Notice of Pre-AIA or AIA Status
The present application, filed on or after June 05, 2019, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 05/18/2022 has been entered.
Claims 1, 3-5, 7-8, 10-12, 14-15, 17-19 and 21 are pending and are being considered.
Claims 1, 8, 12, 15 and 19 have been amended.
 
Response to 103 
Applicant's arguments filed on 05/18/2022 have been fully considered and are persuasive, but are moot in view of the new grounds of rejection. The arguments do not apply to the current art being used.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-5, 7-8, 10-12, 14-15, 17-19 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Navas (US 20100125574) in view of Zimmermann et al (hereinafter Zimmermann) (US 20180027006) and further in view of CICHON et al (hereinafter CICHON) (US 20170308800).

Regarding claim 1 Navas teaches A computer-implemented method, executed on a computing device, comprising (Navas on [Claim 1] teaches A computer-implemented method);
establishing connectivity with a plurality of security-relevant subsystems within a computing platform [[including utilizing a respective application program interface to access each of the plurality of security-relevant subsystems]] (Navas Fig 1 and text on [0029] teaches an enterprise system that supports federation of real-time event data. Enterprise network 100 illustrates a network of nodes LE nodes 110, 120, 130, and 140 within the enterprise for processing queries. Further teaches a client device that connects with enterprise network 100 that allows a user to interact with enterprise network 100 (i.e. connectivity with security-relevant subsystem). See also Fig 2-3 and text on [0060-0063 and 0066] teaches establishing connectivity between different nodes by sending and responding to request or query. See on [0104] teaches system 1000 may include multiple APIs (application programming interfaces) that enable a user to interact with LE server 1002. APIs 1018 represent such interfaces);
wherein each security- relevant subsystem of the plurality of security-relevant subsystems is configured to monitor and log their activity with respect to the computing platform (Navas on [0045 and 0065] teaches the LE system (i.e. referencing LE node 210-LE260 as security relevant sub-system) can monitor the event data, and detect when a particular event or series of events or conditions takes place (i.e. monitoring and logging activity). When detected, the LE system can clip and push the information to the user who queried for the particular event, series of events, or conditions);
receiving a unified query concerning logged files of the plurality of security-relevant subsystems with respect to the computing platform (Navas on [0023 and 0028] teaches receiving a query concerning event information and the response to the query is event data. See also on [0034] teaches generating and sending a query that represents monitoring of events (i.e. logged file) within the enterprise. See also [0080] teaches sending query concerning event data stored in LE server and returning the event data in response to the query);
distributing at least a portion of the unified query to the plurality of security- relevant subsystems, including (Navas Fig 2 and text on [0059-0061] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to node 230, 250 and Q2, Q4 is parsed to node 240 (i.e. distributing portion of query) accordingly response R1-R4 is generated as result of respective queries);
parsing the unified query to form a plurality of queries, wherein a specific query is defined for each of the plurality of security-relevant subsystems (Navas Fig 2 and text on [0059-0062 and 0066] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to node 230, 250 and Q2, Q4 is parsed to node 240 accordingly response R1-R4 is generated as result of respective queries);
and providing the specific query defined for each of the plurality of security- relevant subsystems to the respective security-relevant subsystems (Navas Fig 2 and text on [0059-0062, 0066] teaches distributing each of plurality of portion of queries Q1, Q2, Q3 and Q4 to each LE node 210, 220, 230 and 240. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to node 230, 250 and Q2, Q4 is parsed to node 240 accordingly response R1-R4 is generated as result of respective queries);
effectuating the at least a portion of the unified query on each of the plurality of security-relevant subsystems to generate a plurality of result sets (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. the query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The responses components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information. See also Fig 3 and text on [0066-0068] teaches the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing);
 receiving the plurality of result sets from the plurality of security-relevant subsystems (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. the query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The responses components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information (i.e. receiving plurality of result R1-R2). See also Fig 3 and text on [0066-0068] teaches the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing (i.e. the portion of query Q1-Q4 are processed at different nodes and respective response from each node is returned)).
Although Navas teaches multiple APIs that enable a user to interact with the server (Navas on [0104]), Navas fails to explicitly teach utilizing a respective application program interface to access each of the plurality of security-relevant subsystems, and processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure, including using artificial intelligence / machine learning to identify one or more commonalities amongst the plurality of results sets. However, Zimmermann, from analogous art, teaches utilizing a respective application program interface to access each of the plurality of security-relevant subsystems (Zimmermann on [0009] teaches systems for a cloud security fabric for providing enhanced security to one or more enterprise computing environments. The cloud security fabric has a plurality of enterprise APIs for connecting to the information technology infrastructure of at least one enterprise, a plurality of developer APIs for enabling developers to use capabilities of the fabric to develop applications, and a plurality of connector APIs by which the fabric may discover information about entities relating to the information security of the enterprise computing environment. See on [0102] teaches enterprise API 104 family may include a variety of APIs 104 by which an enterprise may benefit from connection or interaction with the CSF 100, including to receive outputs and results from each of the modules or components of the CSF 100, to deliver results and inputs to the CSF 100. See on [0108] teaches connector APIs 108 allow the CSF 100 to interact with and discover user accounts, data, event logs, applications and configuration in cloud platforms and in the applications that run on them or are developed on them (i.e. different APIs for performing different tasks on security-relevant subsystems, interpreted in view of [0160] of the instant application)).

Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Zimmermann into the teaching of Navas by having a system with multiple APIs and utilizing respective APIs for accessing each of the plurality of security-relevant subsystems. One would be motivated to do so in order to improve enterprise data security in a security-relevant system using a plurality of connector APIs within the enterprise computing environment with no impact on the performance of the enterprise environment (Zimmermann [0009 and 0014]).
Although the combination of Navas and Zimmermann teaches that the system identifies identical or common event information and merges the queries, and that the system utilizes a machine learning model, the combination fails to explicitly teach processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure, including using artificial intelligence / machine learning to identify one or more commonalities amongst the plurality of results sets. However, CICHON, from analogous art, teaches processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure, including using artificial intelligence / machine learning to identify one or more commonalities amongst the plurality of results sets (CICHON on [0037] teaches the AI combination platform uses middleware that can adjust or translate a common data stream for use in a multitude of different algorithms to enable the resulting different outputs (i.e. plurality of results) to be readily compared. Furthermore, the AI combination platform also outputs the results of multiple algorithms in a common output format for ready visualization, comparison and understanding. See also [0066 and 0084-0085] teaches AI technique to transform one or more results into a common format easily readable by the user).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of CICHON into the combined teaching of Navas and Zimmermann by processing, utilizing an AI / machine learning model, one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format. One would be motivated to do so in order to provide efficient and effective utilization of the plurality of result sets calculated based on the event using artificial intelligence (CICHON on [0005-0008]).

Regarding claim 8 Navas teaches A computer program product residing on a non-transitory computer readable medium having a plurality of instructions stored thereon which, when executed by a processor, cause the processor to perform operations comprising (Navas on [0127] teaches Memory 1120 may include read-only memory (ROM), flash memory, one or more varieties of random-access memory (RAM), or the like, or a combination of such devices. Memory 1120 stores data and instructions for performing operations, including interacting with user clients, data sources, and/or other event server nodes);
establishing connectivity with a plurality of security-relevant subsystems within a computing platform [[including utilizing a respective application program interface to access each of the plurality of security-relevant subsystems]] (Navas Fig 1 and text on [0029] teaches an enterprise system that supports federation of real-time event data. Enterprise network 100 illustrates a network of nodes LE nodes 110, 120, 130, and 140 within the enterprise for processing queries. Further teaches a client device that connects with enterprise network 100 that allows a user to interact with enterprise network 100 (i.e. connectivity with security-relevant subsystem). See also Fig 2-3 and text on [0060-0063 and 0066] teaches establishing connectivity between different nodes by sending and responding to request or query. See on [0104] teaches system 1000 may include multiple APIs (application programming interfaces) that enable a user to interact with LE server 1002. APIs 1018 represent such interfaces);
wherein each security- relevant subsystem of the plurality of security-relevant subsystems is configured to monitor and log their activity with respect to the computing platform (Navas on [0045 and 0065] teaches the LE system (i.e. referencing LE node 210-LE260 as security relevant sub-system) can monitor the event data, and detect when a particular event or series of events or conditions takes place (i.e. monitoring and logging activity). When detected, the LE system can clip and push the information to the user who queried for the particular event, series of events, or conditions);
receiving a unified query concerning logged files of the plurality of security-relevant subsystems with respect to the computing platform (Navas on [0023 and 0028] teaches receiving a query concerning event information and the response to the query is event data. See also on [0034] teaches generating and sending a query that represents monitoring of events (i.e. logged file) within the enterprise. See also [0080] teaches sending query concerning event data stored in LE server and returning the event data in response to the query);
distributing at least a portion of the unified query to the plurality of security- relevant subsystems, including (Navas Fig 2 and text on [0059-0061] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to node 230, 250 and Q2, Q4 is parsed to node 240 (i.e. distributing portion of query) accordingly response R1-R4 is generated as result of respective queries);
parsing the unified query to form a plurality of queries, wherein a specific query is defined for each of the plurality of security-relevant subsystems (Navas Fig 2 and text on [0059-0062 and 0066] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to node 230, 250 and Q2, Q4 is parsed to node 240 accordingly response R1-R4 is generated as result of respective queries);
and providing the specific query defined for each of the plurality of security- relevant subsystems to the respective security-relevant subsystems (Navas Fig 2 and text on [0059-0062, 0066] teaches distributing each of plurality of portion of queries Q1, Q2, Q3 and Q4 to each LE node 210, 220, 230 and 240. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to node 230, 250 and Q2, Q4 is parsed to node 240 accordingly response R1-R4 is generated as result of respective queries);
effectuating the at least a portion of the unified query on each of the plurality of security-relevant subsystems to generate a plurality of result sets (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. the query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The responses components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information. See also Fig 3 and text on [0066-0068] teaches the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing);
 receiving the plurality of result sets from the plurality of security-relevant subsystems (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. the query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The responses components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information (i.e. receiving plurality of result R1-R2). See also Fig 3 and text on [0066-0068] teaches the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing (i.e. the portion of query Q1-Q4 are processed at different nodes and respective response from each node is returned)).
Although Navas teaches multiple APIs that enable a user to interact with the server (Navas on [0104]), Navas fails to explicitly teach utilizing a respective application program interface to access each of the plurality of security-relevant subsystems, and processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure, including using artificial intelligence / machine learning to identify one or more commonalities amongst the plurality of results sets. However, Zimmermann, from analogous art, teaches utilizing a respective application program interface to access each of the plurality of security-relevant subsystems (Zimmermann on [0009] teaches systems for a cloud security fabric for providing enhanced security to one or more enterprise computing environments. The cloud security fabric has a plurality of enterprise APIs for connecting to the information technology infrastructure of at least one enterprise, a plurality of developer APIs for enabling developers to use capabilities of the fabric to develop applications, and a plurality of connector APIs by which the fabric may discover information about entities relating to the information security of the enterprise computing environment. See on [0102] teaches enterprise API 104 family may include a variety of APIs 104 by which an enterprise may benefit from connection or interaction with the CSF 100, including to receive outputs and results from each of the modules or components of the CSF 100, to deliver results and inputs to the CSF 100. See on [0108] teaches connector APIs 108 allow the CSF 100 to interact with and discover user accounts, data, event logs, applications and configuration in cloud platforms and in the applications that run on them or are developed on them (i.e. different APIs for performing different tasks on security-relevant subsystems, interpreted in view of [0160] of the instant application)).

Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Zimmermann into the teaching of Navas by having a system with multiple APIs and utilizing respective APIs for accessing each of the plurality of security-relevant subsystems. One would be motivated to do so in order to improve enterprise data security in a security-relevant system using a plurality of connector APIs within the enterprise computing environment with no impact on the performance of the enterprise environment (Zimmermann [0009 and 0014]).
Although the combination of Navas and Zimmermann teaches that the system identifies identical or common event information and merges the queries, and that the system utilizes a machine learning model, the combination fails to explicitly teach processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure, including using artificial intelligence / machine learning to identify one or more commonalities amongst the plurality of results sets. However, CICHON, from analogous art, teaches processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure, including using artificial intelligence / machine learning to identify one or more commonalities amongst the plurality of results sets (CICHON on [0037] teaches the AI combination platform uses middleware that can adjust or translate a common data stream for use in a multitude of different algorithms to enable the resulting different outputs (i.e. plurality of results) to be readily compared. Furthermore, the AI combination platform also outputs the results of multiple algorithms in a common output format for ready visualization, comparison and understanding. See also [0066 and 0084-0085] teaches AI technique to transform one or more results into a common format easily readable by the user).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of CICHON into the combined teaching of Navas and Zimmermann by processing, utilizing an AI / machine learning model, one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format. One would be motivated to do so in order to provide efficient and effective utilization of the plurality of result sets calculated based on the event using artificial intelligence (CICHON on [0005-0008]).

Regarding claim 15 Navas teaches a computing system including a processor and memory configured to perform operations comprising (Navas on [0126-0128] teaches Computing system 1100 includes one or more processors 1110, which executes instructions and may perform various operations. Memory 1120 represents the main memory of the computing system 1100, and provides temporary storage for code);
establishing connectivity with a plurality of security-relevant subsystems within a computing platform [[including utilizing a respective application program interface to access each of the plurality of security-relevant subsystems]] (Navas Fig 1 and text on [0029] teaches an enterprise system that supports federation of real-time event data. Enterprise network 100 illustrates a network of nodes LE nodes 110, 120, 130, and 140 within the enterprise for processing queries. Further teaches a client device that connects with enterprise network 100 that allows a user to interact with enterprise network 100 (i.e. connectivity with security-relevant subsystem). See also Fig 2-3 and text on [0060-0063 and 0066] teaches establishing connectivity between different nodes by sending and responding to request or query. See on [0104] teaches system 1000 may include multiple APIs (application programming interfaces) that enable a user to interact with LE server 1002. APIs 1018 represent such interfaces);
wherein each security- relevant subsystem of the plurality of security-relevant subsystems is configured to monitor and log their activity with respect to the computing platform (Navas on [0045 and 0065] teaches the LE system (i.e. referencing LE node 210-LE260 as security relevant sub-system) can monitor the event data, and detect when a particular event or series of events or conditions takes place (i.e. monitoring and logging activity). When detected, the LE system can clip and push the information to the user who queried for the particular event, series of events, or conditions);
receiving a unified query concerning logged files of the plurality of security-relevant subsystems with respect to the computing platform (Navas on [0023 and 0028] teaches receiving a query concerning event information and the response to the query is event data. See also on [0034] teaches generating and sending a query that represents monitoring of events (i.e. logged file) within the enterprise. See also [0080] teaches sending query concerning event data stored in LE server and returning the event data in response to the query);
distributing at least a portion of the unified query to the plurality of security- relevant subsystems, including (Navas Fig 2 and text on [0059-0061] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to node 230, 250 and Q2, Q4 is parsed to node 240 (i.e. distributing portion of query) accordingly response R1-R4 is generated as result of respective queries);
parsing the unified query to form a plurality of queries, wherein a specific query is defined for each of the plurality of security-relevant subsystems (Navas Fig 2 and text on [0059-0062 and 0066] teaches LE node 210 is the access node for the user that generates query 202. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to node 230, 250 and Q2, Q4 is parsed to node 240 accordingly response R1-R4 is generated as result of respective queries);
and providing the specific query defined for each of the plurality of security- relevant subsystems to the respective security-relevant subsystems (Navas Fig 2 and text on [0059-0062, 0066] teaches distributing each of plurality of portion of queries Q1, Q2, Q3 and Q4 to each LE node 210, 220, 230 and 240. Thus, node 210 receives the query for LE system 200, and parses the query into component parts Q1, Q3, and Q2+Q4. LE node 220 may receive the queries and route them to the data sources. Q1 is parsed to node 230, 250 and Q2, Q4 is parsed to node 240 accordingly response R1-R4 is generated as result of respective queries);
effectuating the at least a portion of the unified query on each of the plurality of security-relevant subsystems to generate a plurality of result sets (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. the query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The responses components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information. See also Fig 3 and text on [0066-0068] teaches the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing);
 receiving the plurality of result sets from the plurality of security-relevant subsystems (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. the query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The responses components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information (i.e. receiving plurality of result R1-R2). See also Fig 3 and text on [0066-0068] teaches the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing (i.e. the portion of query Q1-Q4 are processed at different nodes and respective response from each node is returned)).
Although the combination of Navas teaches multiple APIs that enable a user to interact with a server (Navas on [0104]), it fails to explicitly teach utilizing a respective application program interface to access each of the plurality of security-relevant subsystems, and processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure, including using artificial intelligence / machine learning to identify one or more commonalities amongst the plurality of results sets. However, Zimmermann, from analogous art, teaches utilizing a respective application program interface to access each of the plurality of security-relevant subsystems (Zimmermann on [0009] teaches systems for a cloud security fabric for providing enhanced security to one or more enterprise computing environments. The cloud security fabric has a plurality of enterprise APIs for connecting to the information technology infrastructure of at least one enterprise, a plurality of developer APIs for enabling developers to use capabilities of the fabric to develop applications, and a plurality of connector APIs by which the fabric may discover information about entities relating to the information security of the enterprise computing environment. See [0102], which teaches that the enterprise API 104 family may include a variety of APIs 104 by which an enterprise may benefit from connection or interaction with the CSF 100, including to receive outputs and results from each of the modules or components of the CSF 100, to deliver results and inputs to the CSF 100. See [0108], which teaches that connector APIs 108 allow the CSF 100 to interact with and discover user accounts, data, event logs, applications and configuration in cloud platforms and in the applications that run on them or are developed on them (i.e. different APIs for performing different tasks on security-relevant subsystems, interpreted in view of [0160] of the instant application)).

Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Zimmermann into the teaching of Navas by having a system with multiple APIs and utilizing respective APIs for accessing each of the plurality of security-relevant subsystems. One would be motivated to do so in order to improve enterprise data security in security-relevant systems using a plurality of connector APIs within the enterprise computing environment with no impact on the performance of the enterprise environment (Zimmermann [0009 and 0014]).
Although the combination of Navas and Zimmermann teaches that the system identifies identical or common event information and merges the queries, and that the system utilizes a machine learning model, it fails to explicitly teach processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure, including using artificial intelligence / machine learning to identify one or more commonalities amongst the plurality of results sets. However, CICHON, from analogous art, teaches processing one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format, a common nomenclature, and a common structure, including using artificial intelligence / machine learning to identify one or more commonalities amongst the plurality of results sets (CICHON on [0037] teaches that the AI combination platform uses middleware that can adjust or translate a common data stream for use in a multitude of different algorithms to enable the resulting different outputs (i.e. plurality of results) to be readily compared. Furthermore, the AI combination platform also outputs the results of multiple algorithms in a common output format for ready visualization, comparison and understanding. See also [0066 and 0084-0085], which teach an AI technique to transform one or more results into a common format easily readable by the user).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of CICHON into the combined teaching of Navas and Zimmermann by processing, utilizing an AI / machine learning model, one or more results sets of the plurality of result sets so that the results sets all have at least one of a common format. One would be motivated to do so in order to provide efficient and effective utilization of the plurality of result sets calculated based on the event using artificial intelligence (CICHON on [0005-0008]).
Regarding claims 3, 10 and 17, the combination of Navas, Zimmermann and CICHON teaches all the limitations of claims 1, 8 and 15 respectively. Navas further teaches further comprising: combining the plurality of result sets to form a unified query result (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. The query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The response components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information. See also Fig. 3 and the text on [0066-0068], which teaches that the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing. See [0094], which teaches that the event server combines a complete response from the separate query component responses received from all data sources, 724. Combining of a response may be to combine multiple component responses, each to a different query component segment).

Regarding claims 4, 11 and 18, the combination of Navas, Zimmermann and CICHON teaches all the limitations of claims 3, 10 and 17 respectively. Navas further teaches wherein combining the plurality of result sets to form a unified query result includes: homogenizing the plurality of result sets to form the unified query result (Navas on [0059-0060 and 0062] teaches an enterprise system that separates event queries into component parts and combines results for the component part queries. The query response components are designated R1, R2, R3, and R4, referring to respective responses for query segments Q1, Q2, Q3, and Q4. The response components R1, R2, R3, and R4 represent event data that can be returned as data objects, actionable content, or some other form. The separate response components can then be selectively combined or joined to form a complete response. The responses are all combined as returned to provide the desired information (i.e. mixing or combining the result is equivalent to homogenizing the result). See also Fig. 3 and the text on [0066-0068], which teaches that the solid arrows represent the queries, while the dashed arrows represent responses that will be returned. At LE node 342, queries 312 and 322 will be parsed into the component segments illustrated, while LE node 344 will perform similar parsing for query 332. For purposes of simplicity in this example, consider that each query is completely parsed, rather than having a process of iterative parsing. See [0094], which teaches that the event server combines a complete response from the separate query component responses received from all data sources, 724. Combining of a response may be to combine multiple component responses, each to a different query component segment).
Regarding claims 5, 12 and 19, the combination of Navas, Zimmermann and CICHON teaches all the limitations of claims 3, 10 and 17 respectively. Navas further teaches further comprising: providing the unified query result to the third-party (Navas on [0094] teaches that the event server combines a complete response from the separate query component responses received from all data sources, 724. Combining of a response may be to combine multiple component responses, each to a different query component segment, as well as combining multiple responses for the same query component segment received from multiple different data sources. Combining the response may require processing of the data. The event server returns the response to the user 726 (i.e. third party). See [0028], which teaches that the data sources provide a response to the query processing entities (i.e. also as a third party), which then return results to the query source. See [0068], which teaches that the responses to the queries are sent back to LE node 342, which can then return the response components corresponding to the query components to user 310, as well as to LE node 344, which can return the response components to user 330).

Regarding claims 7, 14 and 21, the combination of Navas, Zimmermann and CICHON teaches all the limitations of claims 1, 8 and 15 respectively. Navas further teaches wherein the plurality of security-relevant subsystems includes one or more of: a data lake; a data log; a security-relevant software application; a security-relevant hardware system; and a resource external to the computing platform (Navas on [0026, 0032, 0058] teaches that an enterprise system refers to the network of computers and interconnection equipment within a company or organization. The enterprise system includes software components such as the servers and management systems. Each element of hardware and software within the enterprise system may be referred to as a subsystem, or simply "system" (thus, the enterprise system may be considered a system of systems). The enterprise system as described herein includes data sources. The data sources may be any subsystem (e.g., supply chain management (SCM), enterprise resource planning (ERP), human resources, customer relations management (CRM), information technology (IT), etc.), database).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Williams et al. (US 20190332667) is directed towards a method for automatically cross-linking a plurality of APIs in an artificial intelligence (AI) graph structure, which comprises maintaining an AI graph structure defining a plurality of API-agnostic semantic entities, a plurality of function nodes, a plurality of input-adapter edges, and a plurality of output-adapter edges. The method further comprises cross-linking a new function from a new API by computer-analyzing documentation of the new API with a natural language processing (NLP) machine in order to recognize the new function.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522.  The examiner can normally be reached on 7AM-5PM EST M-TH Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 


/MOEEN KHAN/Examiner, Art Unit 2436