DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This office action is in response to the amendment filed on 05/16/2022.
Claims 1 and 13 are pending in the application.
Claims 11-12 are cancelled.
The 101 rejections against claims 1-10 and 13 as being abstract ideas are maintained because the Applicant’s arguments are not persuasive; please see the Response to Applicant’s Arguments section below.
Response to Applicant’s Arguments
Applicant’s Remarks filed on 05/16/2022
Regarding the 101 abstract idea rejections of claims 1-10 and 13-15, the Applicant argues in the Remarks filed on 05/16/2022, starting near the top of page 2, that “Applicant reiterates the arguments from the response filed January 21, 2022 to preserve the arguments for appeal” and, near the bottom of page 3, “Applicant disagrees with the Examiner and reiterates the arguments from the response filed January 21, 2022 to preserve the arguments for appeal. Further, Applicant reiterates computer security (e.g., allowing or denying access to a network) is a practical application. Moreover, Applicant has amended claim 13 similarly to claim 1, so the arguments above are reiterated here”. Applicant’s arguments have been fully considered but they are not persuasive because they do not add any new argument that has not already been responded to and merely repeat arguments that have already been responded to (see MPEP 707.07(f) ¶7.37).
	The Applicant further argues starting near the top of page 2 of the Remarks, “Further, Applicant has amended claims to include that the first object is written to a different subsection of the big-data repository than the subsection that was monitored for the first event. The Examiner indicates that the monitoring and performing searches elements are mental functions that can be performed by a human and that the other elements can be performed by a human with a general-purpose computer. Applicant respectfully disagrees.” Applicant’s arguments have been fully considered but the Examiner respectfully disagrees because they are not persuasive. Specifically,
	Starting near the bottom of page 2 of the Remarks, the Applicant argues “Claim 2 of Example 37 was deemed to have patent eligible subject matter, because the processor had to keep track of memory. From the explanation of the example 37, under Step 2A prong 1: "the 'determining step' now requires action by a processor that cannot be practically applied in the mind. 
In particular, the claimed step of determining the amount of use of each icon by tracking how much memory has been allocated to each application associated with each icon over a predetermined period of time is not practically performed in the human mind, at least because it requires a processor accessing computer memory indicative of application usage. Similarly, the monitoring elements of claim 1 of the present application cannot be performed by the human mind, because the human mind cannot monitor the memory of a big- data repository for a new item being written to the memory of the big-data environment. Specifically, there are different subsections of memory (a big-data environment by definition requiring computer memory) being monitored for events, as recited in claim 1. The monitoring step requires action by a processor that cannot be practically applied in the mind. In particular, the monitoring step is not practically performed in the human mind, at least because it requires a processor accessing computer memory indicative of changes to the memory of an addition of a new item. Also, in reply to the Examiner indication that "monitoring data, when recited at a high level of generality" is merely observation. However, in amended claim 1, memory is monitored specifically for an addition of an entry into a first subsection of the big-data environment - not just monitored for at a high level of generality. Monitoring memory for application usage and monitoring memory for an additional entry are a similar level of specificity - not generality. Further, claim 1 includes that the monitoring is performed by a big-data monitoring tool (i.e., specific program running by the processor). As such, Applicant respectfully submits that the monitoring elements are not abstract ideas, similar to monitoring memory usage. Therefore, like claim 2 of example 37, Applicant submits that claim 1 recites patent-eligible subject matter.” 	The Examiner respectfully disagrees.  
Example 37, claim 2 specifically uses the amount of memory that is allocated to each application associated with each icon. The amount of memory used in association with each icon cannot be simulated by a human brain (such as by rendering the icon in the brain to find out the amount of memory used). On the other hand, merely monitoring (observing) for the arrival of some data is not specific to the inner workings of a computer. When considering whether the use of two subsections of memory is tangential to the claim or significant, the Examiner finds that the use of different subsections of memory is insignificant and arbitrary (i.e. tangential to the claim). The instant specification further confirms this in ¶25 by indicating that the same subsection can be used, without any specific reason why different subsections would provide an unexpected benefit or unexpected result (instant spec. ¶25, the object can be written to that subset of machine generated logs in the data repository or to a different subset of machine-generated logs in the data repository). According to MPEP 2144.04 (V)(C) and In re Dulberg, 289 F.2d 522, 523, 129 USPQ 348, 349 (CCPA 1961), if it is desirable for any reason to write it to a separate subsection, it would be obvious to do so. As a result, the use of 2 separate subsections is merely tangential to the abstract idea, and the Applicant’s argument is not persuasive.
	Furthermore, the monitoring is applied to a big data environment without any specific recitation of a big data environment feature that differentiates it from other environments; this merely indicates a field of use or technological environment in which to apply a judicial exception, does not amount to significantly more than the exception itself, and cannot integrate a judicial exception into a practical application (see MPEP 2106.05(h)). 
The monitoring is recited at a high level of generality, without the specific big data environment technology that is used to monitor it in specific steps or algorithms. In conclusion, the applicant’s arguments are fully considered. However, the arguments are not persuasive and the 101 rejection regarding the claims 1-10, and 13-15 for being directed to abstract ideas is maintained.
b. Regarding U.S.C § 103 rejections
	In the office action dated 02/15/2022, claims 1-4 and 7-9 were rejected under 35 U.S.C. 103 as being unpatentable over Farrell et al. (US 20150304167 A1, hereinafter Farrell) in view of Stackoverflow (NPL U: “Can a SQL trigger call a web service”, dated December 02, 2016, hereinafter Stackoverflow) and further in view of Judith S. Hurwitz and Alan Nugent and Fern Halper and Marcia Kaufman (NPL U page 2: “Unstructured Data in a Big Data Environment”, dated 03/26/2016, downloaded from the Internet URL: https://www.dummies.com/article/technology/information-technology/data-science/big-data/unstructured-data-in-a-big-data-environment-167370 on 02/09/2022, hereinafter Hurwitz); claim 5 was rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Stackoverflow and further in view of Hinrichs et al. (US 10592302 B1, hereinafter Hinrichs); claim 6 was rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Stackoverflow and further in view of JOSHI et al. (US 20140337974 A1, hereinafter Joshi); claim 10 was rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Stackoverflow and further in view of Mizuno et al. (US 7778193 B2, hereinafter Mizuno); claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Todd C et al. (NPL X: “Calling an api from sql server stored-procedure”, dated June 2017, hereinafter Todd) and further in view of JbcEdge (NPL W: MS SQL SERVER – Triggers, dated February 2018, p. 1-3, retrieved from the Internet URL: http://web.archive.org/web/20210401150706/https://jbcedge.com/2018/02/08/ms-sql-server-triggers/) and Hurwitz; claim 14 was rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Todd, JbcEdge, Hurwitz and further in view of Howard (US 20050021996 A1, hereinafter Howard); claim 15 was rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Todd, JbcEdge, Hurwitz and further in view of Arsenault et al. (US 20170257341 A1, hereinafter Arsenault); claim 16 was rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Todd, JbcEdge, Hurwitz and further in view of Grimm et al. (US 20190312887 A1, Grimm).
	At the top of page 5 of the Remarks, the Applicant argues, “Applicant reiterates the arguments from the previous response filed January 21, 2022”.
	Applicant’s arguments have been fully considered but they are not persuasive because they do not add any new argument that has not already been responded to and merely repeat arguments that have already been responded to (see MPEP 707.07(f) ¶7.37).
	Starting near the top of page 6, the Applicant argues, “Applicant respectfully submits that the combination of elements does not teach the species of amended claim 1, where "the first designated change in the machine-generated logs includes an addition of a new item in a first subsection of the machine-generated logs;" and "writing a first object to a second subsection of the data repository ... where the second subsection is different than the first subsection"”.
	The Examiner respectfully disagrees because the Applicant’s argument is not persuasive. Farrell teaches the monitoring of log data for a change in the machine-generated logs that includes an addition of a new item (see Farrell fig. 1 and ¶3, ¶19, ¶16, ¶39, ¶43), then performs a matching process (Farrell ¶30). When combined with the teaching of Stackoverflow, which teaches monitoring for an insertion into a table using a trigger (Stackoverflow top of page 1), then writing to a queue table using the trigger, which then performs additional tasks as a result of the insertion into the queue table, such as using a procedure call that performs a REST/JSON call and response (Stackoverflow page 3), the combination of Farrell in view of Stackoverflow teaches two separate subsections. Stackoverflow does not indicate the table where the first new row was inserted to be the same as the queue table.  
Furthermore, the separation of the two subsections is obvious. According to MPEP 2144.04 (V)(C) and In re Dulberg, 289 F.2d 522, 523, 129 USPQ 348, 349 (CCPA 1961), if it is desirable for any reason to write it to a separate subsection, it would be obvious to do so. The instant specification further confirms this in ¶25 by indicating that the same subsection can be used, without any specific reason why different subsections would provide an unexpected benefit or unexpected result (instant spec. ¶25, the object can be written to that subset of machine generated logs in the data repository or to a different subset of machine-generated logs in the data repository). In conclusion, the Applicant’s argument is not persuasive, and the prior art teaches the disputed limitation.
	The Applicant further argues starting near the bottom of page 5 of the Remarks, “while big data has more data than traditional data, there is a difference in how data is organized (not easily decipherable by humans) because it is dynamically organized instead of fixed, so traditional database search tools do not work in a big data environment. Thus, a traditional tool or traditional data structure does not translate into a big-data environment. As mentioned earlier, if a "proposed modification or combination of the prior art would change the principle of operation of the prior art invention being modified, then the teachings of the references are not sufficient to render the claims prima facie obvious. In other words, a reference may not be modified to Farrell is a traditional data environment (e.g., monitoring for echoes of a log file and writing them to memory). Therefore, Applicant respectfully submits that the structure of Farrell may not be modified to include a big-data environment, because to do so would change the principle of operation of Farrell (e.g., using traditional tools instead of big-data tools). 
See https://www.purestorage.com/knowledge/big-data/big-data-vs-traditional-data.html”
	The Examiner respectfully disagrees because the Applicant’s argument is not persuasive. The claim does not recite any specific feature of a big data environment related to the monitoring for which the monitoring of a general purpose database cannot be used. Furthermore, due to market forces, where there is more data, more real-time demand and data moving onto cloud computing, one of ordinary skill would find it obvious to adapt the monitoring to a big data environment with a high expectation of success when the recitation of the claim is at a high level of generality (no particular mechanism, steps or algorithm for monitoring that differentiates it from a general purpose database such that it cannot be performed the same way as one would perform it in a general purpose database), see MPEP 2142 (I) and Id. at 417, 82 USPQ2d at 1396.
	For the sake of argument, if the Applicant argues that the monitoring in a big data environment is non-obvious and not common knowledge, then the Applicant admits the claim fails the written description requirement of 112(a) because in the specification, the Applicant discloses that the monitoring is performed by a user setting an alert (¶21 of the instant spec.) and using embedding alerts (¶12 of the instant spec.). However, these are the desired outcome without specifics of how the alert is set in a big data environment or what the unconventional embedding alert is (¶12 of the instant spec.). The Applicant discloses that the embedding alert works by monitoring for a change in a database. Without admission from the Applicant that the claim violates 112(a) requirements regarding the monitoring step, the Examiner finds the steps obvious to one of ordinary skill in the art by using a trigger to monitor change as disclosed by the cited prior art.
	The Applicant fails to point out which claimed limitations are specific to a big data environment such that a person of ordinary skill cannot implement a predictable variation. 
 The article provided by the Applicant discloses big data characteristics as being big in volume/size, having a variety of structures, being generated quickly and processed in real time (velocity), and veracity (accuracy). However, the recited monitoring limitations are void of features that address or are bound by those characteristics.
	Furthermore, the Applicant fails to establish what Farrell’s principle of operation is. Farrell teaches multiple interconnected hosts, “Host devices may intercommunicate with one another to exchange information … watch data from many hosts” (Farrell column 3 lines 36-47). Farrell further indicates that the data can be both traditional or distributed in column 3 lines 48-67, “The system may operate in a distributed fashion, with individual hosts intercommunicating with one another, may utilize a centralized server, or may employ a combination of distributed and centralized topography”. As a result, Farrell’s teaching does not expressly or impliedly limit the scope of its teaching to a traditional database system as the Applicant argues. In conclusion, the Applicant’s argument is not persuasive and the prior art teaches the disputed limitations of the claimed invention.
	Near the middle of page 6, the Applicant further argues, “Further, the Examiner states that Farrell clearly teaches monitoring log files stored in memory. However, Farrell clearly states that the "log files" are "log file ... echoes" in paragraph 19 and in paragraph 16 Farrell states that the log files are echoed. The Examiner also states that the messages can be put in a datastore in paragraph 39. However, the messages are placed there, which are the echoed log files. Thus, there is no monitoring for an addition of an entry in Farrell, but instead the messages (e.g., the complete echo of the log file, not an addition to a log file) are stored in the datastore”.
	The Examiner respectfully disagrees.  
Farrell in ¶40 discloses the monitoring step, “monitors the communication port and/or echoes the log entries in order to detect the addition of the new network device”.  Farrell discloses the monitoring of echo log entries, not a complete echo of the log file.  Although Farrell discloses one way to monitor, when combined with the teaching of Stackoverflow, a monitoring can be performed using a trigger (page 1 and 3 of Stackoverflow).  As a result, the combination teaches the disputed limitation.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-10, and 13-15 are rejected under 35 U.S.C.101 because the claimed invention is directed to abstract ideas without significantly more.
	Step 1 Statutory Category:
		Claims 1-10, and 13-15 are directed to a process for performing an action within a machine-generated big data environment. The claims are directed to statutory categories.
		Claim 13 is directed to a process for verifying a device on a network. The claim is directed to statutory categories.
	Step 2A Prong 1 Judicial exception:
		The independent claims recite the following limitations which have been identified as reciting a Mental Process:
		Claim 1 recites “monitoring … a data repository … for a first designated change; … performing a first search; … monitoring … the data repository … for a second designated change; … performing a second search ….”.  Claim 13 recites “monitoring the data repository … searching … monitoring data repository …; determine if the identity of the new device is known … monitoring the data repository … determine if the identity of the new device is known”.  These steps are mental processes that an ordinary person of skill in the art at the effective filing date can perform with or without pen and paper.  Monitoring data and performing a search are merely basic human actions using observation, evaluation and determination applied on a general computer with generic hardware. As a result, the claim is an abstract idea.
		Step 2A Prong 2, additional elements that integrate into a practical application of the exception:
		Claim 1 further recites “by a big-data monitoring tool … in a big-data environment … wherein the first search is based on the first designated change in the machine-generated logs ... in a first subsection … where the data repository is stored in memory … creating and writing a first object to a second subsection of the data repository based on a result of the first search …  where the second subsection is different than the first subsection; … and performing a predetermined action”. The additional steps of creating and writing an object and performing an action are basic human actions performed on a general purpose computer. Claim 13 further recites “by a big-data monitoring tool … in a big-data environment …  where the data repository is stored in memory … where the event is an addition of a new item in a first subsection of the data repository … consolidating multiple system …; writing, if the identity of the new device is not present in the known-devices system log … and the locally-not-found object is written to a second subsection of the data repository; retrieving … the identity of the new device ..; invoking … an external script that uses an application programming interface (API) of an external application …; writing… an externally-not-known object …; and performing a predetermined action”. The big-data monitoring tool and big-data environment limitations are merely a field of use. Linking the use of the judicial exception to a particular technological environment or field of use does not meaningfully limit the claim because generic computer functions can perform all the steps recited in the claim, and executing an abstract idea, even when limiting the use of the idea to one particular environment, does not improve the technology. See MPEP 2106.05(h). These other limitations are insignificant extra solution activities. See MPEP 2106.05(b)(I).  
They’re merely activities for collecting, retrieving, sending data or simply an activity to perform some action. Calling an API within a script is not new in the art. In the era of networking and collaboration, almost all remote services are defined with an API for clients to call. The first subsection and second subsection used for storing data are arbitrary and tangential to the abstract ideas, as this is not significant and does not provide an unexpected result, which is shown in the instant specification (¶25) in that the claimed invention would work as well whether the two subsections are the same or different. Also, per MPEP 2144.04 (V)(C) and In re Dulberg, 289 F.2d 522, 523, 129 USPQ 348, 349 (CCPA 1961), if it is desirable for any reason to write it to a separate subsection, it would be obvious to do so. As a result, a person of ordinary skill in the art would know the technology to interface with these remote services, or the information is readily available for reference purposes to communicate with these external services. The extra elements do not improve existing technology. When taken individually or viewed as an ordered combination, the claims as a whole do not amount to significantly more than the abstract idea.
	Step 2B significantly more:
		Claim 1 recites “creating and writing a first object to a second subsection of the data repository based on a result of the first search, where the second subsection is different than the first subsection; … and performing a predetermined action”. The additional steps of creating and writing an object and performing an action are basic human actions performed on a general purpose computer. Claim 13 recites “consolidating multiple system … where the data repository is stored in memory; writing, if the identity of the new device is not present in the known-devices system log … ; monitoring … where the event is an addition of a new item in a first subsection of the data repository; retrieving … the identity of the new device ..; invoking … an external script that uses an application programming interface (API) of an external application …; writing… an externally-not-known object … and the locally-not-found object is written to a second subsection of the data repository;  and performing a predetermined action”. These are routine actions performed by an ordinary person skilled in the art. Adding a record so it can be read later, or so that a database trigger can be generated, are common actions in the art. Claims 1 and 13 recite limitations that relate to the big-data monitoring tool and big-data environment, which are merely a field of use. Linking the use of the judicial exception to a particular technological environment or field of use does not meaningfully limit the claim because generic computer functions can perform all the steps recited in the claim, and executing an abstract idea, even when limiting the use of the idea to one particular environment, is not significantly more. The use of two different subsections is tangential (see discussion above) and is not significantly more than abstract ideas. See MPEP 2106.05(h).   
When taken individually or viewed as an ordered combination, the claims as a whole do not amount to significantly more than the abstract idea.
	As a result, the independent claims 1 and 13 remain abstract ideas.

	Regarding dependent claim 2, the claim recites “… writing the first object including a parameter ....”.  Write a record of data with all relevant data for future use is not significantly more than judicial exception.  It does not improve existing technology so it does not integrate the judicial exception into a practical application.  The claim is an abstract idea.

	Regarding dependent claim 3, the claim recites “… performing the second search using the parameter ...”.  Performing a search using a parameter such as a keyword is a common action of an ordinary person skilled in the art applied on a conventional computer with conventional hardware.  It is not significantly more than judicial exception.  It does not improve existing technology so it does not integrate the judicial exception into a practical application.  The claim is an abstract idea.
	
	Regarding dependent claim 4, the claim recites “… performing the predetermined action using the parameter of the object written to the data repository”.  Passing data to a function or action for execution is not new and is a common idea in the art where it can be found in early computers with command line interface (command line arguments).  It is not significantly more than judicial exception.  It does not improve existing technology so it does not integrate the judicial exception into a practical application.  The claim is an abstract idea.

	Regarding dependent claim 5, the claim recites “… creating and writing a JavaScript Object Notation (JSON) object to the data repository”.  Using one format versus another format to store data is not new.  It is merely an implementation choice.  Furthermore, JSON is a well-known standard, created by a standard body to help people to use it.  As a result, it’s well used and well publicized in the art.  As a result, it is not significantly more than judicial exception.  It does not improve existing technology so it does not integrate the judicial exception into a practical application.  The claim is an abstract idea.

	Regarding dependent claim 6, the claim recites “… monitoring an unstructured data repository of machine-generated logs”.  Log data that are unstructured are common data.  Without specific details of how the data is parsed, or the novelty feature of parsing the data, it can be simply pattern matching or string matching, which is a basic action of search applied on a general purpose computer with generic hardware.  As a result, it is not significantly more than judicial exception.  It does not improve existing technology so it does not integrate the judicial exception into a practical application.  The claim is an abstract idea.

	Regarding dependent claim 7, the claim recites “… creating and writing the object to a selected subset of the machine- generated logs”.  Selecting a place to write data is arbitrary without specific structure.  Furthermore, organized data is a basic human activity that can be performed by an ordinary person skilled in the art that is applied on a general computer using generic hardware.  As a result, it is not significantly more than judicial exception.  It does not improve existing technology so it does not integrate the judicial exception into a practical application.  The claim is an abstract idea.
	
	Regarding dependent claim 8, the claim recites “invoking an external script”.  The mechanism for invoking an external script is provided by an operating system and/or the database system being used.  As a result, it’s a well-known, already implemented and publicly documented idea in the art.  Making use of it or within the context of a database trigger is not new or any more special than making use of it in other computing environment.  As a result, it is not significantly more than judicial exception.  It does not improve existing technology so it does not integrate the judicial exception into a practical application.  The claim is an abstract idea.

	Regarding dependent claim 9, the claim recites “… invoking the external script to make a call on an application programming interface to retrieve data from an external program”.  Retrieving data is a basic human action applying on a general purpose computer using generic hardware.  Using a script to perform the action is common action performed by an ordinary skilled person in the art.  As a result, it is not significantly more than judicial exception.  It does not improve existing technology so it does not integrate the judicial exception into a practical application.  The claim is an abstract idea.

	Regarding dependent claim 10, the claim recites “… displaying the object written to the data repository based on results of the first search”.  This is an insignificant extra solution activity, see MPEP 2106.05(b)(I) .  As a result, it is not significantly more than judicial exception.  It does not improve existing technology so it does not integrate the judicial exception into a practical application.  The claim is an abstract idea.
	Regarding dependent claims 14 and 15, the claims recite “performing a predetermined action based on the externally-not-known object comprises sending an alert to a security team” and “performing a predetermined action based on the externally-not-known object comprises creating a work order to vet the new device”.  These are insignificant post solution activities.  Sending an alert or creating a work order are commonly performed by a person of ordinary skill in the art.  When considered individually or in an ordered combination, the claims as a whole do not improve on existing technology nor are significantly more than abstract ideas.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4 and 7-9 are rejected under 35 U.S.C. 103 as being unpatentable over Farrell et al. (US 20150304167 A1, hereinafter Farrell) in view of Stackoverflow (NPL U: “Can a SQL trigger call a web service”, dated December 02, 2016, hereinafter Stackoverflow) and further in view of Judith S. Hurwitz and Alan Nugent and Fern Halper and Marcia Kaufman (NPL U page 2: “Unstructured Data in a Big Data Environment”, dated 03/26/2016, downloaded from the Internet URL: https://www.dummies.com/article/technology/information-technology/data-science/big-data/unstructured-data-in-a-big-data-environment-167370 on 02/09/2022, hereinafter Hurwitz).
	Regarding claim 1, Farrell teaches a process for performing an action within a machine-generated big data environment, the process comprising:	monitoring, with a first alert  wherein the first designated change in the machine-generated logs includes an addition of a new item in a first subsection of the machine-generated logs, where the data repository is stored in memory ([Examiner note: the crossed over text is discussed below]; Farrell Fig. 1: 
[Figure: Farrell Fig. 1]
; Farrell [0003], … A discovery system receives the each classified message and detects, based on the each received classified message, a new network device added to the one or more networks and detects one or more configuration changes made on the one or more network devices; Farrell [0039] One or more datastores (e.g., a datastore 650 shown in FIGS. 5-7) store the one or more messages, which are intercepted by the classifier, according to corresponding message groups; Farrell [0019], At 100 in FIG. 1, the one or more network devices communicate each other … The one or more messages include, but are not limited to: … (6) log files (e.g., log files 615 shown in FIGS. 5-6) echoed from the one or more network devices; Farrell [0021] Returning to FIG. 1, at 110, a classifier (e.g., a classifier 630 shown in FIG. 5) intercepts the one or more messages associated with the one or more network devices; Farrell [0043], memory device 370-378 [Examiner remark: one of ordinary skill in the art would find it obvious to implement datastore 650 in memory of any of the devices 370-378]; Farrell [0016], … the discovery system monitors the communication port and/or echoes the log entries in order to detect the addition of the new network device and/or the configuration changes. For example, a communication port of the discovery system may receive a message whose header indicates a new mail server whose web address is not listed on a list of current existing network device stored in the discovery system; [Examiner remark: the log file, of the log files 615, that the message comes from corresponds to the first subsection]);
	performing, ([Examiner note: the crossed over text is discussed below]), a first search within the data repository, wherein the first search is based on the first designated change in the machine-generated logs (Farrell [0030], At 230, if the classifier determines that the sender and the receiver of the intercepted message match a layer whose senders' IP address list includes the identification of the sender; Farrell ¶39, (“One or more datastores (e.g., a datastore 650 shown in FIGS. 5-7) store the one or more messages”); [Examiner note: the sender is associated with the intercepted message, the first search is based on the sender and as a result, the first search is based on the intercepted message, which corresponds to the first designated change]);
	creating and writing a first object to a second subsection of the data repository based on a result of the first search, where the second subsection is different than the first subsection (Farrell [0033], At 270, if the classifier determines that the sender, the receiver or the content of the intercepted message does not match any layer, i.e., there is no match between the IP address of the sender of the message and an IP address listed on the senders' IP address list of each layer … then the classifier inserts a time stamp, which indicate a time period taken to process the intercepted message by the classifier, into the intercepted message. ... after inserting the time stamp into the intercepted message, the classifier places the intercepted message with the inserted time stamp in a pending table; [Examiner note: the database housing the pending table corresponds to the data repository; the pending table corresponds to the second subsection; since the pending table is not restricted to be the same as the log file the message belongs to, and there are many log files, the pending table is different from the log file the message belongs to when the message is from other log files that are not the pending table, since Farrell discloses the monitoring of all log files. Furthermore, the instant specification, ¶25, discloses “the object can be written to that subset of machine generated logs in the data repository or to a different subset of machine-generated logs in the data repository”; the instant specification does not indicate how one subset is different from another, or any reason or benefit when the two subsections are different.  It would not be apparent to one of ordinary skill in the art how writing to a different subsection would be significant or unexpected. See also MPEP 2144.04 (IV)(A) and 2144.04 (IV)(B), In re Dulberg, 289 F.2d 522, 523, 129 USPQ 348, 349 (CCPA 1961), if it were considered desirable for any reason to write the object to a different subsection than the first subsection, it would be obvious to write to a different subsection for that purpose.  Furthermore, this limitation is further taught by Stackoverflow below]);
	the second designated change in the machine-generated logs corresponds to the first object and includes an addition of the first object to the data repository (Farrell [0033], At 270, if the classifier determines that the sender, the receiver or the content of the intercepted message does not match any layer, i.e., there is no match between the IP address of the sender of the message and an IP address listed on the senders' IP address list of each layer … then the classifier inserts a time stamp, which indicate a time period taken to process the intercepted message by the classifier, into the intercepted message. ... after inserting the time stamp into the intercepted message, the classifier places the intercepted message with the inserted time stamp in a pending table);
	performing a second search within the data repository based on the second designated change in the machine-generated logs (Farrell [0016], … the discovery system may receive a message whose header indicates a new mail server whose web address is not listed on a list of current existing network device stored in the discovery system; Farrell [0033], after inserting the time stamp into the intercepted message, the classifier places the intercepted message with the inserted time stamp in a pending table; Farrell [0034], … the classifier searches the pending table in order to find a match between the inserted time stamp and a pre-determined elapsed time set in a pending table entry … [Examiner note: places the intercepted message with the inserted time stamp corresponds to the second designated change]); and
	performing a predetermined action based on the second search (Farrell [0034], … upon finding the match, the classifier sends the intercepted message to a router that forwards the intercepted message to a network domain that corresponds to the found match.).
	Although Farrell teaches the limitations of the claim 1 (see discussion above), Farrell does not teach: 	monitoring, with a second alert by the big-data monitoring tool, the data repository of machine-generated logs for a second designated change in the machine-generated logs, wherein the second designated change in the machine-generated logs corresponds to the first object, and includes an addition of the first object to the data repository.
		Stackoverflow teaches using a trigger based on data insertion of a new row into a table to perform an action (call a web service using data from that insert) and also insert another record into a queue table (Stackoverflow, top of page 1: When a user "checks-in" [Inserts new row into a table] I want to then take data from that insert and call a web service; page 3, used a trigger to insert a record in a Queue table, then a Stored procedure using a cursor to pull Queued entries off; [Examiner note: Stackoverflow teaches using a trigger to monitor the record insertion, then using the trigger to insert another record in a queue table.  Farrell also teaches inserting data into a pending table.  Stackoverflow teaches that a trigger is used to monitor an insertion of a row into a table, and further teaches the use of the trigger to insert another record into a queue table (that is to be processed, see page 3).  Processing of the queue table’s new record can be done using a trigger as disclosed on page 1 or using a stored procedure as disclosed on page 3.  It is merely one of the two options that Stackoverflow discloses, and using either would work; the queue table is different from the table where the new row is inserted]).
		It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Stackoverflow, which teaches performing a business logic step by inserting a record into a database pending table and then using a trigger to monitor for the change to process the data, into the teaching of Farrell to result in the claimed limitations:
		monitoring, with a second alert ([Examiner note: the crossed over text is discussed below]), the data repository of machine-generated logs for a second designated change in the machine-generated logs, wherein the second designated change in the machine-generated logs corresponds to the first object and includes an addition of the first object to the data repository (Stackoverflow, top of page 3, … used a trigger to insert a record in a Queue table [Examiner note: by using the trigger taught by Stackoverflow to monitor the pending table taught by Farrell, a new record inserted, which is taught by Farrell, would execute the trigger.  All tables are inside the discovery system’s database taught by Farrell discussed above, which corresponds to the data repository. An insertion of a record into the pending table corresponds to the second designated change.]; Farrell [0033], after inserting the time stamp into the intercepted message, the classifier places the intercepted message with the inserted time stamp in a pending table; [Examiner note: the intercepted message and the time stamp correspond to the first object]).
	One of ordinary skill in the art would be motivated to do so as the method is readily available in most database systems; it is quick to implement and run; and it works reliably (Stackoverflow page 3).  Using the trigger as one of the two options (stored procedure or trigger) to process an inserted record would be obvious to try, choosing from a finite number of identified, predictable solutions (stored procedure or trigger) with reasonable prediction of success.
	The combination of Farrell in view of Stackoverflow teaches the aforementioned limitations of the claim including machine generated logs stored in datastores and using triggers to monitor and process data.  However, the combination does not disclose the performing and monitoring steps are done by a big-data monitoring tool, and a data repository of machine-generated logs in a big-data environment.
	On the other hand, Hurwitz teaches a data repository in a big-data environment (Unstructured data is data that does not follow a specified format for big data. If 20 percent of the data available to enterprises is structured data, the other 80 percent is unstructured, vendors are scaling out their solutions to handle large volumes of unstructured data, new technologies are also evolving to help support unstructured data and the analysis of unstructured data, some of these support both structured and unstructured data. Some support real-time streams) and a big-data monitoring tool (monitor Twitter feeds that can then programmatically trigger a CMS search).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Hurwitz, which teaches the storing of unstructured and structured data in a big-data environment using a monitoring tool and a programmatic trigger, based on a Twitter feed, that further performs a search, into the teaching of Farrell in view of Stackoverflow to result in the claimed limitations.
	One of ordinary skill in the art would be motivated to do so as incorporating Hurwitz’s teaching would help support organizations in dealing with the growth and large scale of data and provide real-time response to events. In addition, both of the references (Hurwitz and Farrell in view of Stackoverflow) teach features that are directed to analogous art, such as storing data in a data store, monitoring data and triggering a search. This close relation between both of the references highly suggests an expectation of success when combined.
	Regarding claim 2, Farrell in view of Stackoverflow teaches the process of claim 1, wherein creating and writing a first object to the data repository comprises writing the first object including a parameter for the second search to the data repository (Farrell [0033], … then the classifier inserts a time stamp, which indicate a time period taken to process the intercepted message by the classifier, into the intercepted message. ... after inserting the time stamp into the intercepted message, the classifier places the intercepted message with the inserted time stamp in a pending table; Farrell [0034], … the classifier searches the pending table in order to find a match between the inserted time stamp and a pre-determined elapsed time set in a pending table entry; [Examiner note: the intercepted message and the time stamp corresponds to the parameter for the second search]).
	
	Regarding claim 3, Farrell in view of Stackoverflow teaches the process of claim 2, wherein performing a second search within the data repository comprises performing the second search using the parameter of the object written to the data repository (Farrell [0034], … the classifier searches the pending table in order to find a match between the inserted time stamp and a pre-determined elapsed time set in a pending table entry;).

	Regarding claim 4, Farrell in view of Stackoverflow teaches the process of claim 3, wherein performing a predetermined action based on the second search comprises performing the predetermined action using the parameter of the object written to the data repository (Farrell [0034], … upon finding no match, the classifier creates a table entry, in the pending table, which represents the intercepted message …. The created table entry may include the inserted time stamp of the intercepted message; Farrell [0035] The router sends the intercepted message to a network domain which corresponds to the found match at 410).

	Regarding claim 7, Farrell in view of Stackoverflow teaches the process of claim 1, wherein creating and writing a first object to the data repository comprises creating and writing the object to a selected subset of the machine-generated logs (Farrell [0033], … then the classifier inserts a time stamp, which indicate a time period taken to process the intercepted message by the classifier, into the intercepted message. ... after inserting the time stamp into the intercepted message, the classifier places the intercepted message with the inserted time stamp in a pending table; [Examiner note: the pending table is inside the database in the discovery system taught by Farrell.  The pending table corresponds to the selected subset of the machine-generated logs.  Please also note that writing the object to the selected subset of the machine-generated logs is an arbitrary limitation that depends on a choice of implementation, since although it’s convenient to write to a local database of the local system, the data can be written anywhere that it can be later retrieved.  The instant application specification does not indicate how writing in one location is better than writing at a different location.  As a result, this limitation is an insignificant extra solution activity that, implemented one way or another, would still produce the same expected result]).

	Regarding claim 8, Farrell in view of Stackoverflow teaches the process of claim 1, wherein performing a predetermined action comprises invoking an external script (Stackoverflow, top of page 3: used a trigger to insert a record in a Queue table, then a Stored procedure using a cursor to pull Queued entries off … the Stored Procedure calls XP_CMDShell calling a .bat file with parameters [Examiner note: the .bat file corresponds to an external script]).
	
	Regarding claim 9, Farrell in view of Stackoverflow teaches the process of claim 8, wherein invoking an external script comprises invoking the external script to make a call on an application programming interface to retrieve data from an external program (Stackoverflow bottom of page 3: The bat file calls cURL which manages the REST/JSON call and response).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Stackoverflow and further in view of Hinrichs et al. (US 10592302 B1, hereinafter Hinrichs).
	Regarding claim 5, Farrell in view of Stackoverflow teaches the process of claim 1.
		However Farrell in view of Stackoverflow does not explicitly teach creating and writing a first object to the data repository comprises creating and writing a JavaScript Object Notation (JSON) object to the data repository.
 		Hinrichs teaches creating and writing a first object to the data repository comprises creating and writing a JavaScript Object Notation (JSON) object to the data repository ([Examiner note: the format of the data being JSON written to a data repository is an insignificant extra solution activity.  Whether the data is written in one format or another does not change the result of the claimed invention.  The instant specification also indicated any desired format can be used (instant specification paragraph [0024] “At 206, a first object is created and written to the data repository … the object may be in any desired format (e.g., JavaScript Object Notation (JSON), Python, etc.)).  For the purpose of compact prosecution, the examiner further uses prior art to reject the claimed limitation].  Hinrichs: col. 26, lines 26-31: … This database can persist both policies and any data the policies need in their evaluation. … the database saves policies as plain source code, while storing the parameter data as JSON documents. Hinrichs col. 26, lines 60-67, col. 27, lines 1-2: … to retrieve and properly format the parameters for consumption … transforming the collected parameter data from its native format into a structured document (e.g., a JSON document) for storing in the database 1035 ...).
		It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Hinrichs, which stores parameter in JSON format for later use in a database table, into the combined teachings of Farrell and Stackoverflow to result in the limitations of the claimed invention.
		One of ordinary skill in the art would be motivated to do so as using Hinrichs’ teaching allows data to be stored without depending on the programming language being used, gives the data a structured format and helps the data to be readable to humans (Hinrichs col. 2, lines 26-37).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Stackoverflow and further in view of JOSHI et al. (US 20140337974 A1, hereinafter Joshi).
	Regarding claim 6, Farrell in view of Stackoverflow teaches the process of claim 1.
		However, Farrell in view of Stackoverflow does not teach wherein monitoring a data repository of machine-generated logs comprises monitoring an unstructured data repository of machine-generated logs.
		Joshi teaches monitoring a data repository of machine-generated logs comprises monitoring an unstructured data repository of machine-generated logs (Joshi [0022], … a method of detecting a potential cyber threat or attack, comprising receiving data from at least two data sources, extracting information from the received data, asserting the information extracted using an ontology, accumulating the asserted information and determining if a cyber threat or attack is present based on the received data ...; Joshi [0043], However, these resources also contain unstructured text data in which important information could be embedded …; Joshi [0045], After analyzing the data from these sensors, the information extracted is added to a knowledge base; Joshi [0075], The reasoning logic module 110B found the annots.api dll being executed at the host via the logs received from the IBM … The log also pointed out the product using this service, i.e., Adobe Acrobat Reader.RTM.. The unstructured text data from the Juniper Networks.RTM. link [21] also comprised of `annots.api` in the text.)
		It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Joshi, which teaches an intrusion detection system that monitors unstructured text in data sources, into the combined teachings of Farrell and Stackoverflow to result in the limitations of the claimed invention.
		One of ordinary skill in the art would be motivated to do so as using Joshi’s teaching can help provide important information for detecting a new network device (Joshi [0043]).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Stackoverflow and further in view of Mizuno et al. (US 7778193 B2, hereinafter Mizuno).
	Regarding claim 10, Farrell in view of Stackoverflow teaches the process of claim 1.
		However, Farrell in view of Stackoverflow does not teach displaying the object written to the data repository based on results of the first search.
		Mizuno teaches displaying the object written to the data repository based on results of the first search (Mizuno col. 11 lines 16-19: As shown in FIG. 11, the device detection part 103 is connected to the internal network interface 108. The device detection part 103 monitors packets in the residential network NW1 and, when it detects a device not yet registered, makes an enquiry to the user about whether to register the device; Mizuno col. 11 lines 24-34: The device detection part 103 monitors packets in the residential network NW1 … found a packet having an address other than a device IP address allocated to a device to which the home gateway apparatus 100 is already connected (Step S302), searches the settings information files in the database 101 for a corresponding device, on the basis of a device IP address and a device external IP address estimated to correspond, and, if nothing is found, returns to Step S301 to resume the monitoring of packets (Step S303). In case devices were found, it saves the list of all devices found for future convenience (Step S305); Mizuno col. 13 lines 34-42: … a request based on UPnP from the device to be registered, the device information is collected from the device to be connected by UPnP negotiation in Step S121 of FIG. 17. Next, it is determined whether there is a device name and there is product information in the collected device information (Step S122), and if there is not, the process comes to an end by making an error response in Step S129; Mizuno Claim 13: … detecting a new packet emitted from a new device and possessing a device IP address other than registered device IP addresses allocated to devices already registered in said residential network, and a display means displaying that the new device is present as being not yet successful in connection settings.).
		It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Mizuno, which teaches displaying a new device when the device is not found in an existing device list, into the combined teachings of Farrell and Stackoverflow to result in the limitations of the claimed invention.
		One of ordinary skill in the art would be motivated to do so as both Mizuno and Farrell teach new device detection against an existing device list, and incorporating Mizuno’s teaching would optimize system performance (Mizuno col. 11 lines 33-34).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Todd C et al. (NPL X: “Calling an api from sql server stored-procedure”, dated June 2017, downloaded from the Internet, URL: http://web.archive.org/web/20210318151212/https://stackoverflow.com/questions/22067593/calling-an-api-from-sql-server-stored-procedure/35733163 , hereinafter Todd) and further in view of JbcEdge (NPL W: MS SQL SERVER – Triggers, dated February 2018, p. 1-3, retrieved from the Internet URL: http://web.archive.org/web/20210401150706/https://jbcedge.com/2018/02/08/ms-sql-server-triggers/) and Hurwitz.
	Regarding claim 13, Farrell teaches a process for verifying a device on a network, the process comprising:
		consolidating multiple system logs into a known-devices system log in a data repository discovery system receives the each classified message and detects, based on the each received classified message, a new network device added to the one or more networks and detects one or more configuration changes made on the one or more network devices; Farrell [0019] At 100 in FIG. 1, the one or more network devices communicate each other … The one or more messages include, but are not limited to: … (6) log files (e.g., log files 615 shown in FIGS. 5-6) echoed from the one or more network devices; Farrell [0039], One or more datastores (e.g., a datastore 650 shown in FIGS. 5-7) store the one or more messages, which are intercepted by the classifier, according to corresponding message groups. The verifiers and the discovery systems in different network domains may share the one or more datastores);
		monitoring the data repository for an event that signifies a new device has accessed a network, where the event is an addition of a new item in a first subsection of the data repository; ([Examiner note: the crossed over text is discussed below]; Farrell Fig. 1: 
[Figure: Farrell Fig. 1]
; Farrell [0019], At 100 in FIG. 1, the one or more network devices communicate each other … The one or more messages include, but are not limited to: … (6) log files (e.g., log files 615 shown in FIGS. 5-6) echoed from the one or more network devices; Farrell [0016], … the discovery system monitors the communication port and/or echoes the log entries in order to detect the addition of the new network device and/or the configuration changes. For example, a communication port of the discovery system may receive a message whose header indicates a new mail server whose web address is not listed on a list of current existing network device stored in the discovery system; Farrell [0040] … a discovery of a new network device and/or configuration changes made on existing network device(s) is run, e.g., by a discovery system (i.e., a system running method steps shown in FIG. 8) as a job during off hours (e.g., computing resources in a corresponding company are not used). Alternatively, the discovery of the new network device and the configuration changes are performed, e.g., by the discovery system, in real-time as the new network device is added to a corresponding network(s) and/or as the configuration changes are made on one or more existing network device(s). The discovery system may run the discovery daily, weekly, and sometimes monthly.);
		searching, if the event that signifies a new device has accessed a network occurs, the known-devices system log to determine if an identity of the new device is present in the known-devices system log (Farrell [0033] At 270, if the classifier determines that the sender, the receiver or the content of the intercepted message does not match any layer, i.e., there is no match between the IP address of the sender of the message and an IP address listed on the senders' IP address list; Farrell [0038] … In order to identify the new IP address, the verifier may retrieve a previous configuration file(s), which is(are) stored in a database associated with the one or more network devices);
		writing, if the identity of the new device is not present in the known-devices system log, a locally-not-found object to the data repository, wherein the object includes the identity of the new device, ([Examiner remark: the crossed over text is disclosed by Stackoverflow below]; Farrell [0033] At 270, if the classifier determines that the sender …  there is no match between the IP address of the sender of the message and an IP address listed on the senders' IP address list of each layer … then the classifier inserts a time stamp, which indicate a time period taken to process the intercepted message by the classifier, into the intercepted message. ... after inserting the time stamp into the intercepted message, the classifier places the intercepted message with the inserted time stamp in a pending table; [Examiner note: the database housing the pending table corresponds to the data repository]);
		searching the data repository for the locally-not-found object ([Examiner note: the crossed over text is addressed below]; Farrell [0034] … the classifier searches the pending table in order to find a match between the inserted time stamp and a pre-determined elapsed time set in a pending table entry [Examiner note: Farrell teaches searching the pending table, but Farrell does not explicitly disclose monitoring the table, which is discussed below]);
		retrieving, if the locally-not-found object is added to the data repository, the identity of the new device from the locally-not-found object (Farrell [0027] Upon intercepting the one or more messages, …  based on header information of the one or more messages. … the classifier evaluates whether the sender … each message match a layer which includes an identification (e.g., an IP (Internet Protocol) address) of the sender; Farrell [0033] … places the intercepted message with the inserted time stamp in a pending table … ; Farrell [0034], … the classifier searches the pending table in order to find a match between the inserted time stamp and a pre-determined elapsed time set in a pending table entry. At 410, upon finding the match, the classifier sends the intercepted message to a router [Examiner note: Farrell discloses the message header contains an identification/IP address of the sender.  Farrell further discloses when finding a match in the pending table, the intercepted message is sent to a router.  As a result, the intercepted message is obtained, which has the identification of the sender, which corresponds to the new device]);
		 (Farrell [0035], At 420 in FIG. 4, if the classifier finds no match at 410 in FIG. 4, at 200 in FIG. 2, at 220 in FIG. 2, at 240 in FIG. 2 and at 260 in FIG. 2, the classifier sends the intercepted message to all network domains known to the classifier. Farrell [0036] Each network domain may include one or more discovery systems (e.g., a discovery system 640 shown in FIGS. 5-7). A discovery system receives a classified message(s) (i.e., the one or more messages classified by the classifier) and detects, based on the classified message, a new network device added to the one or more networks and detects one or more configuration changes made on the one or more network devices. Farrell [0037] ... the verifier may query the one or more network devices (e.g., send a verification query to the one or more network device as shown in 625 in FIGS. 5-7; Farrell Fig. 6: 
[Figure: Farrell Fig. 6]
Farrell [0038], … In order to identify the new IP address, the verifier may retrieve a previous configuration file(s), which is(are) stored in a database associated with the one or more network devices … The difference may include the new IP address corresponding to the addition of the new network device.).);
		writing, if the identity of the new device is not known to the external application, an Farrell [0033], after inserting the time stamp into the intercepted message, the classifier places the intercepted message with the inserted time stamp in a pending table; [Examiner note: Farrell teaches the process of writing a record to a table when the device is not found locally.  Farrell does not explicitly teach the same process of writing a record to a table after searching externally for the device. Farrell teaches that the verifier both searches locally and queries the network devices for the new device, and also records the result to a pending table.  Furthermore, the writing of result to a table for further processing is discussed below]);
		performing a predetermined action based on the externally-not-known object (Farrell [0037], … Based on answers to the queries received from the one or more network devices and/or the datastore, the verifier may determine that a new configuration or a new service is enabled on the one or more network devices [Examiner note: determine that a new configuration is enabled corresponds to the performing a predetermined action]).
		Although Farrell teaches the limitations of the claimed invention (see above discussion), Farrell does not explicitly teach ([Examiner remark: the bold text is not explicitly disclosed by Farrell])
			monitoring data repository for the locally-not-found object;
			writing, a locally-not-found object to the data repository, and the locally-not-found object is written to a second subsection of the data repository;
			invoking an external script that uses an application programming interface (API) of an external application to determine if the identity of the new device is known to the external application;
			writing, if the identity of the new device is not known to the external application, an externally
		Todd teaches monitoring data repository for the locally-not-found object (Todd top of page 2: built a trigger that queued the DB events [Examiner note: the trigger would monitor the pending table taught by Farrell]);
			writing, [object to be processed due to trigger event] to a second subsection of the data repository (Todd starting near bottom of page 6 to page 7, needed to call the API when a database event occurred, DB insert matching the API call ca[[u]]se triggers write to Queue table);
			invoking an external script that uses an application programming interface (API) of an external application to determine if the identity of the new device is known to the external application (Todd middle of page 2: cURL allowed me to send the API calls to a local manager from anywhere [Examiner note: the limitation is disclosed by using Todd’s teaching using an external script to call an API to perform query of network devices for verifying new device taught by Farrell]);
			writing, if the identity of the new device is not known to the external application, an externally (Todd middle of page 2: API call Stored procedure run every 5 seconds runs Cursor to pull each Queue table entry, send the XP_CMDShell call to the bat file with parameters Bat file contains Curl call with parameters inserted sending output to logs [Examiner note: writing the output to a log from the external call to determine if the device is new from an external system means the result for both found and not found would be written.  As a result, when the device is not found, the result would be written]);
		It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Todd, which use a queue table and trigger to call an external script to call an API, into the teaching of Farrell to result in the limitations:
			monitoring data repository for the locally-not-found object;
			writing, if the identity of the new device is not present in the known-devices system log, a locally-not-found object to the data repository, wherein the object includes the identity of the new device, and the locally-not-found object is written to a second subsection of the data repository;
			invoking, if the locally-not-found object is added to the data repository, an external script that uses an application programming interface (API) of an external application to determine if the identity of the new device is known to the external application;
			writing, if the identity of the new device is not known to the external application, an externally-not-known object to the data repository;
		One of ordinary skill would be motivated to do so as both Todd and Stackoverflow teach monitoring a database table to perform work in response to an event using a database trigger and using an external script to perform an action; incorporating Todd’s teaching helps get a solution to work quickly within time constraint (Todd, bottom of page 2).
		Although Farrell in view of Todd teaches the limitations of the claimed invention (see discussion above), Farrell in view of Todd does not explicitly teach monitoring the data repository for the externally-not-known object.
		JbcEdge teaches monitoring the data repository for the externally-not-known object (JbcEdge, middle of page 1: CREATE TRIGGER …; JbcEdge middle of page 2: Triggers can be nested that is trigger on TableA updates Table B then TableB trigger updates TableC and so on; Farrell [0034], … classifier creates a table entry, in the pending table … [Examiner note: the creating of a trigger taught by JbcEdge to monitor the output log table taught by Todd would cause the trigger to monitor the data repository for the externally-not-known object; the output log table taught by Todd corresponds to the data repository for the externally-not-known object.  JbcEdge teaches using nested triggers to perform sequential data monitoring and triggering.  As a result, using JbcEdge’s teaching to add a nested trigger to the trigger taught by Todd, the output log taught by Todd would be monitored by another trigger]).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of JbcEdge, which teaches to search a new device using a local or an external database into the combined teachings of Farrell and Todd to result in the limitations of the claimed invention.
	One of ordinary skill would be motivated to do so as both Todd and JbcEdge teach using triggers to monitor and perform actions based on a database table; furthermore, incorporating JbcEdge’s teaching would help keep a modular implementation of separate business requirements while the tool is readily available (JbcEdge bottom of page 1; JbcEdge middle of page 2).
	The combination of Farrell in view of Todd and JbcEdge teaches the aforementioned limitations of the claim including a data repository and using triggers to monitor and process data.  However, the combination does not explicitly disclose the monitoring steps are done by a big-data monitoring tool, and the data repository in a big-data environment.
	On the other hand, Hurwitz teaches a data repository in a big-data environment (Unstructured data is data that does not follow a specified format for big data. If 20 percent of the data available to enterprises is structured data, the other 80 percent is unstructured, vendors are scaling out their solutions to handle large volumes of unstructured data, new technologies are also evolving to help support unstructured data and the analysis of unstructured data, some of these support both structured and unstructured data. Some support real-time streams) and a big-data monitoring tool (monitor Twitter feeds that can then programmatically trigger a CMS search).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Hurwitz, which teaches the storing of unstructured and structured data in a big-data environment using a monitoring tool and a programmatic trigger based on a Twitter feed that further performs a search, into the teaching of Farrell in view of Todd and JbcEdge to result in the claimed limitations.
	One of ordinary skill would be motivated to do so as incorporating Hurwitz’s teaching would help support an organization in dealing with growth and large scale of data and provide real-time response to events. In addition, both of the references (Hurwitz and Farrell in view of Todd and JbcEdge) teach features that are directed to analogous art, such as storing data in a data store, monitoring data and triggering a search. This close relation between both of the references highly suggests an expectation of success when combined.
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Todd, JbcEdge, Hurwitz and further in view of Howard (US 20050021996 A1, hereinafter Howard).
	Regarding claim 14, Farrell in view of Todd, JbcEdge, Hurwitz teaches the process of claim 13, wherein performing a predetermined action based on the externally-not-known object comprises sending an alert Based on answers to the queries received from the one or more network devices and/or the datastore, the verifier may determine that a new configuration or a new service is enabled on the one or more network devices, in a communication network, the EMS may issue the one or more messages).
	The combination of Farrell in view of Todd, JbcEdge, Hurwitz discloses the sending of messages but the combination does not explicitly disclose sending the message to a security team.
	On the other hand, Howard teaches performing a predetermined action based on the not-known object comprises sending an alert to a security team (Howard, ¶7 retrieves this stored identifier and compares it to a list of authorized identifiers. If a match is not found, software also resides in the host computer/processor to log mismatches and to notify security personnel or a system administrator of the attempt to attach the unauthorized peripheral).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Howard, which teaches notifying security personnel when a match of a peripheral identifier is not found, into the teaching of Farrell in view of JbcEdge and Hurwitz to result in the claimed limitations.
	One of ordinary skill would be motivated to do so as incorporating Howard’s teaching would help improve security of the system disclosed by Farrell. In addition, both of the references (Howard and Farrell) teach features that are directed to analogous art, such as detecting a new device, searching for a match of the device in a list and sending a notification when there is no match. This close relation between both of the references highly suggests an expectation of success when combined.
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Todd, JbcEdge, Hurwitz and further in view of Arsenault et al. (US 20170257341 A1, hereinafter Arsenault).
	Regarding claim 15, Farrell in view of Todd, JbcEdge, Hurwitz teaches the process of claim 13 (see discussion above), wherein performing a predetermined action based on the externally-not-known object ([Examiner remark: the crossed over text is discussed below], Farrell ¶37, … Based on answers to the queries received from the one or more network devices and/or the datastore, the verifier may determine that a new configuration or a new service is enabled on the one or more network devices, in a communication network, the EMS may issue the one or more messages).
	The combination of Farrell in view of Todd, JbcEdge, Hurwitz discloses the performing of an action but the combination does not explicitly disclose the predetermined action based on the externally-not-known object comprises creating a work order to vet the new device.
	On the other hand, Arsenault teaches performing a predetermined action based on the not-known object comprises creating a work order to vet the new device (Arsenault [0056], the device gateway 110 sends a request message to a control server 121 of the common communication network 120, requesting an identity of a service provider network associated with an IoT device 100, the request message comprises the manufacturer IoT device identity, after determining that a manufacturer IoT device identity in the local storage does not have a corresponding unique IoT device identifier, the device gateway 110 may determine that a unique IoT device identifier is not found in the device gateway storage and triggers a request message for an identity of a service provider network; [0057] When a subscription identity of the device gateway 110 is included in the request message, the control server 121 and optionally the first service provider network 130 may use the device gateway subscription profile in the validation of the IoT device to service provider network association; [Examiner note: the making of the request message corresponds to creating a work order, and the validation of the IoT device to service provider network association corresponds to the work in response to the work order]).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Arsenault, which teaches making a request message when the device identifier is not found which results in the validation of the device, into the teaching of Farrell in view of JbcEdge and Hurwitz to result in the claimed limitations.
	One of ordinary skill would be motivated to do so as incorporating Arsenault’s teaching would help improve security of the system disclosed by Farrell. In addition, both of the references (Arsenault and Farrell) teach features that are directed to analogous art, such as detecting a new device, searching for the device identifier in a storage and performing an action when the device identifier is not found. This close relation between both of the references highly suggests an expectation of success when combined.
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Farrell in view of Todd, JbcEdge, Hurwitz and further in view of Grimm et al. (US 20190312887 A1, Grimm).
	Regarding claim 16, Farrell in view of JbcEdge and Hurwitz teaches the process of claim 13, wherein performing a predetermined action based on the externally-not-known object ([Examiner remark: the crossed over text is discussed below], Farrell ¶37, … Based on answers to the queries received from the one or more network devices and/or the datastore, the verifier may determine that a new configuration or a new service is enabled on the one or more network devices, in a communication network, the EMS may issue the one or more messages).
	The combination of Farrell in view of Todd, JbcEdge, Hurwitz discloses the performing of an action but the combination does not explicitly disclose On the other hand, Grimm teaches pushing an app to the new device to detect malware associated with the new device ([0089], store a database 512 of devices that are known to the network. When a new device such as the device 510 appears on the network 502, compare the device 510 to the list of devices. Where the device 510 is not recognized, the portal 508 may initiate a number of steps to conditionally admit the device 510 to the network 502; ¶92 initiate steps such as download and execution of an antivirus scanner by the device, include download and installation of a local security agent by the device, scan of the device for compliance with a security policy, such as by checking for current application versions, security patches and so forth on the device).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Grimm, which teaches to download and install anti-virus software and scanning a new device, into the teaching of Farrell in view of Todd, JbcEdge, Hurwitz to result in the claimed limitations.
	One of ordinary skill would be motivated to do so as incorporating Grimm’s teaching would help improve security of the system disclosed by Farrell. In addition, both of the references (Grimm and Farrell) teach features that are directed to analogous art, such as detecting a new device, searching for the device in a known list of devices and performing an action when the device identifier is not found. This close relation between both of the references highly suggests an expectation of success when combined.
		Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20150370522 A1 - Search a local or external database for the identification information of the external device, and determine whether the external device has been registered; and if the external device has been registered, then the flow proceeds to one operation; otherwise, the flow proceeds to another operation.
US 8769610 B1 - Search through the access control list database to determine if the requesting device matches any one of the known devices listed in the access control list database. If the requesting device matches one of the known devices listed in the database, the security manager will apply the access policy indicated in the database for that requesting device.
US 20080168531 A1 - An intrusion detection system logs a plurality of security events, a trouble ticket alerting system configured to store therein a plurality of trouble tickets and a security event aggregator and reporter tool configured to determine, at a pre-determined time interval, whether or not a recent security event corresponds to an existing trouble ticket among the plurality of trouble tickets.
US 10114947 B1 - process that monitors other processes and/or events and records information about those processes and/or events to a log. The term “log,” as used herein, generally refers to any file or collection of files that includes information recorded about events and/or processes.
US 20170286540 A1 - monitor entries of a first table and notify other tables of changes to the entries of the first table. In response to the notification, the other tables may note that the entries of the first table have changed and may thereby notify, in response to requests from agents or other entities, the agents or other entities that entries of the first table have changed.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Vy Huy Ho whose telephone number is (571) 272-3261.  The examiner can normally be reached on Monday - Friday 7:30 am-5:30 pm.
	Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Pierre Vital can be reached on (571) 272-4215.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

07/18/2022
/V.H.H/
Examiner, Art Unit 2162

/PIERRE M VITAL/Supervisory Patent Examiner, Art Unit 2162