates (or deletes) the alert profile 124, the auditing software 122 may use the timestamp 130 to determine a length of time that the alert profile 124 was active. The auditing software 122 may use the length of time that the alert profile 124 was active to determine an average length of time associated with multiple alert profiles. The auditing software 122 may determine an expiration time period for a next alert profile based on the average length of time. To illustrate, the auditing software 122 may use a classifier (e.g., trained using machine learning) to determine when the alert profile 124 is no longer relevant to deactivate (or delete) the alert profile 124. The auditing software 122 may determine how long multiple alert profiles, including the alert profile 124, were active (e.g., using the timestamp 130). The auditing software 122 may determine that Y hours (where Y>0) is the average time that an alert profile is active and set a next alert profile to expire after Y hours. In some cases, if alert profiles have an associated severity, the average length of time that an alert profile is active may be determined for each severity).
As to claim 6, Seigel further discloses:
a.	wherein generating the alert comprises generating, with an artificially-intelligent chatbot, a natural language statement indicating the activity is approachingPage 46 of 51Docket No. MCU19301 or at capacity, and transmitting the natural language statement to a client device communicatively coupled to the server read on ¶ 0039 & ¶ 0049, (Alert profiles, such as the representative alert profile 124, may be used for a variety of purposes, including identifying malicious activity, preventing malicious activity from taking place, logging malicious activity and undoing the effects of the malicious activity, identifying ways to optimize (e.g., improve the operations of) the computer system 100, other activities related to the computer-system 100, or any combination therefore. For example, the alert profile 124 may be used to monitor and determine whether one or more of the databases 102, the user devices 104, or the servers 106 are being over-utilized (e.g., at or near maximum capacity) or under-utilized, where bottlenecks in the system 100 are occurring, etc. To illustrate, the alert profile 124 may monitor the databases 102 to identify when transaction throughput begins to decline, e.g., indicating that one of the databases 102 is nearly full (e.g., at or near full capacity, indicating that a new database is to be added, indicating that an existing database's capacity is to be increased, and the like. The alert profile 124 may be used to monitor and identify which of the user devices 104 are prone to being hacked, whether the user devices 104 are being over-utilized (e.g., more than a threshold number of users logging in to the same user device) and whether to add a new user device, whether the user devices 104 are being under-utilized (e.g., at least one of the user devices 104 is never used or used less than a threshold number of times in a particular time period) and whether to remove one or more of the user devices 104, and the like.  The event log 114(Q) may indicate a large number of transactions processed by one of the databases 102 within a short period of time. The auditing software 122 may determine that the event log 114(1) and the event log 114(Q) satisfy the conditions 126 and perform the actions 128, such as sending an alert message to a system administrator, raising an alert on a user interface used to monitor the computer system 100, locking out the user ID associated with the failed login attempts, locking one or more of the databases 102 to temporarily prevent access by a particular user or by all users, etc.  For example, after the auditing software determines that a particular set of event logs were received within a predetermined period of time, the auditing software may determine that the conditions associated with the alert profile have been satisfied, and cause one or more actions (e.g., sending an alert message to a system administrator) to be performed).
As to claim 7, Seigel further discloses:
a.	automatically deriving a model of the operational process from the event logs read on ¶ 0014, (monitor (e.g., in real time) event logs generated by multiple agents, determine when an event log is interesting, and create an alert profile associated with the event log.  An alert profile may be used to draw attention to a set of one or more event logs that have occurred. When conditions associated with the alert profile are satisfied, one or more actions may be performed).
As to claim 8, Seigel further discloses:
a.	automatically adjusting the model of the operational process based on the capacity of the activity read on ¶ 0014, (For example, due to a change in circumstances (e.g., a corporate restructuring etc.), the responsibilities of one or more individuals may be modified such that the individuals access more than two databases or access more than two servers within the particular period of time. The systems and techniques may be used to deactivate (or delete) the alert profile and create a new alert profile based on data gathered after the circumstances have changed). 
As to claim 10, the claim is corresponding to claim 1.  Therefore, the claim is rejected for the same rationales set forth for claim 1.  
As to claim 12, the claim is corresponding to claim 3.  Therefore, the claim is rejected for the same rationales set forth for claim 3.  
As to claim 13, the claim is corresponding to claim 4.  Therefore, the claim is rejected for the same rationales set forth for claim 4.  
As to claim 15, the claim is corresponding to claim 7.  Therefore, the claim is rejected for the same rationales set forth for claim 7.  
As to claim 16, the claim is corresponding to claim 8.  Therefore, the claim is rejected for the same rationales set forth for claim 8.  
As to claim 17, Seigel further discloses:
a.	wherein the instructions when executed further cause the processor to adjust an operation of one or more of the monitored systems based on the capacity read on ¶ 0014, (For example, the alert profile may specify that when a user identifier is used to attempt to access more than two databases or access more than two servers within a particular period of time, one or more actions are to be performed. The one or more actions may include notifying a particular user (e.g., system administrator), temporarily denying the user identifier access to predetermined set of resources, temporarily denying the user identifier access to all resources, using a camera (e.g., webcam) connected to a computing device to take a picture of a user that is using the user identifier, logging the keystrokes entered by the user, another action, or any combination thereof).
As to claim 18, the claim is corresponding to claim 1.  Therefore, the claim is rejected for the same rationales set forth for claim 1.  
As to claim 19, the claim is corresponding to claim 3.  Therefore, the claim is rejected for the same rationales set forth for claim 3.  
As to claim 20, Seigel further discloses:
a.	wherein the program is further configured to cause the operational processor to: automatically derive a model of the process from the event logs, and adjust the model based on the process capacity read on ¶ 0014, (for example, due to a change in circumstances (e.g., a corporate restructuring etc.), the responsibilities of one or more individuals may be modified such that the individuals access more than two databases or access more than two servers within the particular period of time. The systems and techniques may be used to deactivate (or delete) the alert profile and create a new alert profile based on data gathered after the circumstances have changed). 

5.	Claims 5, 9 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Seigel in view of Mathur (US 2018/0253373).
	As to claim 5, Seigel disclose all claim limitations except explicitly disclose graphic indication of the activity approaching or at the maximum capacity, and transmitting the graphical indication to a client device communicatively coupled to the server.
	However, Mathur in systems and methods for measuring performance metrics of apps teaches:
a.	wherein generating the alert comprises generating a graphical indication of the activity approaching or at the maximum capacity, and transmitting the graphical indication to a client device communicatively coupled to the server read on ¶ 0058 & Claim 1, (With reference to FIG. 7, FIG. 7 is a waterfall graph of instrumentation time for event logs in accordance with an embodiment. FIG. 7 illustrates in waterfall graph 700 event logging and processing time for events at the client, server and network. The waterfall graph 700 enables an app developer to visually monitor processing at different stages of the instrumentation and gives insight about a component or event processing at each stage. For example, an event may be processed faster at the server versus the network. There may be bottlenecks discerned at the network due to bandwidth allocation. In any event, by visually viewing the processing times of the instrumentation of the testing and monitoring debugging and amount of processing required for apps can be easily discovered. In an exemplary embodiment, the delay time 710 can be compared with the server time 720 and network time 730).  the at least one processor having an input to receive data from processors of the client, server, and network to present in a first instance in a waterfall graph of event logging and processing time for events across the client, server and network; and in a second instance to present in a flame graph for discrete events of creation time for each component on a page whereby a bottleneck in an event and component processing is identified visually at an event level across the client, server and network and at a component level across components of the page related to the client, server and network by a particular display of the waterfall and flame graphs).
Therefore, it would have been obvious to one having ordinary skill in the art at the time the invention was filed to incorporate the system and method for automated web performance testing for cloud apps in use-case scenarios of Mathur into Seigel in order to provide an adequate solution for desktop, laptop, mobile and server app performance testing which is cross-platform, device independent, and is scalable.
As to claim 9, the claim is corresponding to claim 3.  Therefore, the claim is rejected for the same rationales set forth for claim 5.  
As to claim 14, the claim is corresponding to claim 3.  Therefore, the claim is rejected for the same rationales set forth for claim 5.  

Allowable Subject Matter
6.	Claims 21 and 22 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.  However, an updated search will need to be performed after the next response from Applicant.


Response to Arguments
7.	Applicant's arguments with respect to claims 1, 3-10 and 12-20 have been fully considered but they are not persuasive. 
a.	Applicant argues:
The Office asserts that Seigel discloses “measuring transition time between activities of the process from the event logs; calculating, from the measured transition times, a capacity of the activity of the activities; and generating an alert indicating the activity approaching or at a maximum capacity of the activity responsive to the capacity above a threshold,” citing paragraphs [0014] and [0056]-[0058] of Seigel in support (Office action, pages 5-6).  However, there is no teaching or disclosure in Seigel of “measuring a plurality of transition times for the activity and calculating an average transition time for the activity from the plurality of transition times,” as required by claims 1 and 10.  Rather in support of its argument, the Office directs Applicant’s attention to paragraph [0035] of Seigel as disclosing “calculating an average transition time for the activity from the plurality of transition times” (Office action, page 7).  There is no teaching or suggestion in Seigel of a measurement of transition time between activities. Claim 3 additionally requires “calculating an average service time based on the average transition time, and calculating the capacity of the activity based on an average arrival rate and the average service time.”  Seigel does not teach or disclose “calculating an average service time based on the average transition time, and calculating the capacity of the activity based on an average arrival rate and the average service time.” While Seigel discloses monitoring databases to identify when transaction throughput begins to decline, there is no disclosure of calculating average service time or average transition time, or that the capacity is based on an average arrival rate and an average service time, as required by claim 3.
Examiner reply:
Seigel discloses in ¶ 0035 as “read on ¶ 0035, (when the auditing software 122 determines that the alert profile 124 is no longer relevant and deactivates (or deletes) the alert profile 124, the auditing software 122 may use the timestamp 130 to determine a length of time that the alert profile 124 was active. The auditing software 122 may use the length of time that the alert profile 124 was active to determine an average length of time associated with multiple alert profiles. The auditing software 122 may determine an expiration time period for a next alert profile based on the average length of time. To illustrate, the auditing software 122 may use a classifier (e.g., trained using machine learning) to determine when the alert profile 124 is no longer relevant to deactivate (or delete) the alert profile 124. The auditing software 122 may determine how long multiple alert profiles, including the alert profile 124, were active (e.g., using the timestamp 130). The auditing software 122 may determine that Y hours (where Y>0) is the average time that an alert profile is active and set a next alert profile to expire after Y hours. In some cases, if alert profiles have an associated severity, the average length of time that an alert profile is active may be determined for each severity).”  Seigel discloses the auditing software uses the length of time that the alert profile (event log) was active to determine an average length of time associated with multiple alert profiles.  Seigel further discloses in ¶ 0039 as “The alert profile 124 may be used to monitor and identify which of the user devices 104 are prone to being hacked, whether the user devices 104 are being over-utilized (e.g., more than a threshold number of users logging in to the same user device) and whether to add a new user device, whether the user devices 104 are being under-utilized (e.g., at least one of the user devices 104 is never used or used less than a threshold number of times in a particular time period) and whether to remove one or more of the user devices 104, and the like. The alert profile 124 may be used to monitor and identify which of the servers 106 are prone to being hacked (e.g., server 106(P) is hacked at least once a month), whether the servers 106 are being over-utilized (e.g., transaction throughput is at or near full capacity) and whether to add a new server, whether the servers 106 are being under-utilized (e.g., a number of transactions processed in a particular time period falls below a predetermined threshold) and whether to remove one or more of the servers 106, etc.).”  The alert profile monitors and determine whether one or more of the databases, the user devices, or the servers 106 are being over-utilized (e.g., at or near maximum capacity) or under-utilized, where bottlenecks in the system 100 are occurring, etc.
b.	Applicant further argues:
Regarding claim 6, in Seigel, the determination is made “after the auditing software determines that a particular set of event logs were received within a predetermined period of time” (Office action, page 10). However, this is not an alert based on the activities or any transition time between the activities as required by claim 6.  Claims 5, 9, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Seigel in view of U.S. Patent Application Publication No. 2018/0253373 (Mathur).  Applicant respectfully traverses this rejection. Claims 5 and 9 depend from claim 1, and claim 14 depends from claim 10. As argued above, Seigel does not teach or suggest the limitations of claims 1 and 10. Mathur does not cure this deficiency. Thus, at least by virtue of their dependency, Applicant respectfully requests that the rejection of claims 5, 9, and 14 be withdrawn. For at least these reasons, Applicant respectfully requests that this rejection be withdrawn.  
Examiner reply:
Claim 6 recites “a natural language statement indicating the activity is approaching at capacity, and transmitting the natural language statement to a client device communicatively coupled to the server”  Seigel in ¶ 0039 further discloses “Alert profiles, such as the representative alert profile 124, may be used for a variety of purposes, including identifying malicious activity, preventing malicious activity from taking place, logging malicious activity and undoing the effects of the malicious activity, identifying ways to optimize (e.g., improve the operations of) the computer system 100, other activities related to the computer-system 100, or any combination therefore. For example, the alert profile 124 may be used to monitor and determine whether one or more of the databases 102, the user devices 104, or the servers 106 are being over-utilized (e.g., at or near maximum capacity) or under-utilized, where bottlenecks in the system 100 are occurring, etc. To illustrate, the alert profile 124 may monitor the databases 102 to identify when transaction throughput begins to decline, e.g., indicating that one of the databases 102 is nearly full (e.g., at or near full capacity, indicating that a new database is to be added, indicating that an existing database's capacity is to be increased, and the like. The alert profile 124 may be used to monitor and identify which of the user devices 104 are prone to being hacked, whether the user devices 104 are being over-utilized (e.g., more than a threshold number of users logging in to the same user device) and whether to add a new user device, whether the user devices 104 are being under-utilized (e.g., at least one of the user devices 104 is never used or used less than a threshold number of times in a particular time period) and whether to remove one or more of the user devices 104, and the like.” 
 The examiner has considered the remark/presentation of claims in view of the disclosure and the present state of the prior art, and it is the examiner's position that the claims 1-22 are currently rejected for the reasons set forth in the above argument and this Office action.  
For the above reasons, it is believed that the rejections should be sustained.

Citation of pertinent Prior Arts
8.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: see PTO-892 Notice of References Cited.

Conclusion
9.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fekadeselassie Girma whose telephone number is (571) 270-5886.  The examiner can normally be reached on Monday thru Friday, 8:30 – 5:00.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph H. Feild can be reached on (571) 272-4090.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Fekadeselassie Girma/
Primary Examiner Art Unit 2689