DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office correspondence is in response to the application number 17/505891 filed on October 20, 2021.  Claims 1 – 20 are pending.
Priority
This application is claiming the benefit of prior-filed application 16/296753 (now Patent 11,159,360) under 35 U.S.C. 120, 121,365(c), or 386(c).  Co-pendency between the current application and the prior application is required.  Since the applications were co-pending at the time of the filing date of the current application, the applicant is entitled to the benefit claim to the prior-filed application, which claimed benefit to provisional application 62/792501.  Therein the current application is entitled to a priority date of 1/15/2019.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 10/20/2021 was filed concurrently with the mailing date of the application on 10/20/2021.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based e-Terminal Disclaimer may be filled out completely online using web-screens. An e-Terminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about e-Terminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 4, 10, 14, 18 and 19 are rejected on the ground of non-provisional non-statutory anticipatory-type double patenting as being unpatentable over claims 1, 10, and 15 of U.S. Patent 11,159,360.  Although the conflicting claims are not identical, they are not patently distinct from each other because both sets of claims are directed to the same invention.  This is a non-provisional anticipatory-type double patenting rejection since the claims directed to the same invention have in fact been patented.
In regard to claim 1:
Application 17/505891
U.S. Patent 11,159,360
1. A method comprising:
1. A method of managing resources, the method comprising:
receiving events from a plurality of users in an event stream;
receiving a first request to detect a first event in a computer network;
collecting a plurality of events for a first user from the event stream;
detecting a first element of the first event at a first computing resource of the computer network
performing a lookup in a directed graph representing computing resources of a computing network for a first computing resource in the computing network associated with a first event of the plurality of events;
determining a first vertex corresponding to the first computing resource in a directed graph representing the computer network, and determining a second vertex corresponding to the second computing resource by traversing a first edge originating from the first vertex, the first edge representing a first correlation between the first computing resource and the second computing resource,
determining that a first condition defined in the first event of the plurality of events is observed at the first computing resource; and
wherein the detection of the first element indicates the presence of one or more conditions regarding the first computing resource, as defined in the first element by a tenant utilizing the computer network; wherein the first correlation between the first computing resource and the second computing resource is received from the tenant in the first request;

determining, after detecting the first element of the first event at the first computing resource, a second computing resource of the computer network, wherein determining the second computing resource of the computer network comprises:
collecting, in response to determining that the first condition defined in the first event of the plurality of events is observed at the first computing resource, first statistical information to be collected related to the first event from the first computing resource, wherein the first statistical information to be collected is defined in the first event.
providing first data corresponding to the first event from the first computing resource to the second computing resource, 
wherein providing the first data corresponding to the first event from the first computing resource to the second computing resource comprises: collecting statistical information to be collected related to the first element at the first computing resource, 
wherein the statistical information to be collected is defined in the first element of the first event, and providing the statistical information collected at the first element to the second computing resource;

 determining that a second element of the first event is detected at the second computing resource, wherein the detection of the second element indicates the presence of one or more conditions regarding the second computing resource, as defined by the tenant, and the second element is only detected at the second computing resource after the detection of the first element at the first computing resource; and 
provide, in response to determining that the second element is detected at the second computing resource, the first data corresponding to the first element and second data corresponding to the second element to the tenant.


It is clear that all of the elements of the instant application 17/505891 (herein ‘891) claim 1 are to be found in U.S. Patent 11,159,360 (herein ‘360) claim 1 (as the instant application ‘891 claim 1 fully encompasses ’360 claim 1).  The differences between the ‘891 claim 1 and ‘360 claim 1 lies in the fact that the ‘360 claim includes many more elements and is thus much more specific.  Thus the invention of claim 1 of the ‘360 patent is in effect a “species” of the “generic” invention of ‘891 claim 1. It has been held that the generic invention is “anticipated” by the “species”. See In re Goodman, 29 USPQ2d 2010 (Fed. Cir. 1993). Since ‘891 claim 1 is anticipated by claim 1 of ’360, it is not patentably distinct from the 360 claim 1.
In regard to claim 4, see claim 1 of ‘360.
In regard to claim 10:
Application 17/505891
U.S, Patent 11,159,360
10. A system comprising:
 a memory storage; and 
a processing unit coupled to the memory storage, wherein the processing unit is operative to:
10. A system comprising: 
a memory storage; and 
a processing unit coupled to the memory storage, wherein the processing unit is operative to:
receive a first correlation policy from a first user;
receive a first request to detect a first event in a computer network; wherein the correlation between the first computing resource and the second computing resource is received from the tenant in the first request; provide first data corresponding to the first element from the first endpoint to the second endpoint,
collect a plurality of events for the first user from an event stream based on the first correlation policy;
determine a first endpoint of the computer network where a first element of the first event occurred, wherein the first endpoint is associated with a first element of the first event, and the first element indicates the presence of one or more conditions regarding a first computing resource by a tenant utilizing the computer network;  determine a second endpoint of the computer network based on a first correlation between the first endpoint and the second endpoint, wherein the processing unit being operative to determine a second computing resource of the computer network comprises the processing unit being operative to:
perform a first lookup in a directed graph representing computing resources of a computing network to determine a first computing resource associated with a first event of the plurality of events, wherein the first computing resource Is defined in the first event by the first user;
determine a first vertex corresponding to the first computing resource in a directed graph representing the computer network, and determine a second vertex corresponding to the second computing resource by traversing a first edge originating from the first vertex, the first edge representing the first correlation between the first computing resource and the second computing resource, 

collect first statistical information to be collected related to the first event from the first computing resource, wherein the first statistical information to be collected is defined in the first event: and
wherein the processing unit being operative to provide the first data corresponding to the first event from the first computing resource to the second computing resource comprises the processing unit being operative to: collect statistical information to be collected related to the first element at the first computing resource, 
wherein the statistical information to be collected is defined in the first element of the first event, and provide the statistical information collected at the first element to the second computing resource; determine that a second element of the first event is detected at the second endpoint,
 wherein the detection of the second element indicates the presence of one or more conditions regarding the second computing resource, as defined by the tenant, and the second element is only detected at the second computing resource after the detection of the first element at the first computing resource; and
report the first statistical information to be collected related to the first event at the first computing resource to the first user
provide, in response to determining that the second element is detected at the second endpoint, the first data corresponding to the first element and second data corresponding to the second element to a first user

It is clear that all of the elements of the instant application 17/505891 (herein ‘891) claim 10 are to be found in U.S. Patent 11,159,360 (herein ‘360) claim 10 (as the instant application ‘891 claim 10 fully encompasses ’360 claim 10).  The differences between the ‘891 claim 10 and ‘360 claim 10 lies in the fact that the ‘360 claim includes many more elements and is thus much more specific.  Thus the invention of claim 10 of the ‘360 patent is in effect a “species” of the “generic” invention of ‘891 claim 10. It has been held that the generic invention is “anticipated” by the “species”. See In re Goodman, 29 USPQ2d 2010 (Fed. Cir. 1993). Since ‘891 claim 10 is anticipated by claim 10 of ’360, it is not patentably distinct from the 360 claim 10.
In regard to claim 14, see claim 10 of  ‘360.
In regard to claim 18:
Application 17/505891
U.S. Patent 11,159,360
18. A non-transitory computer readable medium that stores a set of instructions which when executed perform a method comprising:
15.  A non-transitory computer readable medium that stores a set of instructions which when executed perform a method executed by the set of instructions comprising:
receiving events from a plurality of users in an event stream;
receiving a first request to detect a first event in a computer network;
collecting a plurality of events for a first user from the event stream;
determining that a first element of the first event is detected at a first endpoint of the computer network, wherein the first element indicates the presence of one or more conditions regarding a first computing resource by a tenant utilizing the computer network; and
performing a lookup in a directed graph representing computing resources of a computing network to determine a first computing resource in the computing network associated with a first event of the plurality of events;
determining, in response to determining that the first element of the first event is detected at the first endpoint, a second endpoint in the computer network, wherein determining the second endpoint of the computer network comprises: 
determining a first vertex corresponding to the first endpoint in a directed graph representing the computer network, and determining a second vertex corresponding to the second endpoint by traversing a first edge originating from the first vertex, the first edge representing a first correlation between the first endpoint and the second endpoint, 
wherein the first correlation between the first endpoint and the second endpoint is received from the tenant in the first request, providing first data corresponding to the first event from the first endpoint to the second endpoint, 
wherein the first endpoint is associated with a first computing resource and the second endpoint is associated with a second computing resource, and providing the first data corresponding to the first event from the first computing resource to the second computing resource comprises:
collecting first statistical information to be collected related to the first event from the first computing resource, wherein the first statistical information to be collected is defined in the first event: and
collecting statistical information to be collected related to the first element at the first computing resource, wherein the statistical information to be collected is defined in the first element of the first event, and
reporting the first statistical information collected from the first computing resource to the first user.
providing the statistical information collected at the first element to the second computing resource;

It is clear that all of the elements of the instant application 17/505891 (herein ‘891) claim 18 are to be found in U.S. Patent 11,159,360 (herein ‘360) claim 15 (as the instant application ‘891 claim 18 fully encompasses ’360 claim 15).  The differences between the ‘891 claim 18 and ‘360 claim 15 lies in the fact that the ‘360 claim includes many more elements and is thus much more specific.  Thus the invention of claim 15 of the ‘360 patent is in effect a “species” of the “generic” invention of ‘891 claim 18. It has been held that the generic invention is “anticipated” by the “species”. See In re Goodman, 29 USPQ2d 2010 (Fed. Cir. 1993). Since ‘891 claim 18 is anticipated by claim 15 of ’360, it is not patentably distinct from the 360 claim 15.
In regard to claim 19, see claim 15 of ‘360.

35 USC § 101 Analysis
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. 

Claims 1 – 20 are directed to statutory subject matter and are not rejected under 35 USC 101 because of a judicial exception..  The claims are directed to non-abstract improvements in computer related technology.  A claim is non-statutory when it is directed to a judicial exception (e.g. either one of mathematical concepts, mental processes, or certain methods of organizing human activity) without significantly more.  The claimed invention is not directed to a judicial exception.  Instead, the claimed invention is directed to a technological improvement for managing resources in a multi-tenant computerized cloud environment by using a computing device that implements statistical correlation when a first request to detect a first event (e.g. a fault) is received from a tenant that has created a correlation policy, and the first event includes a first element (e.g. sub-event) at a first computing resource  that is detected so that afterward a second resource is determined by the correlation policy (aka  the first event  may include a first element comprising detecting fault at a first Ethernet port of a first switch. Upon detection of the fault, the first event may require to determine a VLAN attached to the first Ethernet port at fault).  Thence, first data (e.g. statistical information) corresponding to the first computing resource is provided to the second computing resource, where it may be determined that a second element of the first event is detected at the second computing resource.  The ordered combination of the limitations and elements recited in the claimed invention bounds the claimed invention to specific improvements to managing shared resources within a cloud infrastructure and addresses a problem known in the art when using statistics correlation to manage a multi-tenant infrastructure by enabling user defined policies to provide statistics correlation for resources being used by the tenant.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1 – 16 and 18 - 19 are rejected under 35 U.S.C. 103 as being unpatentable over Biswas et al. (U.S. 2020/0128047 A1; herein referred to as Biswas) in view of Kamath et al. (U.S. 2020/0067783 A1; herein referred to as Kamath)
In regard to claim 1, Biswas teaches a method comprising (see abstract “. . Provided are systems and methods for analyzing actions performed by users in using a cloud service, and adjusting the configuration of a security management and control system based on the analysis.. . . “):
receiving events from a plurality of users in an event stream (see ¶ [0024] “. . . a security monitoring and control and control system can monitor the use of cloud services by the users of an organization. Monitoring of users' activities as they use cloud services can be important for several reasons. Monitoring can, for example, detect security policy violations. In these examples, inclusion of a policy-driven alerting mechanism can allow tenants for the cloud service to monitor high-risk events. This is can done by creating a set of policies to proactively monitor certain activities that have potential high impact on the operation of the tenant's networks. . . .”’ see ¶ [0027] “. . . , monitoring can be accomplished using various techniques. For example, security monitoring can include supervised or knowledge-based monitoring. In this example, high-risk events are monitored by defining a set of policies to detect specific events and remediate the events, if necessary. In addition, security best practices can be modeled and applied to a set of events to detect specific threats. As another example, security monitoring and may include unsupervised or automated anomaly detection. In this example, abnormal events or unusual pattern of events can be identified based on activities performed in the cloud service. . . .”);
collecting a plurality of events (e.g. actions) for a first user from the event stream (see ¶ [0037] “. . . provided are systems and methods for analyzing actions performed by users in using a cloud service, and adjusting the configuration of a security management and control system based on the analysis. In various examples, the analysis may include generating a weighted directed graph that reflects a user's use of the cloud service, and/or reflects the tenant's overall use of the cloud service. In various examples, when the security monitoring and control system generates security alerts, the actions that resulted in the alerts can be compared to the graph to determine whether the actions are in accordance with prior behavior of the users. . . .”);
performing a lookup (e.g. extract activity data) (see  ¶ [0186] “. . . the actions performed by a user, U, may be determined from activity data obtained from the cloud service provider. For example, the cloud service provider may provide at least a portion of the audit trail log described above. Activity data for a particular user may be extracted from the audit trail log is a list of events. In the activity data, the user may have been found to have performed a series of actions, S. These actions may be extracted from the parameters of the event in the audit trail log. The different actions that make up the series can be characterized as a set of vertices (v.sub.1 . . . v.sub.n)  . . .”) in a directed graph (see Fig. 4,  ¶ [0188] “. . . FIG. 4 illustrates a weighted directed graph representing the series of actions with assigned weights, according to some embodiments. The series of actions, with these assigned weight values, can then be represented in a weighted directed graph, by connecting the vertices representing actions using the sequence in which the actions occur in the log. In this example a first action may be represented by a first vertex 401. A second action may be represented by a second vertex 402. When the first action is followed sequentially by the second action in the event log, the first vertex may be connected to the second vertex through an edge in the graph. . . . “) representing computing resources  of a computing network for a first computing resource (e.g. an entity on which an action was performed) in the computing network associated with a first event of the plurality of events see  ¶ [0183] “. . the monitoring system may maintain an audit trail log that includes events that are detected in the cloud system. Each time an event is detected by the system, a corresponding event can be logged in the audit trail log. For example, if a user sends an email through the cloud system, an event may be recorded that includes the details of the transmission. An event in the audit trail log may include a number of different parameters. In some embodiments, an event in the audit trail log may include a timestamp indicating the date and time of the event. The event may also include an action performed by the event, such as sending an email, creating a new directory, opening a document, requesting a file transfer, and so forth. The events in the audit trail log may further include a resource representing an entity on which the action was performed, such as a computer system, a document, an email server, a file system, and/or any other resource. The event in the audit trail log may also include a subject representing the user or entity who performed the action on the resource, including a user ID, a client device ID, and organizational ID, a username, and/or any other information that may identify a user and/or an entity. The events in the audit trail log may also include additional contextual information, such as a network address, a geolocation, a user role, security authorizations, other users involved in the event, and/or any other information that may be descriptive or related to the event. . . “);
Biswas fails to explicitly teach determining that a first condition defined in the first event of the plurality of events is observed at the first computing resource; and
collecting, in response to determining that the first condition defined in the first event of the plurality of events is observed at the first computing resource, first statistical information to be collected related to the first event from the first computing resource, wherein the first statistical information to be collected is defined in the first event.  However Kamath teaches determining that a first condition (e.g. network statistics attribute) defined in the first event (e.g. bandwidth usage, workload movement, data traffic direction) of the plurality of events is observed at the first computing resource (e.g. a node and a data path) (see ¶¶ [0025-0026]” . . . receive a network statistics request from a computing device (not shown). In some examples, the computing device may implement a network infrastructure management platform which can provide reports depicting patterns of bandwidth usage, workload movement, data traffic direction, etc., based on network statistics sourced from the network device 100, for managing the network infrastructure. . . The network statistics request may indicate a network resource, such as at least one of a node and a data path in a layer of a network stack in the network infrastructure, for which a network statistics attribute is to be determined. Each protocol in the network stack may be considered as an abstraction layer (or a layer) in a stack of protocols. For example, in the Open Systems Interconnection (OSI) model, there are seven layers, such as datalink layer, network layer, and transport layer. The network statistics request may indicate a node or a data path corresponding to any of the layers and a network statistics attribute to be determined for the indicated node or data path . . .”); and
collecting (see ¶ [0026] “ . . . the network statistics request may indicate multiple nodes and data paths, and multiple network statistics attributes to be determined for the indicated nodes/data paths. In some examples, the network statistics request may indicate network resources which may be pre-configured, based on user inputs, as managed network resources. The network statistics request may indicate the managed network resources for which network statistics attributes are to be determined . . .”), in response to determining that the first condition defined in the first event of the plurality of events is observed at the first computing resource(see ¶ [0027] “. . . a node may be specified in the network statistics request by mentioning a network segment under which the node is grouped and a unique identifier, such as a MAC address, an IP address, or a TCP/UDP port number. A data path may be a connected route between two nodes through which data packets may be transferred. In an example, a data path may be specified in the network statistics request by mentioning addresses of two nodes and a subnetwork under which the two nodes are grouped. One of the two nodes may act as a source node while the other acts as a destination node . . .”), first statistical information to be collected related to the first event from the first computing resource (e.g. node or data path) (see ¶ [0043] “. . . the network statistics request may indicate multiple nodes or data paths and multiple network statistics attributes to be determined for the indicated nodes or data paths. The network statistics request may indicate a node of a subnetwork, such as an endpoint of a VLAN, or a host of an IP subnet, for which network statistics attributes are to be determined . . .”), wherein the first statistical information to be collected is defined in the first event  (see ¶ [0045] “. . . Network statistics attributes may represent information associated with flow of data packets at the node and/or the data path. Examples of the network statistics attributes for a node include Tx packets, Rx packets, Tx jumbo frames, Rx jumbo frames, Tx traffic volume, Rx traffic volume, broadcast Tx, broadcast Rx, multicast Tx, multicast Rx, dropped Tx, dropped Rx, Internet Small Computer System Interface (ISCSI) Tx packets, and ISCSI Rx packets . . .”).
It would have been obvious to one with ordinary skill in the art before the effective filing date of the applicant’s invention to incorporate a system and method for network infrastructure management using network statistic requests targeted to a network resource where a graph is generated to depict vertices corresponding to nodes in a network segment associated with the network resource and edges corresponding to communication links between pairs of adjacent nodes in the network segment, as taught by Kamath, into a system and method  for analyzing actions performed by users in using a cloud service, and adjusting the configuration of a security management and control system based on the analysis, wherein the analysis can include generating a weighted directed graph that reflects a user's use of the cloud service, and/or reflects the tenant's overall use of the cloud service, as taught by Biswas, into.  Such incorporation enables the incorporation of tenant activity to be used for the fault analysis and resource identification when an event is detected in the system.
In regard to claim 2, the combination of Biswas and Kamath teaches further comprising:
determining that there is another computing resource (e.g. an adjacent node) in the computing network that is associated with the first event (e.g. packet count and the traffic volume) of the plurality of events (see Kamath ¶¶ [0058-0059] “. . . the network statistics request may indicate a specific VLAN, say VLAN 100 for which network statistics attributes, viz., the packet count and the traffic volume, is to be determined . . . The count computation module 218 may determine the network statistics attribute for each pair of adjacent nodes. Each pair of adjacent nodes may be represented as a bidirectional data path between two nodes. With reference to FIG. 3A, the Packet count and Traffic volume may be determined for each of the data paths (M1:M2), (M1:M3), (M2:M3), and (M3:M4), which are a set of adjacent nodes that constitute the VLAN 100. . .”) ; and
collecting, in response to determining that there is the another computing resource in the computing network that is associated with the first event (see Kamath ¶¶ [0058-0059] as described above), another statistical information to be collected related to the first event from the another computing resource (see Kamath ¶ ¶ [0060 - 0061] “ . . . the network statistics request may indicate a list of VLANs for which multiple network statistics attributes are to be determined. Similar methods, as described above, may be used for determining the network statistics attributes for each VLAN in the list of VLANS.  Although in the description of the FIGS. 3A-3C, a packet count and traffic volume is determined, other network statistics attributes, such as Broadcast Tx, multicast Rx, dropped Rx, Rx jumbo frames etc., may also be determined in a similar manner .  . .”).
The motivation to combine Kamath with Biswas is described for the rejection of claim 1 and is incorporated herein.  Additionally, Kamath can identify multiple resources for a first event.
In regard to claim 3, the combination of Biswas and Kamath teaches further comprising:
determining that there is another computing resource in the computing network that is associated with the first event of the plurality of events (see Kamath ¶¶ [0058-0059] “. . . the network statistics request may indicate a specific VLAN, say VLAN 100 for which network statistics attributes, viz., the packet count and the traffic volume, is to be determined . . . The count computation module 218 may determine the network statistics attribute for each pair of adjacent nodes. Each pair of adjacent nodes may be represented as a bidirectional data path between two nodes. With reference to FIG. 3A, the Packet count and Traffic volume may be determined for each of the data paths (M1:M2), (M1:M3), (M2:M3), and (M3:M4), which are a set of adjacent nodes that constitute the VLAN 100. . .”); and
determining, in response to determining that there is no other computing resource in the computing network that is associated with the first event (see Kamath ¶ [0063] “. . ., the graph generation module 216 may identify that the network resource for which the network statistics attributes are to be determined, is a specific data path between the source node having address IP1 and the destination node having address IP2. The graph generation module 216 may generate a graph 400, as shown in FIG. 4A, which provides a relationship between the source and the destination node and associated TCP/UDP ports. The graph may be implemented as an adjacency matrix or an adjacency list. . . .”) a second computing resource of the computer network associated with a second event of the plurality of events (see Kamath  ¶ [0064]” . . . With reference to FIG. 4A, the graph 400 depicts vertices P1, P2, P3, P4, P5, P6, and P7 corresponding to the TCP/UDP ports and edges 402, 404, 406, and 408 corresponding to communication links between the TCP/UDP ports. The graph generation module 216 may determine a set of edges that links the source node having IP address IP1 with the destination node having IP address IP2. With reference to FIG. 4A, each of the set of edges are represented by a corresponding pair of adjacent nodes, viz. [(P1:P5), (P2:P5), (P3:P6), (P4:P7) . . .”).
The motivation to combine Kamath with Biswas is described for the rejection of claim 1 and is incorporated herein.  Additionally, Kamath can identify a resource associated with a second event.
In regard to claim 4, the combination of Biswas and Kamath teaches further comprising determining a second computing resource of the computer network associated with a second event of the plurality of events (see Kamath  ¶ [0064]” . . . With reference to FIG. 4A, the graph 400 depicts vertices P1, P2, P3, P4, P5, P6, and P7 corresponding to the TCP/UDP ports and edges 402, 404, 406, and 408 corresponding to communication links between the TCP/UDP ports. The graph generation module 216 may determine a set of edges that links the source node having IP address IP1 with the destination node having IP address IP2. With reference to FIG. 4A, each of the set of edges are represented by a corresponding pair of adjacent nodes, viz. [(P1:P5), (P2:P5), (P3:P6), (P4:P7) . . .”), 
wherein determining the second computing resource of the computer network associated with a second event of the plurality of events comprises (see Kamath ¶ [0044] “. . . a data path may be specified in the network statistics request by mentioning an address of the source node and an address of the destination node and a subnetwork to which the source and destination node belongs . . . “):
determining a first vertex corresponding to the first computing resource in the directed graph representing the computer network (see Kamath ¶ [0030] “. . On receiving the network statistics request, a graph may be generated. The graph depicts vertices corresponding to nodes in a network segment associated with the network resource and edges, where each edge corresponds to a communication link between a pair of adjacent nodes in the network segment. . . “); and
determining a second vertex (e.g. node 304) corresponding to the second computing resource by traversing a first edge (e.g. edge 310) originating from the first vertex (e.g. node 302) (see Kamath Fig. 3A ¶ [0048] “. . . The graph generation module 216 generates a graph 300, as shown in FIG. 3A, depicting the nodes of the network segment, VLAN 100. The graph generation module 216 may generate the graph 300 using adjacency lists or adjacency matrices. The adjacency lists or adjacency matrices may be implemented through a linked list datastructure, such as a singly linked list or a doubly linked list. The vertices 302, 304, 306, and 308 of the graph 300, correspond to nodes grouped under VLAN 100 and edges 310, 312, 316, and 318 correspond to communication links between each pair of adjacent nodes. . .”), the first edge (see Biswas Fig. 4, ¶ [0190] “. . . the size or thickness of each of the edges in the directed graph may represent a frequency with which one action follows the other action. For example, the directed edge 412 between the first vertex 401 and the second vertex 402 is very thick, indicating that the second action is often performed after the first action . . .”)  representing a first correlation (the actions are performed sequentially) between the first computing resource (e.g. the first vertex 401) and the second computing resource (e.g. second vertex 402) ( see Biswas ¶ [0006] “ . . . The activity data may describe actions performed during use of a cloud service. The actions may be performed by one or more users associated with a tenant. The service provider system may provide the tenant with a tenant account. The tenant account may enable the one or more users to access the cloud service. The method may also include determining, from the activity data, actions performed by a particular user. The method may additionally include generating, using the actions, a directed graph. Each node in the directed graph may represent an action performed by the particular user. Each connection between two nodes may represent a sequence in performance of actions represented by the two nodes . . .”;  Biswas ¶ [0186] “. . . the actions performed by a user, U, may be determined from activity data obtained from the cloud service provider. For example, the cloud service provider may provide at least a portion of the audit trail log described above. Activity data for a particular user may be extracted from the audit trail log is a list of events. In the activity data, the user may have been found to have performed a series of actions, S. These actions may be extracted from the parameters of the event in the audit trail log. The different actions that make up the series can be characterized as a set of vertices (v.sub.1 . . . v.sub.n . . .” see Biswas Fig. 4 ¶ [0188]” . . .  a first action may be represented by a first vertex 401. A second action may be represented by a second vertex 402. When the first action is followed sequentially by the second action in the event log, the first vertex may be connected to the second vertex through an edge in the graph), wherein the first correlation between the first computing resource and the second computing resource is received from the first user (e.g. tenant) (see Biswas ¶ [0194] “. . . the security monitoring and control system can use graphs such as the graph illustrated in FIG. 4 to perform autonomous policy monitoring. In some examples, a predefined set of policies can be automatically applied to bootstrap a tenant whenever the tenant registers a cloud services with the security monitoring and control system. In some examples, additional policies can be added for the tenant automatically on an ongoing basis, where these additional policies can be for detecting risky events. New policies can be added, for example, as new threat scenarios are identified by the operations of the security management and control system. In various examples, tenants can also add new policies, and these policies can be tuned similarly . . . “).
The motivation to combine Kamath with Biswas is described for the rejection of claim 1 and is incorporated herein.  Additionally, the combination enables the incorporation of tenant activity to be used for the fault analysis and resource identification when an event is detected in the system.
In regard to claim 5, the combination of Biswas and Kamath teaches further comprising:
providing the first statistical information collected from the first computing resource to the second computing resource (e.g. M1 to M2, M3, M4) (see Kamath ¶¶ [0047-0048] “ . . . the graph generation module 216 may identify that the network resource for which the network statistics request is to be determined is a specific node with a MAC address, say M1, and is grouped under a network segment, say VLAN 100. In an example, the network segment associated with the network resource may be specified in the network statistics request and the graph generation module 216 may identify the network segment associated with the network resource from the network statistics request. In some examples, the graph generation module 216 may identify the network segment associated with the network resource having MAC address M1 by referring to MAC-VLAN mapping tables which may be stored as part of control plane of the network device 202. The control plane includes architecture of the network device 202 that performs the functions related to determining the route of data packets passing through the network device 202.  The graph generation module 216 generates a graph 300, as shown in FIG. 3A, depicting the nodes of the network segment, VLAN 100. The graph generation module 216 may generate the graph 300 using adjacency lists or adjacency matrices. The adjacency lists or adjacency matrices may be implemented through a linked list datastructure, such as a singly linked list or a doubly linked list. The vertices 302, 304, 306, and 308 of the graph 300, correspond to nodes grouped under VLAN 100 and edges 310, 312, 316, and 318 correspond to communication links between each pair of adjacent nodes. With reference to FIG. 3, the nodes 302, 304, 306, and 308 has MAC addresses M1, M2, M3, and M4, respectively. The network statistics attribute(s) are to be determined for the node 302, as per the network statistics request . . . “).
The motivation to combine Kamath with Biswas is described for the rejection of claim 1 and is incorporated herein.  Additionally, the combination enables linkage of statistical information between different resources. 
In regard to claim 6, the combination of Biswas and Kamath teaches further comprising:
collecting second statistical information to be collected related to the second event from the second computing resource (e.g. adjacent node), wherein the second statistical information to be collected is defined in the second event (e.g. change in network infrastructure) (see Kamath ¶¶ [0049-0050] “ . . . the graph may be updated based on subsequent network statistics requests or based on changes in the network infrastructure, such as creation and/or deletion of additional nodes, data paths, and network segments. In an example, the graph generation module 216 may update the graph on receiving a user input to add/delete a node to the network segment. The graph generation module 216 may also dynamically update the graph based on detecting the change in the network infrastructure 200. In an example, the graph generation module 216 may detect the change in the network infrastructure 200 by analyzing data packet headers of data packets passing through the network device 202.   The graph generation module 216 may determine a plurality of edges in the graph 300 which are incident to the vertex corresponding to the node 302. An edge incident to the node 302 is any edge which has the node 302 as an endpoint, i.e., the node 302 is either a source node or a destination node. Thus, with reference to FIG. 3, the plurality of edges incident on the node 302 are, the edges 310 and 312. Each of such incident edges may be represented by a corresponding pair of adjacent nodes, such as (M1:M2) and (M1:M3). Here the pair of adjacent nodes are represented by their respective MAC addresses.
The motivation to combine Kamath with Biswas is described for the rejection of claim 1 and is incorporated herein.  Additionally, the combination supports statistics compiled from two or more resources.
In regard to claim 7, the combination of Biswas and Kamath teaches further comprising:
providing the first statistical information collected from the first computing resource and the second statistical information collected from the second computing resource to the first user  (see Kamath ¶ [0068] “ . . . . Once, the network statistics attributes for the nodes and/or data paths are determined, the values of the network statistics attributes are transmitted to the computing device 204. In an example, when multiple network statistics attributes are determined for multiple nodes and/or data paths, snapshots of the values of the network statistics attributes may be captured. A snapshot is a point in time image of the values of the network statistics attributes for a set of nodes or data paths. Such snapshots may be periodically transmitted to the computing device 204 for further processing. The network manager 206 in the computing device 204 may analyze and process the received snapshots to provide patterns of network usage. In another example, the snapshots may be processed within the network device 202, to obtain patterns of network usage and then the patterns may be forwarded to the network manager 206 in the computing device 204 . . . “).
The motivation to combine Kamath with Biswas is described for the rejection of claim 1 and is incorporated herein.  Additionally, the combination provides reporting to a user / administrator of statistics for one or more resources. 
In regard to claim 8, the combination of Biswas and Kamath teaches wherein collecting the plurality of events for the first user from the event stream (see Biswas ¶ [0037] as described for the rejection of claim 1 and is incorporated herein)  comprises collecting the plurality of events from the event stream based on a correlation policy (the actions are performed sequentially) between the plurality of events(e.g., activity data) ) ( see Biswas ¶ [0006] “ . . . The activity data may describe actions performed during use of a cloud service. The actions may be performed by one or more users associated with a tenant. The service provider system may provide the tenant with a tenant account. The tenant account may enable the one or more users to access the cloud service  . . .”) defined by the first user (e.g. tenant) (see  Biswas ¶ [0194] “. . . the security monitoring and control system can use graphs such as the graph illustrated in FIG. 4 to perform autonomous policy monitoring. In some examples, a predefined set of policies can be automatically applied to bootstrap a tenant whenever the tenant registers a cloud services with the security monitoring and control system. In some examples, additional policies can be added for the tenant automatically on an ongoing basis, where these additional policies can be for detecting risky events. New policies can be added, for example, as new threat scenarios are identified by the operations of the security management and control system. In various examples, tenants can also add new policies, and these policies can be tuned similarly . . . “).
In regard to claim 9, the combination of Biswas and Kamath teaches further comprising creating a graph comprising the plurality of events ( see Biswas ¶ [0006] “ . . . The method may also include determining, from the activity data, actions performed by a particular user. The method may additionally include generating, using the actions, a directed graph. Each node in the directed graph may represent an action performed by the particular user. Each connection between two nodes may represent a sequence in performance of actions represented by the two nodes . . .”)  based on the correlation policy between the plurality of events defined by the user (see Biswas ¶ [0186] “. . . the actions performed by a user, U, may be determined from activity data obtained from the cloud service provider. For example, the cloud service provider may provide at least a portion of the audit trail log described above. Activity data for a particular user may be extracted from the audit trail log is a list of events. In the activity data, the user may have been found to have performed a series of actions, S. These actions may be extracted from the parameters of the event in the audit trail log. The different actions that make up the series can be characterized as a set of vertices (v.sub.1 . . . v.sub.n . . .” see Biswas Fig. 4 ¶ [0188]” . . .  a first action may be represented by a first vertex 401. A second action may be represented by a second vertex 402. When the first action is followed sequentially by the second action in the event log, the first vertex may be connected to the second vertex through an edge in the graph) .
In regard to claim 10, Biswas teaches a system comprising  (see abstract “. . Provided are systems and methods for analyzing actions performed by users in using a cloud service, and adjusting the configuration of a security management and control system based on the analysis.. . . “):
 a memory storage (see ¶ [0270] “. . . The storage subsystem 1018 may include one or more non-transitory memory devices, including volatile and non-volatile memory devices. As shown in FIG. 10, the storage subsystem 1018 includes a system memory 1010 and a computer-readable storage media 1022. The system memory 1010 may include a number of memories including a volatile main random access memory (RAM) for storage of instructions and data during program execution and a non-volatile read only memory (ROM) or flash memory in which fixed instructions are stored. In some implementations, a basic input/output system (BIOS), containing the basic routines that help to transfer information between elements within the computer system 1000, such as during start-up, may typically be stored in the ROM. The RAM typically contains data and/or program modules that are presently being operated and executed by the processing subsystem 1004. In some implementations, the system memory 1010 may include multiple different types of memory, such as static random access memory (SRAM) or dynamic random access memory (DRAM), and the like . . .”); and 
a processing unit coupled to the memory storage (see ¶ [0263] “. . . The processing subsystem 1004 controls the operation of the computer system 1000 and may comprise one or more processors, application specific integrated circuits (ASICs), or field programmable gate arrays (FPGAs). The processors may include be single core or multi-core processors. The processing resources of computer system 700 can be organized into one or more processing units 1032, 1034. A processing unit may include one or more processors, including single core or multi-core processors, one or more cores from the same or different processors, a combination of cores and processors, or other combinations of cores and processors. In some examples, the processing subsystem 1004 can include one or more special purpose co-processors such as graphics processors, digital signal processors (DSPs), or the like. In some examples, some or all of the processing units of the processing subsystem 1004 can be implemented using customized circuits, such as application specific integrated circuits (ASICs), or field programmable gate arrays (FPGAs), wherein the processing unit is operative to (see ¶ [0264] “ . . . the processing units in the processing subsystem 1004 can execute instructions stored in the system memory 1010 or on the computer readable storage media 1022. In various examples, the processing units can execute a variety of programs or code instructions and can maintain multiple concurrently executing programs or processes. At any given time, some or all of the program code to be executed can be resident in the system memory 1010 and/or on the computer-readable storage media 1022 including potentially on one or more storage devices. Through suitable programming, the processing subsystem 1004 can provide various functionalities described above. In instances where computer system 700 is executing one or more virtual machines, one or more processing units may be allocated to each virtual machine . . .”) :
receive a first correlation policy (e.g. security policy) from a first user (see ¶ [0037]” . . . the system can recommend that the security control or security policy that triggered the alert be modified. In various examples, the graphs can also be used to determine whether any user's actions are anomalous as compared to earlier behavior . . .”);
collect a plurality of events (e.g. actions) for the first user from an event stream (see ¶ [0037] as described for the rejection of claim 1 and is incorporated herein)  based on the first correlation policy (see ¶ [0081] “ . . . the control manager 172 can also maintain security policies for the organization 130. A security policy can define an action or set of actions that, when detected, constitute a security violation or an event that otherwise requires attention. In some examples, actions that are defined by a policy as a security violation can occur through use of one service, meaning that all the actions were performed while using the same service. In some examples, the actions can have occurred during use of more than one service, where the services are provided by one service provider or multiple service providers. In some examples, a security policy can also define one or more remediation actions to perform when a violation of the policy is detected. A remediation action can include, for example, sending a notification to the user who caused the violation, to network administrators of the organization 130, to administrators of the security management and control system 102, and/or to another entity. . . .”);
perform a first lookup (e.g. extract activity data) (see  ¶ [0186] as described for the rejection of claim 1 and is incorporated herein) in a directed graph  (see Fig. 4,  ¶ [0188] as described for the rejection of claim 1 and is incorporated herein) representing computing resources of a computing network to determine a first computing resource (e.g. an entity on which an action was performed)  associated with a first event of the plurality of events see  ¶ [0183] as described for the rejection of claim 1 and is incorporated herein), wherein the first computing resource Is defined in the first event by the first user (see  ¶¶ [0184-0185] “ . . . the parameters for each event can be combined with the knowledge base and detection algorithms to provide autonomous techniques for monitoring policies, security controls and threats. For example, an event attributed to a particular user ID may use the user ID to reference additional information in the knowledge base related to the event type, the user, security credentials for the user, and so forth. Therefore, the knowledge base may be used to augment information received by the audit trail log to generate a complete picture of all the details surrounding a particular event.  In various examples, different models can be developed from users' activities in using a cloud service. These activities may be monitored in real time and/or by analyzing the audit trail log described above. For example, some embodiments may generate user-specific models for the users associated with a particular tenant. User specific models may be applied to a particular user ID to describe the model behavior of that particular user. Some embodiments may also generate cloud-service-specific models that encompass use of the cloud service by all users across various tenants. Additionally, some embodiments may also generate tenant-specific models that model usage by all users assigned to a particular tenant (e.g. for all the tenant's users). There are many techniques for developing models for a particular user that are used by various embodiments. In some of the examples described below, these techniques may also be used to develop a model for the tenant by considering all the activity data for the users of the tenant . . . “);
Biswas fails to explicitly teach collect first statistical information to be collected related to the first event from the first computing resource, wherein the first statistical information to be collected is defined in the first event: and 
report the first statistical information to be collected related to the first event at the first computing resource to the first user.  However Kamath teaches collect (see ¶ [0026] as disclosed for the rejection of claim 1 and is incorporated herein) first statistical information to be collected related to the first event from the first computing resource(e.g. node or data path) (see ¶ [0043] as disclosed for the rejection of claim 1 and is incorporated herein), wherein the first statistical information to be collected is defined in the first event (see ¶ [0045] as disclosed for the rejection of claim 1 and is incorporated herein): and 
report the first statistical information to be collected related to the first event at the first computing resource to the first user (see ¶ [0068] “ . . . . Once, the network statistics attributes for the nodes and/or data paths are determined, the values of the network statistics attributes are transmitted to the computing device 204. In an example, when multiple network statistics attributes are determined for multiple nodes and/or data paths, snapshots of the values of the network statistics attributes may be captured. A snapshot is a point in time image of the values of the network statistics attributes for a set of nodes or data paths. Such snapshots may be periodically transmitted to the computing device 204 for further processing. The network manager 206 in the computing device 204 may analyze and process the received snapshots to provide patterns of network usage. In another example, the snapshots may be processed within the network device 202, to obtain patterns of network usage and then the patterns may be forwarded to the network manager 206 in the computing device 204 . . . “).
The motivation to combine Kamath with Biswas is described for the rejection of claim 1 and is incorporated herein.
In regard to claim 11, the combination of Biswas and Kamath teaches wherein the processing device is further operative to raise a fault (e.g. failure) in the first computing resource (see Biswas ¶ [0112] “ . . . the data loader application 206 can pre-generate system reports. The system reports can be generated by jobs (e.g., processes) that are scheduled to run on the data set at periodic intervals. Data stored in an application catalog database 208 and/or analytics and threat intelligence repository 211 can be used to generate a variety of reports. Categories of reports can include, for example, authentication and authorization, network and device, systems and change data, resource access and availability, malware activity, and failures and critical errors, among others. Reports can be based on various attributes such as, for example, per application, per user, per secured resource, and per device used for access, among others. Reports may highlight recent changes such as updated features in a cloud application or newly modified policies. Reports may be pre-generated by scheduled jobs (e.g., for performance reasons) or may be requested by a user or administrator. . . “). 
In regard to claim 12, the combination of Biswas and Kamath teaches wherein the processing device is further operative to (see Biswas ¶ [0264] as described for the rejection of claim 10 and is incorporated herein): 
determine if there is another computing resource (e.g. an adjacent node) associated with the first event (e.g. packet count and the traffic volume) (see Kamath ¶¶ [0058-0059] as described for the rejection of claim 2 and is incorporated herein): and
collect, in response to determining that there is the another computing resource associated with the first event(see Kamath ¶¶ [0058-0059] as described above), the first statistical information to be collected related to the first event at the another computing resource(see Kamath ¶ ¶ [0060 - 0061] as described for the rejection of claim 2 and is incorporated herein).
The motivation to combine Kamath with Biswas is described for the rejection of claim 2 and is incorporated herein.
In regard to claim 13, the combination of Biswas and Kamath teaches wherein the processing device is further operative to (see Biswas ¶ [0264] as described for the rejection of claim 10 and is incorporated herein):
determine if there is another computing resource(e.g. an adjacent node) associated with the first event(e.g. packet count and the traffic volume) (see Kamath ¶¶ [0058-0059] as described for the rejection of claim 3 and is incorporated herein): and
determine, in response to determining that there is no other computing resource associated with the first event(see Kamath ¶ [0063] as described for the rejection of claim 3 and is incorporated herein), a second computing resource of the computer network associated with a second event of the plurality of events(see Kamath  ¶ [0064] as described for the rejection of claim 3 and is incorporated herein).
The motivation to combine Kamath with Biswas is described for the rejection of claim 3 and is incorporated herein.
In regard to claim 14, the combination of Biswas and Kamath teaches wherein the processing unit being operative to determine the second computing resource of the computer network associated with the second event of the plurality of events (see Kamath  ¶ [0064] as described for the rejection of claim 4 and is incorporated herein) comprises the processing unit being operative to (see Biswas ¶ [0264] as described for the rejection of claim 10 and is incorporated herein): 
determine a first vertex corresponding to the first computing resource in the directed graph representing the computer network (see Kamath ¶ [0030] as described for the rejection of claim 4 and is incorporated herein), and
determine a second vertex (e.g. node 304) corresponding to the second computing resource by traversing a first edge (e.g. edge 310) originating from the first vertex(e.g. node 302) (see Kamath Fig. 3A ¶ [0048] as described for the rejection of claim 4 and is incorporated herein), the first edge  (see Biswas Fig. 4, ¶ [0190] as described for the rejection of claim 4 and is incorporated herein) representing a first correlation(the actions are performed sequentially) between the first computing resource e.g. the first vertex 401)  and the second computing resource (e.g. second vertex 402) ( see Biswas ¶ [0006], ¶ [0186] Fig. 4 ¶ [0188] as described for the rejection of claim 4 and is incorporated herein) wherein the first correlation between the first computing resource and the second computing resource is received in the first correlation policy from the first user  (e.g. tenant) (see Biswas ¶ [0194] as described for the rejection of claim 4 and is incorporated herein).
The motivation to combine Kamath with Biswas is described for the rejection of claim 4 and is incorporated herein.
In regard to claim 15, the combination of Biswas and Kamath teaches wherein the processing unit is further operative to provide the first statistical information collected from the first computing resource to the second computing resource (e.g. M1 to M2, M3, M4) (see Kamath ¶¶ [0047-0048] as described for the rejection of claim 5 and is incorporated herein).
The motivation to combine Kamath with Biswas is described for the rejection of claim 5 and is incorporated herein.
In regard to claim 16, the combination of Biswas and Kamath teaches wherein the first computing resource comprises a first switch device of the computing network (see Kamath ¶ [0019] “ . . . . Based on the network statistics request, a graph may be generated. The graph refers to a non-linear data structure, which contains a set of points called vertices and a set of lines or edges connecting the vertices. The graph may depict a network segment associated with the network resource. The graph includes vertices corresponding to nodes in the network segment and edges corresponding to communication links between pairs of adjacent nodes in the network segment. Thus, the graph defines a relationship between nodes and communication links in the network segment associated with the network resource for which the network statistics attribute is to be determined. The network segment refers to a portion of the network infrastructure that is separated from the network infrastructure by network devices, such as switches, hubs, bridges, routers, etc. Each network segment may include multiple computers and other device . . . “).
The motivation to combine Kamath with Biswas is described for the rejection of claim 1 and is incorporated herein.  Additionally Kamath can identify certain switches as a computer resource.
In regard to claim 18, Biswas teaches a non-transitory computer readable medium (see ¶ [0270] “ . . . The storage subsystem 1018 may include one or more non-transitory memory devices, including volatile and non-volatile memory devices. As shown in FIG. 10, the storage subsystem 1018 includes a system memory 1010 and a computer-readable storage media 1022. The system memory 1010 may include a number of memories including a volatile main random access memory (RAM) for storage of instructions and data during program execution and a non-volatile read only memory (ROM) or flash memory in which fixed instructions are stored. In some implementations, a basic input/output system (BIOS), containing the basic routines that help to transfer information between elements within the computer system 1000, such as during start-up, may typically be stored in the ROM. The RAM typically contains data and/or program modules that are presently being operated and executed by the processing subsystem 1004. In some implementations, the system memory 1010 may include multiple different types of memory, such as static random access memory (SRAM) or dynamic random access memory (DRAM), and the like. . . “) that stores a set of instructions which when executed perform a method comprising (“ . . . The computer-readable storage media 1022 may store programming and data constructs that provide the functionality of some examples. The computer-readable media 1022 may provide storage of computer-readable instructions, data structures, program modules, and other data for the computer system 1000. Software (programs, code modules, instructions) that when executed by the processing subsystem 1004 provides the functionality described above that may be stored in the storage subsystem 1018. By way of example, the computer-readable storage media 1022 may include non-volatile memory such as a hard disk drive, a magnetic disk drive, an optical disk drive such as a CD ROM, DVD, a Blu-Ray® disk, or other optical media. The computer-readable storage media 1022 may include, but is not limited to, Zip® drives, flash memory cards, universal serial bus (USB) flash drives, secure digital (SD) cards, DVD disks, digital video tape, and the like. Computer-readable storage media 1022 may also include, solid-state drives (SSD) based on non-volatile memory such as flash-memory based SSDs, enterprise flash drives, solid state ROM, and the like, SSDs based on volatile memory such as solid state RAM, dynamic RAM, static RAM, DRAM-based SSDs, magnetoresistive RAM (MRAM) SSDs, and hybrid SSDs that use a combination of DRAM and flash memory based SSDs. The computer-readable storage media 1022 may provide storage of computer-readable instructions, data structures, program modules, and other data for the computer system 1000. . . . “):
receiving events from a plurality of users in an event stream (see ¶ [0024], [0027] as described for the rejection of claim 1 and is incorporated herein);
collecting a plurality of events (e.g. actions) for a first user from the event stream (see ¶ [0037] as described for the rejection of claim 1 and is incorporated herein);
performing a lookup (e.g. extract activity data) (see  ¶ [0186] as described for the rejection of claim 1 and is incorporated herein)  in a directed graph (see Fig. 4,  ¶ [0188] as described for the rejection of claim 1 and is incorporated herein) representing computing resources of a computing network to determine a first computing resource(e.g. an entity on which an action was performed)  in the computing network associated with a first event of the plurality of events see  ¶ [0183] as described for the rejection of claim 1 and is incorporated herein);
Biswas fails to explicitly teach collecting first statistical information to be collected related to the first event from the first computing resource, wherein the first statistical information to be collected is defined in the first event: and
reporting the first statistical information collected from the first computing resource to the first user.  However Kamath teaches collecting (see ¶ [0026] as described for the rejection of claim 1 and is incorporated herein) first statistical information to be collected related to the first event from the first computing resource  (e.g. node or data path) (see ¶ [0043] as described for the rejection of claim 1 and is incorporated herein), wherein the first statistical information to be collected is defined in the first event(see ¶ [0045] as described for the rejection of claim 1 and is incorporated herein): and
reporting the first statistical information collected from the first computing resource to the first user  (see ¶ [0068] as described for the rejection of claim 10 and is incorporated herein).
The motivation to combine Kamath with Biswas is described for the rejection of claim 1 and is incorporated herein. 
In regard to claim 19, the combination of Biswas and Kamath teaches further comprising:
determining if there is another computing resource associated with the first event (e.g. packet count and the traffic volume) (see Kamath ¶¶ [0058-0059] as described for the rejection of claim 2 and is incorporated herein); and
determining, in response to determining that there is no other computing resource associated with the first event(see Kamath ¶ [0063] as described for the rejection of claim 3 and is incorporated herein), a second computing resource of the computer network associated with a second event of the plurality of events (see Kamath  ¶ [0064] as described for the rejection of claim 3 and is incorporated herein), wherein determining the second computing resource of the computer network associated with the second event of the plurality of events comprises (see Kamath ¶ [0044] as described for the rejection of claim 4 and is incorporated herein):
determining a first vertex corresponding to the first computing resource in the directed graph representing the computer network (see Kamath ¶ [0030] as described for the rejection of claim 4 and is incorporated herein), and 
determining a second vertex (e.g. node 304) corresponding to the second computing resource by traversing a first edge (e.g. edge 310) originating from the first vertex(e.g. node 302) (see Kamath Fig. 3A ¶ [0048] as described for the rejection of claim 4 and is incorporated herein), the first edge (see Biswas Fig. 4, ¶ [0190] as described for the rejection of claim 4 and is incorporated herein) representing a first correlation (the actions are performed sequentially) between the first computing resource (e.g. the first vertex 401) and the second computing resource (e.g. second vertex 402) ( see Biswas ¶ [0006],  ¶ [0186] Fig. 4 ¶ [0188], as described for the rejection of claim 4 and is incorporated herein), wherein the first correlation between the first computing resource and the second computing resource is received in a first correlation policy from the first user (e.g. tenant) (see Biswas ¶ [0194] as described for the rejection of claim 4 and is incorporated herein).
The motivation to combine Kamath with Biswas is described for the rejection of claim 4 and is incorporated herein.
Claims 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Biswas et al. (U.S. 2020/0128047 A1; herein referred to as Biswas) in view of Kamath et al. (U.S. 2020/0067783 A1; herein referred to as Kamath) as applied to claims 1 – 16 and 18 – 19 in further view of Sudhakaran et al. (U.S. 2017/0031704 A1; herein referred to as Sudhakaran).
In regard to claim 17, the combination of Biswas and Kamath fails to expclitly teach wherein the first computing resource comprises a first Ethernet port of a first switch device and a second Ethernet port of a second switch device.  However Sudhakaran teaches wherein the first computing resource comprises a first Ethernet port (e.g. port 152a) of a first switch device and a second Ethernet port (e.g. port 152i) of a second switch device (see ¶ [0018] “. . . FIG. 1 is a block diagram of a system including a network controller capable of determining network port profiles to be stored for a virtual machine snapshot, according to an example. The system 100 can include a host machine 110 that includes virtual machines 112a-112n. The VMs 112 can use VM ports 114a, 114b-114m. One VM port 114a or additional ports (e.g., VM port 114b, etc.) can be used with particular VMs (e.g., VM 112a). A port group 116 can be used to configure settings in VM ports 114 in a particular port group. In some examples, the VM ports 114 can be thought of as virtual Network Interface Cards (NICs). Further, virtual switch(es) 117 can be implemented to use physical NICs 118a-118l. The NICs 118 can connect to a network of switches 150 via physical ports 152a-152i of the respective switches 150. The switches 150 may be controlled by a network controller 130. As noted above, it can be advantageous to take snapshots of VMs 112 . . .” see ¶ [0023] “. . . the state and configuration the port group(s) 116 can be captured. Example configurations that can be captured include Virtual Local Area Network (VLAN) tags (e.g., a Level 2 segment id), average bandwidth, peak bandwidth allowed, ingress and egress traffic limiting, traffic/flow priority settings, a number of dv-ports in the group . . . “).
It would have been obvious to one with ordinary skill in the art before the effective filing date of the applicant’s invention to incorporate a system and method for providing a virtual machine snapshot based on a request wherein the hardware components of the VM are extracted and their states collected, as taught by Sudhakaran,, into a system and method  for analyzing actions performed by users in using a cloud service, and adjusting the configuration of a security management and control system based on the analysis, wherein the analysis can include generating a weighted directed graph that reflects a user's use of the cloud service, and/or reflects the tenant's overall use of the cloud service, and the system processes network statistic requests targeted to a network resource where a graph is generated to depict vertices corresponding to nodes in a network segment associated with the network resource and edges corresponding to communication links between pairs of adjacent nodes in the network segment, as taught by the combination  of Biswas and Kamath.  Such incorporation enables the system to localize statistics for each virtual machine.
In regard to claim 20, the combination of Biswas and Kamath fails to expclitly teach wherein the first computing resource comprises a first Ethernet port of a first switch device and a second Ethernet port of a second switch device.  However Sudhakaran teaches wherein the first computing resource comprises a first Ethernet port (e.g. port 152a) of a first switch device and a second Ethernet port (e.g. port 152i) of a second switch device (see ¶ [0018], ¶ [0023] as described for the rejection of claim 17 and is incorporated herein).
The motivation to combine Sudhakaran with the combination of Biswas and Kamath is described for the rejection of claim 17 and is incorporated herein.
Conclusion
There are prior art made of record which are not relied upon but are considered pertinent to applicant’s disclosure.  They are listed on the PTO-892 accompanying this action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES N FIORILLO whose telephone number is (571)272-9909.  The examiner can normally be reached on 7:30 - 5 PM Mon - Fri..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John A. Follansbee can be reached on 571-272-3964.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JAMES N FIORILLO/               Examiner, Art Unit 2444