DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-14, 16-18 and 20-30 are allowed.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/26/20 is being considered by the examiner.
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Jordan Becker on 3/17/22.
1.	(Currently amended)  A method comprising:
receiving events associated with activity by a plurality of entities in an information technology (IT) environment, wherein each event of the plurality of events includes a portion of raw machine data that reflects activity in the IT environment and that is produced by a component of the IT environment, wherein each event is associated with a timestamp extracted from the raw machine data;
accessing an entity relationship graph indicative of relationships and activity between a plurality of entities in the IT environment;
wherein the entity relationship graph includes:
a first node representative of a first entity of the plurality of entities;
a second node representative of a second entity of the plurality of entities; and
an edge connecting the first node to the second node, the edge including a directionality indicative of a direction of communication between the first entity and the second entity; 
updating the entity relationship graph based on the events;
determining that the first entity and/or the second entity is operating in a particular logical location in a topology of the IT environment;
monitoring the edge connecting the first node to the second node in response to determining that the first entity and/or the second entity is operating in the particular logical location in the topology of the IT environment;
detecting a change in a characteristic of the edge; and
detecting an anomaly in response to detecting the change in the characteristic of the edge.
4.	(Currently amended)  The method of claim 1, 
wherein the characteristic of the edge is indicative of a first client-server relationship between the first entity and the second entity, wherein the first client-server relationship is indicative that the first entity is a client and the second entity is a server, and 
wherein the anomaly is detected in response to detecting a change in the first client-server relationship to a second client-server relationship between the first entity and the second entity, wherein the second client-server relationship is indicative that the first entity is a server and the second entity is a client.
15.	(Cancelled).
19.	(Cancelled). 
29.	(Currently Amended)  A computer system comprising:
a processor; and 
a storage device having instructions stored thereon, which when executed by the processor cause the computer system to:
receive events associated with activity by a plurality of entities in an information technology (IT) environment, wherein each event of the plurality of events includes a portion of raw machine data that reflects activity in the IT environment and that is produced by a component of the IT environment, wherein each event is associated with a timestamp extracted from the raw machine data;
access an entity relationship graph indicative of relationships and activity between a plurality of entities in the IT environment;
wherein the entity relationship graph includes:
a first node representative of a first entity of the plurality of entities;
a second node representative of a second entity of the plurality of entities; and
an edge connecting the first node to the second node, the edge including a directionality indicative of a direction of communication between the first entity and the second entity; 
update the entity relationship graph based on the events;
determine that the first entity and/or the second entity is operating in a particular logical location in a topology of the IT environment;
monitor the edge connecting the first node to the second node in response to determining that the first entity and/or the second entity is operating in the particular logical location in the topology of the IT environment;
detect a change in a characteristic of the edge; and
detect an anomaly in response to detecting the change in the characteristic of the edge.
30.	(Currently Amended)  A non-transitory computer-readable medium containing instructions, execution of which in a computer system causes the computer system to:
receive events associated with activity by a plurality of entities in an information technology (IT) environment, wherein each event of the plurality of events includes a portion of raw machine data that reflects activity in the IT environment and that is produced by a component of the IT environment, wherein each event is associated with a timestamp extracted from the raw machine data;
access an entity relationship graph indicative of relationships and activity between a plurality of entities in the IT environment;
wherein the entity relationship graph includes:
a first node representative of a first entity of the plurality of entities;
a second node representative of a second entity of the plurality of entities; and
an edge connecting the first node to the second node, the edge including a directionality indicative of a direction of communication between the first entity and the second entity; 
update the entity relationship graph based on the events;
determine that the first entity and/or the second entity is operating in a particular logical location in a topology of the IT environment;
monitor the edge connecting the first node to the second node in response to determining that the first entity and/or the second entity is operating in the particular logical location in the topology of the IT environment;
detect a change in a characteristic of the edge; and
detect an anomaly in response to detecting the change in the characteristic of the edge.
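
The steps recited in claims 1 and 4 can be illustrated with a short sketch. It is an added example, not code from the application, the applicant or the examiner; the log format, entity names, logical locations and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample events (not from the application): raw connection log lines.
RAW_EVENTS = [
    "2022-03-17T10:00:01Z conn src=ws-17 dst=db-01 dport=5432",
    "2022-03-17T10:00:05Z conn src=ws-17 dst=web-02 dport=443",
    "2022-03-17T10:02:40Z conn src=ws-17 dst=db-01 dport=5432",
    "2022-03-17T10:07:12Z conn src=web-02 dst=ws-17 dport=445",
    "2022-03-17T10:09:30Z conn src=db-01 dst=ws-17 dport=4444",
]
# Hypothetical topology: entity -> logical location in the IT environment.
TOPOLOGY = {"ws-17": "user-lan", "web-02": "dmz", "db-01": "datacenter"}
MONITORED_LOCATIONS = {"datacenter"}

LINE = re.compile(r"^(\S+) conn src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_event(raw):
    """Extract the timestamp and the two entities from one raw line."""
    m = LINE.match(raw)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3)

def detect_role_reversals(raw_events, topology, monitored):
    """Update the graph per event; flag a monitored edge whose direction flips."""
    graph = {}      # frozenset({a, b}) -> (client, server) last observed
    anomalies = []
    for raw in raw_events:
        parsed = parse_event(raw)
        if parsed is None or parsed[1] == parsed[2]:
            continue  # skip unparseable lines and self-connections
        ts, client, server = parsed
        key = frozenset((client, server))
        previous = graph.get(key)
        graph[key] = (client, server)  # update the edge's directionality
        # Only edges touching an entity in a monitored location are watched.
        watched = any(topology.get(e) in monitored for e in key)
        # Claim 4 case: the former server now acts as client toward the former client.
        if watched and previous == (server, client):
            anomalies.append((ts.isoformat(), client, server))
    return anomalies
```

With the sample data, the web-02 to ws-17 reversal is not reported because neither entity is in a monitored location, while the db-01 to ws-17 reversal is.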


Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance:
The closest prior art of record, Muddu et al. U.S. Pub. No. 20170063910, discloses a security platform to detect security related anomalies and threats in a computer network environment, wherein the security platform performs user/entity behavioral analytics to detect the security related anomalies and threats based on a relationship graph generated based on user events/activities.
The closest prior art of record does not explicitly disclose, in light of other features recited in independent claims, receive events associated with activity by a plurality of entities in an information technology (IT) environment, wherein each event of the plurality of events includes a portion of raw machine data that reflects activity in the IT environment and that is produced by a component of the IT environment, wherein each event is associated with a timestamp extracted from the raw machine data;
update the entity relationship graph based on the events; determine that the first entity and/or the second entity is operating in a particular logical location in a topology of the IT environment; monitor the edge connecting the first node to the second node in response to determining that the first entity and/or the second entity is operating in the particular logical location in the topology of the IT environment.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Puri et al. U.S. Pub. No. 20170324759 discloses network sampling based path decomposition and anomaly detection.
Kesin et al. U.S. Pat. No. 9407652 discloses network anomaly detection.
Hitt et al. U.S. Pub. No. 20150229662 discloses method for identifying a threatening network.
Yang et al. U.S. Pub. No. 20170295193 discloses adaptive anomaly context description.
Yadav et al. U.S. Pub. No. 20160359872 discloses system for monitoring and managing datacenters.
Bower, III et al. U.S. Pub. No. 20170279844 discloses identifying and remediating at-risk resources in a computing environment.
Du et al. U.S. Pub. No. 20150256413 discloses network system with live topology mechanism.
Zimmermann et al. U.S. Pub. No. 20180027006 discloses method for securing an enterprise computing environment.
Davis et al. U.S. Pub. No. 20130191887 discloses social network based trust verification schema.
Davis U.S. Pub. No. 20130133052 discloses behavioral fingerprint device identification.
Davis et al. U.S. Pat. No. 9729549 discloses behavioral fingerprinting with adaptive development.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571)272-3789.  The examiner can normally be reached on Monday to Thursday 9am-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431