Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 16-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because claims 16-20 recite “one or more sensors on compute instances in an enterprise network; an administrative console”; the sensors on compute instances and the administrative console recited in these claims can all be interpreted as software. Therefore, claims 16-20 are rejected under 101 because the claimed features are directed towards software per se.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-14 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over BERRINGTON (US-20210334821-A1) based on its priority date from application no. 16/527515 filed on 7/31/2019, in view of ABADI (US-20110283360-A1), hereinafter BERRINGTON-ABADI.
Regarding claim 1, BERRINGTON teaches “A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: receiving an event stream including security events from an enterprise network at a stream service; ([BERRINGTON, para. 0163] “Further, many embodiments are described in terms of sequences of actions to be performed by, for example, elements of a computing device. It will be recognized that various actions described herein can be performed by specific circuits (e.g., application specific integrated circuits (ASICs)), by program instructions being executed by one or more processors, or by a combination of both. Additionally, these sequences of actions described herein can be considered to be embodied entirely within any form of computer readable storage medium having stored therein a corresponding set of computer instructions that upon execution would cause an associated processor to perform the functionality described herein. Thus, the various aspects of the invention may be embodied in a number of different forms”) ([BERRINGTON, para. 0094] “The testing and analyzing system may be configured to detect unauthorized software being used in the IT environment of the companies, to monitor vulnerability of the IT environment, to monitor backups (and perform any other resilience monitoring and testing, as appropriate, such as testing backups performed to identify failed backups), as well as monitor patch management to identify software that requires remediation and updates to the current installed version. The audit techniques may be simultaneously executed, continuous and carried out in near real-time, allowing for automated and near real-time IT audit services. The testing and analyzing system may be configured to moderate consistent audit quality which is aligned to best practice standards or company policy. The testing and analyzing system may include focused security modules which conduct vulnerability scanning as one component of testing and analysis.”) ([BERRINGTON, para. 0096] “Once collected, the data audited by the platform may be reviewed, and, if desired, may be overridden. In certain exemplary embodiments, the data audited by the platform may be selectively overridden, or may be overridden if manually uploaded data dealing with similar aspects of the IT infrastructure is too different from the automatically collected data.”) ([BERRINGTON, para. 0042] “It may further be contemplated that, while exemplary embodiments of the platform may be tailored to particular users or sets of users, or particular organizations or sets of organizations, the platform may not be limited to corporate applications, and may be used by all other entities, optionally with additional functionality or different functionality based on the nature of the organization.”) ([BERRINGTON, para. 0059] “According to an exemplary embodiment, data may be gathered by a collecting system. The collecting system may include connectors (essentially, links between one type of data structure or format and another type) and may also include a web user interface (UI) for manual collection of data.”) storing the event stream in a data lake; ([BERRINGTON, para. 0080] “According to an exemplary embodiment, the collection system may be configured to specifically target and collect data relating to the IT environment based on the connectors the administrator selects, downloads and implements, which may then be combined with the data being submitted manually by the user. This data may then be stored in the backend, and may be tested and analyzed by a testing and analyzing system which may be integrated with the backend.”) ([BERRINGTON, para. 0111] “According to an exemplary embodiment, the platform may be further configured to provide remediation alerts and notifications in order to remediate the data collected, tested and analyzed. The alerts and notifications may be based on continuous monitoring conducted by the platform. The platform may be configured to detect global anomalies, establish trends in those anomalies, and then respond to the anomalies. The platform may have an extensive database of real-time data that allows for industry, company and/or user profiling for both trending and anomaly detection purposes. The platform may also include filtered alert mechanisms.”) ……. queries for execution against the event stream, the plurality of queries configured to investigate security issues within the enterprise network based on the event stream; ([BERRINGTON, para. 0094] “monitor vulnerability of the IT environment, to monitor backups (and perform any other resilience monitoring and testing, as appropriate, such as testing backups performed to identify failed backups)”) ([BERRINGTON, para. 0072] “In addition to the above, user account information may also include any other connected information for the employee, such as human resource information like termination dates ……. In an exemplary embodiment, the platform may further collect information about the user account creation process, such as the speed of creation and approval of new user accounts, the history of modification of user accounts”) monitoring a usage of the plurality of queries at one or more administrative consoles to a threat management facility for the enterprise network; ……. ([BERRINGTON, para. 0042] “An administrator may be a user provided with special permissions to access, manage and monitor the platform in a manner not permitted to regular users. Various forms of administrator may be contemplated. For example, in an exemplary embodiment, an administrator may be an authorized user of one of an authorized group of companies. The platform may include a portal which allows for management of the platform by the administrator.”) ([BERRINGTON, para. 0072] “In an exemplary embodiment, the connectors may be used to collect user account information, security configurations data, application-specific information, or system-specific information. User account information may include, for example, staff numbers, login data, username, permissions, name and surname, and status. In addition to the above, user account information may also include any other connected information for the employee, such as human resource information like termination dates, email, engagement dates and title. Such information may be used by the platform in order to, for example, identify unused or seldom-used user accounts, or duplicate user accounts, such as may be desired. In an exemplary embodiment, the platform may further collect information about the user account creation process, such as the speed of creation and approval of new user accounts, the history of modification of user accounts, the speed with which the organization eliminates the user accounts of (or the privileges of, or otherwise controls access for) users that have left the organization. This may allow risk to be determined for the process as a whole, as well as on a per-user basis, if desired.”).
However, BERRINGTON does not teach “storing a plurality of queries …… determining a usage history based on the usage of the plurality of queries; and initiating an action by the threat management facility based on the usage history.”
In analogous teaching, ABADI teaches “storing a plurality of queries ([ABADI, claim 12] “the search logs including records each containing a query, a time at which the query was issued, a set of results returned, a user agent, and an IP (Internet protocol) address that issued the query;”) ……. determining a usage history based on the usage of the plurality of queries; ([ABADI, para. 0024] “The seed malicious queries 200 are applied to the search logs 122 to expand the number of the malicious queries under examination. For example, the seed malicious queries 200 may be applied to the search logs 122 to find exact query matches. For each record in the search logs 122 where the queries exactly match to one or more of the seed malicious queries 200, the IP address that issued the matching query is extracted. The IP address may be used as the seed query IP address(es) 201, whereby the queries found in the search logs 122 that were issued by the seed query IP address(es) 201 are extracted to create the expanded query set 203. In cases where the IP address of the attacker is already known, the use of the seed malicious queries 200 may not be necessary, as the IP address itself may be used to extract all queries from the search logs 122 to create the expanded query set 203.”) ([ABADI, para. 0024] “The expansion takes advantage of a likelihood that if the IP address issued a matching query to one of the seed malicious queries 200, then it is likely that most of the other queries from this IP address would also be malicious. For example, most attackers typically issue not just a single query, but rather multiple queries. Thus, after the expansion process, the search audit framework 124 may obtain most, if not all, of the queries which were issued from malicious IP addresses.”) and initiating an action by the threat management facility based on the usage history. ([ABADI, para. 0021] “FIG. 2 is a block diagram of the components of an implementation of a search audit framework, such as the search audit framework 124.”) ([ABADI, para. 0022] “The second stage may include an analysis of the malicious queries and results 205 to reveal the correlations and other security attacks. The second stage may include an attack analysis engine 206 to determine types of attacks implicated by the malicious queries and results 205 and to understand the behavior of the different malicious entities submitting the malicious queries. The second stage may indicate the type of attack as an output 208. The output 208 includes information used for prediction, prevention, and data dissemination in accordance with a type of attack. For example, the output 208 may be provided to security applications such that remedial actions may be implemented on identified vulnerable servers. The attack analysis engine 206 may also provide information for continued monitoring by external systems. A more detailed discussion of the second stage is provided below with reference to FIG. 6.”) ([ABADI, claim 11] “The method of claim 1, further comprising providing information regarding the malicious queries to security applications for remedial actions to be taken by vulnerable servers.”).
Thus, given the teaching of ABADI, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of determining usage history of queries and initiating an action by ABADI into the teaching of monitoring a usage of the plurality of queries at one or more administrative consoles as taught by BERRINGTON. One of ordinary skill in the art would have been motivated to do so because ABADI recognizes the need to detect attackers through the use of queries. ([ABADI, para. 0001] “carefully crafted search queries can be used by attackers to gather information such as email addresses or password files or information about misconfigured or even vulnerable servers. As such, the amount of malicious Web search traffic has been increasing. Search bots are submitting malicious searches to identify victims for spreading infections, supporting phishing attacks, determining compromised legitimate domains, spamming, and launching Denial of Service (DoS) attacks. Some of these search bots are stealthy.”) ([ABADI, para. 0003] “A framework identifies malicious queries contained in search logs to uncover relationships between the malicious queries and the potential attacks launched by attackers submitting the malicious queries …… Upon identifying the malicious queries, the framework may be used to detect attacks on vulnerable websites, spamming attacks, and phishing attacks.”).

Regarding claim 2, BERRINGTON-ABADI teach all limitations of claim 1. BERRINGTON further teaches of “wherein the event stream includes security events from one or more sensors on compute instances in the enterprise network” ([BERRINGTON, para. 0060] “In particular, in an exemplary embodiment, the collecting system may be configured such that information may be collected in such a manner as to provide continuous auditing, such that information is collected and evidence is audited simultaneously, without pausing information collection for evidence auditing or vice-versa. (In some cases, this may be a function of the collection system or of individual connectors defined therein.”) ([BERRINGTON, para. 0061-0063] “According to an exemplary embodiment, the connectors may utilize a buffer system such as the publish/subscribe pattern (or PUB SUB) to feed data into the cloud. The connectors may be run based on a schedule configured by the user via the frontend. The connectors may be centrally deployed and may remotely access the applications/computers as necessary to pull relevant data utilizing relevant remote technologies such as WMI, API, SQL or Remote Registry. According to an exemplary embodiment, the connectors may form a connector framework which is connected to the backend. The connector framework may function as the primary mechanism for receiving data. All connectors may be based on a standard open source framework. The platform may support the addition of new connectors, which may be written or uploaded by the user, administrator or companies. The platform may support the addition of new standards, with the standards being provided in writing. All connectors set up may be viewed and managed via a user interface. The user interface may be the same web UI described above. In an exemplary embodiment, the platform may be configured to operate in IT environments enabled virtually, through deployment of the connectors into the IT environment, with the data processing being performed in the cloud. In such an embodiment, the platform may be connected to new connectors regularly, wherein the new connectors are deployed regularly.”)

Regarding claim 3, this claim recites a method that corresponds to the features of claims 1 and 2. Therefore, claim 3 is rejected in a similar manner as in the rejection of claims 1 and 2.


Regarding claim 4, BERRINGTON-ABADI teach all limitations of claim 3. BERRINGTON further teaches “wherein storing the event stream includes storing the event stream in a data lake.” ([BERRINGTON, para. 0080] “According to an exemplary embodiment, the collection system may be configured to specifically target and collect data relating to the IT environment based on the connectors the administrator selects, downloads and implements, which may then be combined with the data being submitted manually by the user. This data may then be stored in the backend, and may be tested and analyzed by a testing and analyzing system which may be integrated with the backend.”) ([BERRINGTON, para. 0111] “According to an exemplary embodiment, the platform may be further configured to provide remediation alerts and notifications in order to remediate the data collected, tested and analyzed. The alerts and notifications may be based on continuous monitoring conducted by the platform. The platform may be configured to detect global anomalies, establish trends in those anomalies, and then respond to the anomalies. The platform may have an extensive database of real-time data that allows for industry, company and/or user profiling for both trending and anomaly detection purposes. The platform may also include filtered alert mechanisms.”).

Regarding claim 5, BERRINGTON-ABADI teach all limitations of claim 3. BERRINGTON further teaches “wherein monitoring the usage includes monitoring queries initiated at one or more administrative consoles for the threat management facility.” ([BERRINGTON, para. 0042] “An administrator may be a user provided with special permissions to access, manage and monitor the platform in a manner not permitted to regular users. Various forms of administrator may be contemplated. For example, in an exemplary embodiment, an administrator may be an authorized user of one of an authorized group of companies. The platform may include a portal which allows for management of the platform by the administrator.”) ([BERRINGTON, para. 0043] “the platform may be used to provide an IT audit, or certain IT audit services”) ([BERRINGTON, para. 0039] “The presently contemplated platform thus may provide an always-on audit, compliance and monitoring system and method.”) ([BERRINGTON, para. 0050] “In an exemplary embodiment, an audit performed by the platform may include the automated collection, storage, analysis and reporting of IT environment and cyber security data, which may include steps of comparing this data against various IT best practice standards and/or company policies.”) ([BERRINGTON, para. 0072] “In an exemplary embodiment, the platform may further collect information about the user account creation process, such as the speed of creation and approval of new user accounts, the history of modification of user accounts, the speed with which the organization eliminates the user accounts of (or the privileges of, or otherwise controls access for) users that have left the organization. This may allow risk to be determined for the process as a whole, as well as on a per-user basis, if desired.”)

Regarding claim 6, BERRINGTON-ABADI teach all limitations of claim 3. BERRINGTON further teaches “wherein monitoring the usage includes monitoring queries for a plurality of enterprise networks.” ([BERRINGTON, para. 0042] “A variety of users and user types may be contemplated, such as one or more administrators. An administrator may be a user provided with special permissions to access, manage and monitor the platform in a manner not permitted to regular users. Various forms of administrator may be contemplated. For example, in an exemplary embodiment, an administrator may be an authorized user of one of an authorized group of companies. The platform may include a portal which allows for management of the platform by the administrator. In an exemplary embodiment, administrator rights may be restricted to one user, or a small number of users, within the company, with “users” encompassing the administrator(s) and other employees of the one or more companies. It may further be contemplated that, while exemplary embodiments of the platform may be tailored to particular users or sets of users, or particular organizations or sets of organizations, the platform may not be limited to corporate applications, and may be used by all other entities, optionally with additional functionality or different functionality based on the nature of the organization. The platform may also be operated by a subcomponent of an organization, without equivalent rights being shared by the organization as a whole. As such, where reference is made to a company, the term company should be considered to include entities including businesses, divisions, departments, or the like, which may form part of a larger group thereof. In certain cases, it may also be contemplated to have rights be shared between organizations, such that, for example, a platform is managed by an administrator employed by a government organization and an administrator at a government contractor retained by the government organization to develop their IT infrastructure.”).

Regarding claim 7, BERRINGTON-ABADI teach all limitations of claim 3. ABADI further teaches “The method of claim 3 wherein monitoring the usage includes monitoring changes to one or more of the plurality of queries.” ([ABADI, para. 0002] “malicious queries used by attackers are previously unknown and can change frequently.”) ([ABADI, para. 0029] “In some implementations, the search audit framework 124 may use regular expressions to match potentially unknown malicious queries in the search logs 122. Regular expressions are more general than exact query matches and may match malicious searches even if attackers slightly change the search terms. For example, hackers may add restrictions to the query terms, e.g., adding “site:cn” which will obtain search results in the .cn domain only. Also, as many of the queries are generated using scripts, regular expressions can capture the structure of the queries and therefore are able to match future malicious queries.”) ([ABADI, para. 0023] “the search audit framework 124 may monitor the hosts that conducted these malicious queries to obtain additional queries.”)

Regarding claim 8, BERRINGTON-ABADI teach all limitations of claim 3. BERRINGTON further teaches “wherein monitoring the usage includes monitoring post-query remediation activity initiated at one or more administrative consoles.” ([BERRINGTON, para. 0094] “The testing and analyzing system may be configured to detect unauthorized software being used in the IT environment of the companies, to monitor vulnerability of the IT environment, to monitor backups (and perform any other resilience monitoring and testing, as appropriate, such as testing backups performed to identify failed backups), as well as monitor patch management to identify software that requires remediation”) ([BERRINGTON, para. 0126] “According to such a method, the platform may further use the data collected, tested and analyzed to generate a textual report detailing the analysis, and may further be configured to make remediation recommendations based on the results.”) ([BERRINGTON, para. 0136] “The step of generating and outputting the at least one recommendation may include steps of selecting the remediation solution from a list of available remediation solutions based on constraints provided by the user; conducting a first test of a network component with the remediation solution simulated as being in place; conducting a second test of a network component with the alternative solution simulated as being in place, and comparing a result of the first test and a result of the second test.”) ([BERRINGTON, para. 0042] “for example, a platform is managed by an administrator employed by a government organization and an administrator at a government contractor retained by the government organization to develop their IT infrastructure.”).

Regarding claim 9, BERRINGTON-ABADI teach all limitations of claim 3. ABADI further teaches “wherein the usage history includes a popularity of one or more of the plurality of queries.” ([ABADI, para. 0028] “As such the proxy filter 202 may implement a geographical profile instead of a single global user-profile. The search audit framework 124 may apply a granularity to the geographical profile based on an IP prefix. For each /16 IP prefix, a behavioral profile may be created, which includes, e.g., a set of the 100 most popular queries from all the IPs in that prefix. Other granularities may be used, such as a country code. The search audit framework 124 may determine that the set of queries issued from a proxy has a large overlap with the profile of that prefix, whereas queries issued by an aggressive attacker have little or no overlap.”)
The same motivation to modify BERRINGTON with ABADI as in the rejection of claim 1 applies.

Regarding claim 10, BERRINGTON-ABADI teach all limitations of claim 3. ABADI further teaches “wherein the usage history includes a pattern of changes to one or more of the plurality of queries.” ([ABADI, para. 0002] “malicious queries used by attackers are previously unknown and can change frequently.”) ([ABADI, para. 0029] “In some implementations, the search audit framework 124 may use regular expressions to match potentially unknown malicious queries in the search logs 122. Regular expressions are more general than exact query matches and may match malicious searches even if attackers slightly change the search terms. For example, hackers may add restrictions to the query terms, e.g., adding “site:cn” which will obtain search results in the .cn domain only. Also, as many of the queries are generated using scripts, regular expressions can capture the structure of the queries and therefore are able to match future malicious queries.”).
The same motivation to modify BERRINGTON with ABADI as in the rejection of claim 1 applies.

Regarding claim 11, BERRINGTON-ABADI teach all limitations of claim 3. BERRINGTON further teaches “wherein the usage history includes a pattern of post-query activities initiated from an administrative console.” ([BERRINGTON, para. 0112] “The platform may be configured to provide remediation recommendations through the reporting system. For example, in an exemplary embodiment, the platform may identify a particular user that presents a high risk in the current user configuration, and may identify this user as a high risk. (For example, as discussed to some extent above, it may identify that a user in a senior management role has certain IT or network security credentials which they no longer need because of their new role. The platform may then generate a recommendation for the user that this senior management figure should be removed from certain systems or granted a lower level of access.) In an exemplary embodiment, all of these recommendations may be consolidated on a single view, such that all of the recommendations may be reviewed and enacted, or not enacted (if desired), at once. This may provide an improvement over existing tools that require IT management personnel to review individual users, or other individual issues, on an application-by-application view, sometimes even requiring that different tools be used in order to review successive issues.”) ([BERRINGTON, para. 0113] “In an exemplary embodiment, the remediation recommendations may be customized to suite the user's needs based on factors such as measurable metrics, the best product fit for the user, and benchmarking available to compare solutions to one another.”) ([BERRINGTON, para. 0135] “Further, the method may include generating and outputting at least one recommendation to the user for remediation of the at least one actionable item based on at least one comparison of a remediation solution to an alternative solution by the processing platform.”)


Regarding claim 12, BERRINGTON-ABADI teach all limitations of claim 3. BERRINGTON further teaches “wherein the usage history includes a context for executing one or more of the plurality of queries.” ([BERRINGTON, para. 0095] “the present platform may be configured to add identifying information to collected data, such that information may be identified as belonging to a particular system type. Likewise, the present platform may be configured to add a layer of context to collected data, identifying the significance of the data or the applicability of the data to specific other systems. In an exemplary embodiment, collected data may be provided with this layer of context prior to testing, allowing the test to be performed with this context in mind. According to an exemplary embodiment, collected data may be provided with this layer of context at any time prior to the conclusion of testing, such that results may be clearly associated with a particular system. This may allow the platform to run audit evaluations once on a particular system, or particular subset of system components”).

Regarding claim 13, BERRINGTON-ABADI teach all limitations of claim 3. BERRINGTON further teaches “…… and generating a recommendation for one or more responsive actions.” ([BERRINGTON, para. 0111] “The platform may have an extensive database of real-time data that allows for industry, company and/or user profiling for both trending and anomaly detection purposes. The platform may also include filtered alert mechanisms.”) ([BERRINGTON, para. 0112] “The platform may be configured to provide remediation recommendations through the reporting system. For example, in an exemplary embodiment, the platform may identify a particular user that presents a high risk in the current user configuration, and may identify this user as a high risk. (For example, as discussed to some extent above, it may identify that a user in a senior management role has certain IT or network security credentials which they no longer need because of their new role. The platform may then generate a recommendation for the user that this senior management figure should be removed from certain systems or granted a lower level of access.)”).
However, BERRINGTON does not explicitly teach “wherein initiating the action includes identifying a pattern of queries associated with a known threat”.
In analogous teaching, ABADI teaches “wherein initiating the action includes identifying a pattern of queries associated with a known threat”. ([ABADI, para. 0076] “it may be determined that queries are indicative of, for example, an attack on website vulnerabilities (610), spamming (612), phishing (614), or other attacks (616). The other attacks 616 may be more specifically identified in accordance with the implementations described above.”) ([ABADI, para. 0077] “Thus, the search audit framework 124 may identify malicious queries and prevent potential attacks. An analysis of the queries output by the search audit framework 124 may provide information to a search engine, such that the search engine may intelligently choose not to return results to these malicious queries, making it harder for attackers to obtain useful information.”)
The same motivation to modify BERRINGTON with ABADI as in the rejection of claim 1 applies.

Regarding claim 14, BERRINGTON-ABADI teach all limitations of claim 3. BERRINGTON further teaches “wherein initiating the action includes evaluating a usefulness of one of the plurality of queries based on a pattern of post-query activity.” ([BERRINGTON, para. 0095] “According to an exemplary embodiment, collected data may be provided with this layer of context at any time prior to the conclusion of testing, such that results may be clearly associated with a particular system. This may allow the platform to run audit evaluations once on a particular system, or particular subset of system components, and then later rerun an identical evaluation on a different system. The results of these analyses may then be presented to the user simultaneously. This may, for example, be used to audit portions of an IT system taken alone or with only select other components of the system being included, allowing certain specific faults to be identified and allowing recommendations to be tailored”) ([BERRINGTON, para. 0117] “According to an exemplary embodiment, once a recommended tool or service has been implemented, further actions may be taken in order to interact with the tool or service in the context of an exemplary embodiment of the platform. For example, according to an exemplary embodiment, following the implementation of a recommended tool or service, a business operating a platform may be able to provide a rating based on the ease of implementation of the tool or service, or may alternatively be able to provide other feedback through an interface provided via the platform.
In an exemplary embodiment, this may be used in order to improve future recommendations involving the type of issue that the business has encountered and the applicable remediation plan …… For example, in an exemplary embodiment, a tool with the highest rating or the highest rating by similarly-situated businesses may be automatically recommended, or a set of top three tools may be automatically recommended, which may be based on lifetime feedback and user ratings or may be based on limited-time feedback and user ratings, such as feedback corresponding to the last several versions of the tool or which has been taken over the past year or another such time period.”)

Regarding claim 16, this claim recites a method that corresponds to the features of claims 1 and 2. Therefore, claim 16 is rejected in a similar manner as in the rejection of claims 1 and 2.

Regarding claim 17, BERRINGTON-ABADI teach all limitations of claim 16. Furthermore, this claim recites features similar to those of claim 9. Therefore, claim 17 is rejected in a similar manner as in the rejection of claim 9. 

Regarding claim 18, BERRINGTON-ABADI teach all limitations of claim 16. Furthermore, this claim recites features similar to those of claim 10. Therefore, claim 18 is rejected in a similar manner as in the rejection of claim 10. 

Regarding claim 19, BERRINGTON-ABADI teach all limitations of claim 16. Furthermore, this claim recites features similar to those of claim 11. Therefore, claim 19 is rejected in a similar manner as in the rejection of claim 11. 

Regarding claim 20, BERRINGTON-ABADI teach all limitations of claim 16. Furthermore, this claim recites features similar to those of claim 12. Therefore, claim 20 is rejected in a similar manner as in the rejection of claim 12. 

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over BERRINGTON-ABADI in view of CIEMIEWICZ (US-20110202522-A1).
Regarding claim 15, BERRINGTON-ABADI teach all limitations of claim 3. However, BERRINGTON-ABADI does not teach “wherein initiating the action includes evaluating a usefulness of one of the plurality of queries based on a pattern of query modifications by users.”
In analogous teaching, CIEMIEWICZ teaches “wherein initiating the action includes evaluating a usefulness of one of the plurality of queries based on a pattern of query modifications by users.” ([CIEMIEWICZ, para. 0021] “As is mentioned above, in one embodiment of the invention, the behavioral navigation trail data that the search engine collects includes revised queries that users submit to the search engine after submitting an original query. Users may submit revised queries to the search engine after submitting an original query because those users believe (perhaps mistakenly) that the search results that have been returned by the search engine in response to the original query do not contain the search results in which the users are interested. In one embodiment of the invention, the last revised query (if any) that the user submitted after submitting the original query (in between which the user might have also submitted one or more intervening revised queries) before a “success” occurred (e.g., due to the user selecting a search result and then not performing additional activity like selecting another search result or returning to the search results page using the browser's “back” control) is specially marked by the search engine. This is the revised query that produced the revised search result page on which the user discovered a “successful” search result.”)
Thus, given the teaching of CIEMIEWICZ, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of determining usefulness of modified queries by CIEMIEWICZ into the teaching of receiving event streams and monitoring a usage of the plurality of queries at one or more administrative consoles as taught by BERRINGTON-ABADI. One of ordinary skill in the art would have been motivated to do so because CIEMIEWICZ recognizes the need to optimize queries ([CIEMIEWICZ, para. 0021] “the last revised query (if any) that the user submitted after submitting the original query (in between which the user might have also submitted one or more intervening revised queries) before a “success” occurred (e.g., due to the user selecting a search result and then not performing additional activity like selecting another search result or returning to the search results page using the browser's “back” control) is specially marked by the search engine. This is the revised query that produced the revised search result page on which the user discovered a “successful” search result. Therefore, an embodiment of the invention recognizes that such a revised query may be usefully suggested to the user as one of possibly several search engine-suggested queries after the search engine has received the original query from the user.”)


The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
SAMDADIYA (US-20120136921-A1): This prior art teaches a method which includes receiving, at a server system, event data that was sent over a network to the server system. The event data reflects one or more application events generated by at least one hosted application. The hosted application is executed on one or more servers and is accessible by a user over a network using a user client device. The method further includes storing the event data at the server system. The method further includes receiving, at the server system and from an administrator client device over a network, a request to view information regarding events generated by the hosted application. The method further includes retrieving the stored event data. The method further includes causing, at the administrator client device and based on the retrieved event data, a display of information regarding application events generated by the hosted application.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached at (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AFAQ ALI/Examiner, Art Unit 2434                             

/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434