DETAILED ACTION
Claim Status
Applicant's submission filed on 05/12/2022 has been entered. Claim 14 has been canceled. New claim 31 has been added. Claims 1-13 and 15-31 are pending in the application.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner’s amendment was given in an interview with Eric Sellars on 06/02/2022. 

The application has been amended as follows:
Please amend Claim 1 to recite the following:
“A computer-implemented method performed by a configuration server coupled to a network, the method comprising:
receiving input defining an ephemeral event stream to be generated by a remote capture agent, the input indicating:
a first search query to be executed against timestamped event data generated by the remote capture agent based on network traffic monitored by the remote capture agent, wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment, and wherein identification of at least one timestamped event satisfying the search query causes the remote capture agent to generate the ephemeral event stream,
an identifier of a network protocol used by network packets from which the ephemeral event stream is to be generated, and
an amount of time the remote capture agent is to generate timestamped event data to be included in the ephemeral event stream, wherein the timestamped event data is generated by the remote capture agent based on the network packets monitored by the remote capture agent;
generating, based on the input, configuration information that includes settings to be used by the remote capture agent to generate the ephemeral event stream;
sending, via the network, the configuration information to the remote capture agent; 
causing display of a graphical user interface (GUI) including identifiers of a plurality of event streams, wherein the plurality of event streams includes the ephemeral event stream;
receiving, via the GUI, a second search query identifying an event stream attribute;
executing the second search query to identify a subset of the plurality of event streams associated with the event stream attribute, wherein the subset of the plurality of event streams includes the ephemeral event stream; and
causing display of identifiers of event streams in the subset of the plurality of event streams.”

Please amend Claim 5 to recite the following:
“The method of claim 1, wherein the GUI further includes event stream information for the ephemeral event stream, and wherein the event stream information for the ephemeral event stream includes at least one of: a name of the ephemeral event stream, a number of instances of the ephemeral event stream, an application associated with the ephemeral event stream, a start time of the ephemeral event stream, an end time of the ephemeral event stream, a time remaining for generation of event data associated with the ephemeral event stream, or a status of the ephemeral event stream.”

Please amend Claim 6 to recite the following:
“The method of claim 1, wherein the GUI includes an interface element that, upon selection, causes an action to be applied to a set of user-selected ephemeral event streams.”

Please amend Claim 7 to recite the following:
“The method of claim 1, wherein the input is first input, and wherein the method further comprises:
receiving second input selecting a set of ephemeral event streams including the ephemeral event stream; and
causing display, in the GUI, of event stream information for the set of ephemeral event streams.”

Please amend Claim 8 to recite the following:
“The method of claim 1, wherein the input is first input, and wherein the method further comprises:
receiving second input selecting a set of ephemeral event streams including the ephemeral event stream, wherein the input selecting the set of ephemeral event streams is based on an event stream attribute, and wherein the event stream attribute is at least one of: a category associated with the set of ephemeral event streams, a protocol used by network packets associated with the set of ephemeral event streams, an application used to create the set of ephemeral event streams, or an event stream lifecycle associated with the set of ephemeral event streams; and
causing display, in the GUI, of event stream information for the set of ephemeral event streams.”

Please amend Claim 11 to recite the following:
“The method of claim 1, further comprising:
causing display, in the GUI, of event stream information, the event stream information including information related to a plurality of ephemeral event streams including the ephemeral event stream; and
sorting the event stream information by an event stream attribute associated with each of the plurality of ephemeral event streams.”

Please amend Claim 12 to recite the following:
“The method of claim 1, further comprising:
causing display, in the GUI, of event stream information, the event stream information including information related to a plurality of ephemeral event streams including the ephemeral event stream; and
sorting the event stream information by an event stream attribute associated with each of the plurality of ephemeral event streams, wherein the event stream attribute is at least one of: a name associated with each ephemeral event stream of the plurality of ephemeral event streams, a number of ephemeral event streams in the plurality of ephemeral event streams, an application used to create each of the ephemeral event streams of the plurality of ephemeral event streams, a start time associated with each ephemeral event stream of the plurality of ephemeral event streams, an end time associated with each ephemeral event stream of the plurality of ephemeral event streams, an amount of remaining time associated with each ephemeral event stream of the plurality of ephemeral event streams, and a status of each ephemeral event stream of the plurality of ephemeral event streams.”

Please amend Claim 16 to recite the following:
“The method of claim 1, wherein the GUI further includes: event stream information for the ephemeral event stream, and an interface element used to navigate between the event stream information and creation information for a creator of the ephemeral event stream.”

Please amend Claim 17 to recite the following:
“The method of claim 1, wherein the GUI further includes: event stream information for the ephemeral event stream, and an interface element for navigating between the event stream information and creation information for a creator of the ephemeral event stream, wherein the creator of the ephemeral event stream is at least one of: an application for monitoring network traffic captured by the remote capture agent, or a capture trigger for generating additional timestamped event data from the network packets based on a security risk.”

Please amend Claim 19 to recite the following:
“The method of claim 1, wherein the GUI further includes event stream information related to at least one permanent event stream

Please amend Claim 20 to recite the following:
“The method of claim 1, wherein the GUI further includes event stream information for the ephemeral event stream, the event stream information including a description of a capture trigger that caused generation of the ephemeral event stream.”

Please amend Claim 21 to recite the following:
“The method of claim 1, wherein the GUI further includes a visualization of a metric related to the ephemeral event stream.”

Please amend Claim 22 to recite the following:
“The method of claim 1, wherein the GUI further includes event stream information for a plurality of ephemeral event streams, the event stream information including a plurality of inline visualizations of a metric associated with each of the plurality of ephemeral event streams.”

Please amend Claim 23 to recite the following:
“The method of claim 1, wherein the input defining the ephemeral event stream is received via the GUI.”

Please amend Claim 24 to recite the following:
“The method of claim 1, wherein the GUI further includes event stream information for the ephemeral event stream, the event stream information including an indication of a number of notable events associated with the ephemeral event stream.”

Please amend Claim 25 to recite the following:
“The method of claim 1, wherein the GUI further includes event stream information for a plurality of ephemeral event streams including the ephemeral event stream, the event stream information including an aggregated metric for the plurality of ephemeral event streams.”

Please amend Claim 26 to recite the following:
“The method of claim 1, wherein the GUI further includes a graph of a metric associated with the ephemeral event stream, wherein the graph of the metric is updated as additional timestamped event data associated with the ephemeral event stream is received.”

Please amend Claim 29 to recite the following:
“An apparatus, comprising:
one or more processors; and
memory storing instructions that, when executed by the one or more processors, cause the apparatus to:
receive input defining an ephemeral event stream to be generated by a remote capture agent, the input indicating:
a first search query to be executed against timestamped event data generated by the remote capture agent based on network traffic monitored by the remote capture agent, wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment, and wherein identification of at least one timestamped event satisfying the search query causes the remote capture agent to generate the ephemeral event stream,
an identifier of a network protocol used by network packets from which the ephemeral event stream is to be generated, and
an amount of time the remote capture agent is to generate timestamped event data to be included in the ephemeral event stream, wherein the timestamped event data is generated by the remote capture agent based on the network packets monitored by the remote capture agent;
generate, based on the input, configuration information that includes settings to be used by the remote capture agent to generate the ephemeral event stream;
send, via the network, the configuration information to the remote capture agent;
cause display of a graphical user interface (GUI) including identifiers of a plurality of event streams, wherein the plurality of event streams includes the ephemeral event stream; 
receive, via the GUI, a second search query identifying an event stream attribute;
execute the second search query to identify a subset of the plurality of event streams associated with the event stream attribute, wherein the subset of the plurality of event streams includes the ephemeral event stream; and
cause display of identifiers of event streams in the subset of the plurality of event streams.”

Please amend Claim 30 to recite the following:
“A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform operations for facilitating processing of network data, the operations comprising:
receiving input defining an ephemeral event stream to be generated by a remote capture agent, the input indicating:
a first search query to be executed against timestamped event data generated by the remote capture agent based on network traffic monitored by the remote capture agent, wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment, and wherein identification of at least one timestamped event satisfying the search query causes the remote capture agent to generate the ephemeral event stream,
an identifier of a network protocol used by network packets from which the ephemeral event stream is to be generated, and
an amount of time the remote capture agent is to generate timestamped event data to be included in the ephemeral event stream, wherein the timestamped event data is generated by the remote capture agent based on the network packets monitored by the remote capture agent;
generating, based on the input, configuration information that includes settings to be used by the remote capture agent to generate the ephemeral event stream;
sending, via the network, the configuration information to the remote capture agent; 
causing display of a graphical user interface (GUI) including identifiers of a plurality of event streams, wherein the plurality of event streams includes the ephemeral event stream;
receiving, via the GUI, a second search query identifying an event stream attribute;
executing the second search query to identify a subset of the plurality of event streams associated with the event stream attribute, wherein the subset of the plurality of event streams includes the ephemeral event stream; and
causing display of identifiers of event streams in the subset of the plurality of event streams.”


Allowable Subject Matter
Claims 1-13 and 15-31 are allowed.
The following is an examiner’s statement of reasons for allowance:
The prior art in the field, such as Dugatkin (US 20050021715 A1), teaches that a network testing system may include collectors to capture, collect, filter and perform other operations on network traffic collected from a network. The collectors may review, capture and otherwise obtain network traffic and network traffic data according to system-defined and/or user-defined constraints. The constraints may include a “start trigger” and a “stop trigger”. The triggers may specify events that cause the collectors to begin or cease capturing network traffic.
Malloy (US 20070067450 A1) teaches an on-demand mode wherein the capturing of network traffic is explicitly started and stopped by a user or some predefined triggering event. A capture agent is a network monitoring tool, commonly referred to as a “sniffer” or “protocol analyzer”, that is used to capture network traffic data. Multiple capture agents can be placed at various points within a network and are configured to monitor the traffic flowing through those points.
Hastwell (US 8958318 B1) teaches that the network flow is monitored for the occurrence of at least one predetermined triggering event. In response to detecting the triggering event, at least a portion of one or more of the packets received after the triggering event is captured. Detectable triggering events (e.g., a security incident) may include, for example, Address Resolution Protocol (ARP) inspection violations (e.g., dynamic ARP inspection (DAI) violations), Dynamic Host Configuration Protocol (DHCP) snooping violations, Internet Protocol (IP) spoofing attacks (e.g., IP Source Guard violations), port security violations, etc.
Claudatos (US 20080159146 A1) teaches that various methods and formats may be used for logging data derived from the network traffic (e.g., events). The database may be used to contain records where each record could contain the traffic file itself (such as a .cap, .pcap file, etc.) and all the relevant data (e.g., can include the events of the ephemeral event streams) as well as additional data derived and/or extracted from the traffic itself so that the record can be easily searched.
The prior art of record fails to explicitly teach each and every limitation recited in the amended independent claims 1, 29 and 30.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZI YE whose telephone number is (571)270-1039. The examiner can normally be reached Monday - Friday, 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise, can be reached on 5712723865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ZI YE/Primary Examiner, Art Unit 2455