DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/30/2022 has been entered.

Information Disclosure Statement
The 5/31/2022 IDS document has been considered by the examiner.

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments, in view of the amended claim language, have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Chauhan (US 2016/0127401 A1).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Allen (US 9,727,726 B1) in view of Chauhan (US 2016/0127401 A1).

Regarding claim 1, Allen discloses: A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: 
instrumenting an endpoint managed by a threat management facility with a local agent  (e.g., computing system and monitoring device as per at least FIG. 4 of Allen) to detect a plurality of types of changes to a plurality of computing objects; 
Refer to at least Col. 1, Ll. 65-Col. 2, Ll. 25 of Allen with respect to the monitoring device and associated monitoring.
creating an event stream from the local agent including each type of change to each of the plurality of computing objects detected on the endpoint; 
Refer to at least Col. 2, Ll. 49-60, Col. 4, Ll. 38-44, and Col. 11, Ll. 2-6 of Allen with respect to creating an event stream associated with the monitoring.
storing the event stream in a data recorder on the endpoint; 
Refer to at least Col. 8, Ll. 21-23 of Allen with respect to explicitly storing the events for later publishing. However, it is noted that any recorded events are necessarily stored as part of being published. 
processing the event stream with a filter at the endpoint to provide a filtered event stream including a subset of the types of changes to a subset of the plurality of computing objects; 
Refer to at least Col. 8, Ll. 2-12 and Col. 11, Ll. 2-11 of Allen with respect to additional information about the events being appended to the event stream transmission. 
transmitting the filtered event stream to the threat management facility; 
Refer to at least Col. 2, Ll. 58-60 and Col. 4, Ll. 41-43 of Allen with respect to publishing the event stream to an administrative service. 
processing the filtered event stream at the threat management facility to evaluate a security state of the endpoint; and 
in response to a predetermined security state indicating a malware threat detected by the threat management facility (e.g., “malicious attack” in the abstract and Col. 13, Ll. 26-37 of Allen), requesting additional data from the data recorder on the endpoint;
correlating the additional data with the malware threat;
transmitting an adjustment to the endpoint.
Refer to at least the abstract, Col. 3, Ll. 3-22, Col. 4, Ll. 48-59, Col. 8, Ll. 13-52, and Col. 13, Ll. 25-50 of Allen with respect to the administrative service performing analysis of the received event stream and remedial actions resultant therefrom. For instance, “[t]he administrative service may request from the monitoring device 104 additional data” in Col. 4, Ll. 55-59 of Allen and “[t]he administrative service 402 may transmit one or more commands causing the monitoring service to transmit the requested information” in Col. 8, Ll. 61-67 of Allen. The administrative service uses received information from the monitoring devices to determine, e.g., malicious attacks. 
Allen does not specify: the endpoint being managed by a threat management facility for a user associated with an enterprise network; transmitting an adjustment to the endpoint for use in filtering the event stream, the adjustment associated with at least one of the types of changes in the additional data correlated with the malware threat; transmitting a second adjustment to one or more other endpoints managed by the threat management facility, the second adjustment based on the adjustment transmitted to the endpoint and the second adjustment controlling one or more other filters on the one or more other endpoints to communicate the types of changes in the additional data correlated with the malware threat; selecting events for a second event stream on a second endpoint of the one or more other endpoints based on the second adjustment to facilitate detection by the threat management facility of the malware threat. However, Allen in view of Chauhan discloses: the endpoint being managed by a threat management facility for a user associated with an enterprise network;
Refer to at least 140 in FIG. 1, [0009], [0044], and [0057] of Chauhan with respect to a cloud network for customers.
Refer to at least FIG. 1 and [0042]-[0043] of Chauhan with respect to the configuration server(s).
transmitting an adjustment to the endpoint for use in filtering the event stream, the adjustment associated with at least one of the types of changes in the additional data correlated with the malware threat; transmitting a second adjustment to one or more other endpoints managed by the threat management facility, the second adjustment based on the adjustment transmitted to the endpoint and the second adjustment controlling one or more other filters on the one or more other endpoints to communicate the types of changes in the additional data correlated with the malware threat; selecting events for a second event stream on a second endpoint of the one or more other endpoints based on the second adjustment to facilitate detection by the threat management facility of the malware threat. 
Refer to at least [0052]-[0054], [0060]-[0063], [0082]-[0084], and [0123]-[0124] of Chauhan with respect to remote capture agents being dynamically reconfigured to generate events and event streams. For instance, the agents can be reconfigured to generate events and event streams as described in [0062]-[0063].
Refer to at least [0049] of Chauhan with respect to determining the types of data collected and/or processed by each remote capture agent; i.e., different agents can focus on different types of data collection and be reconfigured accordingly.
The teachings of both Allen and Chauhan concern monitoring devices / agents for collecting event data for an administrative service / configuration server. They are both considered to be within the same field of endeavor and combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Allen to further include the monitoring devices implemented on a cloud network for customers because design incentives or market forces provided a reason to make an adaptation, and the invention resulted from application of the prior knowledge in a predictable manner (in this case, expanding to additionally cover cloud computing use cases). It also would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to further modify the teachings to include dynamically reconfiguring monitoring devices for at least the purpose of improving security through more efficient detection and remediation (i.e., the system being better adapted to quickly retrieve any required information either automatically or based on an analyst’s specific configuration; avoiding event overload by only feeding useful information). 

Regarding claims 2-4, Allen-Chauhan is considered to disclose said claims in at least Col. 8, Ll. 2-12 of Allen, concerning, e.g., one or more operations, one or more computing resources, the application responsible, and so forth.

Regarding claim 5, Allen-Chauhan discloses: The computer program product of claim 1 wherein the plurality of computing objects includes at least one of an electronic communication, a registry of system settings, and a secure kernel cache.
Refer to at least Col. 2, Ll. 2-25 of Allen with respect to monitoring communications. 

Regarding independent claim 19, it is substantially similar to elements of independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale). 

Regarding claim 20, it is substantially similar to elements of claim 1 above (i.e., concerning remediation), and is therefore likewise rejected. 

Regarding claim 6, it is substantially similar to elements of claim 1 above (i.e., concerning remediation), and is therefore likewise rejected. 

Regarding claim 7, it is rejected for substantially the same reasons as claims 2-4 above.

Regarding claim 8, it is rejected for substantially the same reasons as claim 5 above.

Regarding claim 9, Allen-Chauhan discloses: The method of claim 6 further comprising correlating the filtered event stream to a malware event on the endpoint and searching for the malware event on one or more other endpoints coupled to the enterprise network based on a pattern of events in the filtered event stream.
Refer to at least Col. 13, Ll. 26-29, FIG. 4, and Col. 8, Ll. 13-53 of Allen with respect to comparison to malware and with respect to multiple monitored computing systems 406 which may continue to be monitored as part of remediation. 

Regarding claim 10, it is rejected for substantially the same reasons as claim 6 above (i.e., receiving the event stream at the administrative service).

Regarding claim 11, Allen-Chauhan discloses: The method of claim 6 further comprising storing an unfiltered event stream on the data recorder at the endpoint, the unfiltered event stream including additional ones of the plurality of types of changes to the plurality of computing objects.
Refer to at least [0047]-[0048] of Chauhan with respect to storing event streams. Refer to at least [0062]-[0063] of Chauhan with respect to exemplary monitoring and recording. 
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 12, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations and obviousness rationale).

Regarding claims 13-14, they are rejected for substantially the same reasons as claim 9 above (i.e., monitoring computing systems as part of remediation).

Regarding claim 15, it is rejected for substantially the same reasons as claim 6 above (i.e., remedial actions).

Regarding claims 17-18, they are rejected for substantially the same reasons as claims 11-12 above. 

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Allen-Chauhan as applied to claims 1-15 and 17-20 above, and further in view of Curtiss (US 8,779,921 B1).

Regarding claim 16, Allen-Chauhan does not disclose: wherein processing the filtered event stream includes securely verifying a status of the endpoint. However, Allen-Chauhan in view of Curtiss discloses: wherein processing the filtered event stream includes securely verifying a status of the endpoint.
Refer to at least Col. 10, Ll. 26-35 and Col. 28, Ll. 44-Col. 29, Ll. 4 of Curtiss with respect to node statuses transmitted to a control system. Further refer to at least Col. 30, Ll. 1-14 of Curtiss with respect to diagnostics.
The teachings of Allen-Chauhan and Curtiss concern event monitoring and analysis, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Allen-Chauhan to further include support for node status information and diagnostics for at least the purpose of identifying malfunctioning nodes for repair such that monitoring runs as intended. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

/V.S/Examiner, Art Unit 2432