DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 8/23/2022 has been entered.
 
Response to Arguments
Double Patenting
The previously raised rejections on the ground of nonstatutory obviousness- type double patenting to claims 1-6, 8-12, and 15-30 have been overcome by Applicant’s Terminal Disclaimer and are therefore withdrawn.

Claim Rejections - 35 U.S.C. § 103
Applicant’s arguments filed on 8/23/2022, directed at the amended claims submitted on 8/23/2022 were considered, but are moot in view of new rejections made below in response to the latest amendments by applicant.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 9 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claim 9 recites the limitation "the at least one component ".  Claim 9 depends upon claim 1, which recites “another component” and “at least one component”. It is unclear whether  "the at least one component " in claim 9 corresponds to “another component” or “at least one component” in claim 1. For the purpose of examination, the Examiner assumes that  "the at least one component " in claim 9 corresponds to “another component” in claim 1.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 8-12, 15, 17-19, 24-26 and 31 are rejected under 35 U.S.C. 103 as being unpatentable over Arnell (US 2018/0337943), further in view of Demopoulos (US 2005/0193429), and further in view of Baum (US 2015/0142842).

Regarding claims 1, 17 and 24, Arnell teaches A computer-implemented method, comprising: 
receiving input specifying an association between a threat (emphasis added to show the difference between the reference and the claim) and a data collection package (see [0028] and Fig. 2: “The threat handler 210, using the threat data 202, identifies a particular analytics operation for assisting with remediation of the potential threat and additional data to be used for performing the analytics operation. For example, the threat handler 210 may identify one playbook from a group of playbooks 217 stored on a playbook storage 215 device. The example playbooks indicate, for each of several different threats—threats A, B, C, and D—analytics operation(s) and data used for performing the analytics operation(s). For example, in a situation where the threat data 202 specifies a threat associated with “threat C,” the threat handler 210 may use the playbook associated with “threat C” to determine that “analytics C” should be performed to determine how to remediate the potential threat associated with “threat C,” and that “data C” should be gathered in order to perform “analytics C””. Also see [0007]: “Playbooks may be implemented in, for example, a list, table, or the like, or other data structure including the associated data, executable instructions for performing analytics and obtaining the information used to perform the analytics, or specification documents that include the associated data”. The Examiner interprets “executable instructions for … obtaining the information used to perform the analytics” (e.g., ‘data C’ should be gathered in order to perform ‘analytics C’) contained in a playbook as a data collection package. The Examiner further interprets the playbook associated with “threat C” indicating that “analytics C” should be performed to determine how to remediate the potential threat associated with “threat C,” and that “data C” should be gathered in order to perform “analytics C.”” as an association between a threat and a data collection package . And see [0009]: “resource intensive data collection and analytics techniques may be reserved for use in response to identification of particular potential threats that may be identified using relatively lightweight collection and analytics. In addition, a variety of playbooks for determining analytics and remedial actions may allow for handling potential threats in a variety of ways, and the ability to create new playbooks or change existing playbooks may allow network administrators to adapt to new threats and manage many threat handling procedures at a single point in the network”. The Examiner interprets “to create new playbooks” as receiving input specifying an association between a threat and a data collection package), 
wherein the data collection package identifies types of data to collect from an endpoint device when (see [0007]: “Playbooks include data associating a threat or threats with one or more analytics operations that may be used to analyze and/or remediate the threats and one or more types of information used to perform the analytics operations”. And see [0008]: “By way of example, a DNS analytics device may identify an anomaly in the DNS traffic sent by a particular computing device on a network. An alert, which may contain information about the anomaly, may be sent to the threat handler. The threat handler may use a playbook to determine that specific analytics should be performed to obtain more information about the threat. The specific analytics may make use of additional information not currently being collected or reviewed within the network, such as web proxy logs, user activity logs, and/or TCP/IP network samples and counters. The threat handler may notify a network device controller, such as software defined network (SDN) controller, to instruct one or more network devices, such as SDN routers and switches, to collect the additional information”. And see [0025] and FIG. 2: “The network device(s) 240 may be any intermediary network device suitable for transmitting network communications within and outside of the network 205, such as routers and switches, software defined or otherwise, and virtual or hardware. The client device(s) 250 may be any end-point computing device suitable for network communications, such as a personal computer, mobile computer, virtual machine, server computer, or any combination thereof”. And see [0031] and Fig. 2: “The reconfigured network devices 240 send, to the analytics device 220, the additional data 218 captured as a result of their reconfiguration. In the DNS query threat example, one or more of the network devices 240 may be reconfigured to send, to the analytics device 220, web proxy logs, user activity logs, and TCP/IP network samples and counters of the affected client device and, in some implementations, other client devices”. In the scenario that the network device 240 is software defined, the Examiner interprets “the affected client device” 250 together with the software defined network device 240 as an endpoint device. And see [0040]: “At least one of a set of SDN devices is reconfigured, the reconfiguration causing each reconfigured device to i) collect the additional data, and ii) provide the additional data to an analytics device (308). For example, reconfiguration instructions may be issued to a SDN switch to reconfigure the switch to send certain types of network packets from a particular client device to an analytics device”. And see [0018]: “The additional data may be a type of data not currently being collected by the network, e.g., the additional data may be different from the data being collected when the original potential threat was identified. In implementations where playbooks are used to determine analytics operations, playbooks may also specify the additional data used to perform the analytics operations”); 
(see [0008]: “By way of example, a DNS analytics device may identify an anomaly in the DNS traffic sent by a particular computing device on a network. An alert, which may contain information about the anomaly, may be sent to the threat handler”); 
sending a forensic data request to the endpoint device responsive to (see [0008]: “By way of example, a DNS analytics device may identify an anomaly in the DNS traffic sent by a particular computing device on a network. An alert, which may contain information about the anomaly, may be sent to the threat handler. The threat handler may use a playbook to determine that specific analytics should be performed to obtain more information about the threat. The specific analytics may make use of additional information not currently being collected or reviewed within the network, such as web proxy logs, user activity logs, and/or TCP/IP network samples and counters. The threat handler may notify a network device controller, such as software defined network (SDN) controller, to instruct one or more network devices, such as SDN routers and switches, to collect the additional information”. And see [0030] and Fig. 2: “The network device controller 230, in response to receiving the reconfiguration instructions 214, causes reconfiguration of at least one of the network devices 240. The reconfiguration instructions 216 provided by the network device controller may be the same instructions, or different instructions, from those provided by the threat handler 210. For example, the reconfiguration instructions 214 sent by the threat handler 210 may specify the additional data to be collected, while the reconfiguration instructions 216 sent by the network device controller 230 may be more specific instructions for multiple network devices 240”. The Examiner interprets the reconfiguration instructions 216 sent to “the affected client device” 250 together with the software defined network device 240 (the endpoint device) specifying the additional data to be collected responsive to threat data 202 in Fig. 2 as a forensic data request to the endpoint device responsive to identifying data indicating the potential security threat in the information technology or security environment), and wherein the forensic data request instructs the endpoint device to: 
obtain, based on the types of data identified by the data collection package, forensic data related to activity of the endpoint device in the information technology or security environment, and send the forensic data to another component in the information technology or security environment (see [0031] and Fig. 2: “The reconfigured network devices 240 send, to the analytics device 220, the additional data 218 captured as a result of their reconfiguration. In the DNS query threat example, one or more of the network devices 240 may be reconfigured to send, to the analytics device 220, web proxy logs, user activity logs, and TCP/IP network samples and counters of the affected client device and, in some implementations, other client devices”. The Examiner interprets the analytics device 220 as another component in the information technology or security environment); 
obtaining the forensic data related to activity of the endpoint device of the information technology or security environment (see [0031] and Fig. 2: “The reconfigured network devices 240 send, to the analytics device 220, the additional data 218 captured as a result of their reconfiguration. In the DNS query threat example, one or more of the network devices 240 may be reconfigured to send, to the analytics device 220, web proxy logs, user activity logs, and TCP/IP network samples and counters of the affected client device and, in some implementations, other client devices”).

Arnell fails to teach that identifying data indicating an occurrence of a potential security threat in the information technology or security environment is through executing a search query (emphasis added). In other words, Arnell fails to teach “wherein the search query is used to identify occurrences of a potential security threat in an information technology or security environment”, as recited by claims 1, 17 and 24. Arnell also fails to teach that the association to the data collection package is between the search query and the data collection package. Arnell also fails to teach that wherein the data collection package identifies types of data to collect from an endpoint device when execution of the search query  identifies an occurrence of the potential security threat (emphasis added). Arnell also fails to teach that sending a forensic data request to the endpoint device is responsive to execution of the search query identifying data indicating the potential security threat in the information technology or security environment (emphasis added).
In the same field of endeavor, Demopoulos teaches “executing the search query to identify data indicating an occurrence of the potential security threat in the information technology or security environment”, “wherein the search query is used to identify occurrences of a potential security threat in an information technology or security environment” (see [0161]: “If the event data message was generated by the virus detection module, then a virus attack detection operation 1018 is performed. The virus attack detection operation 1018 searches the event database event records indicating infected e-mails were previously received from the same source as the event data received in receive operation 1002. In an embodiment, a virus attack is presumed if a predetermined number of e-mails from the same source failed the virus detection module within a predetermined period of time. The number of e-mails and period used may be predetermined by the administrator of the computing system 300. In an embodiment, a virus attack is presumed if three or more virus-containing e-mails are received from the same source within a one-minute period. The SSI 312 makes the attack determination by searching the event database for records indicating receipt of the predetermined number of virus-containing e-mails within the period”).
Both Arnell and Demopoulos teach identifying data indicating a potential security threat in an information technology or security environment. Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Arnell so that identifying data indicating a potential security threat in the information technology or security environment is through execution of a search query, as taught by Demopoulos. It would have been obvious because doing so predictably achieves the commonly understood benefit of automating the identification of a potential security threat by executing a search query. 
When such a modification is made, Arnell modified in view of Demopoulos would teach the following recited limitations of claims 1, 17 and 24:
A computer-implemented method, comprising: 
receiving input specifying an association between a search query and a data collection package , wherein the search query is used to identify occurrences of a potential security threat in an information technology or security environment, wherein the data collection package identifies types of data to collect from an endpoint device when execution of the search query identifies an occurrence of the potential security threat; 
executing the search query to identify data indicating an occurrence of the potential security threat in the information technology or security environment; 
sending a forensic data request to the endpoint device responsive to execution of the search query identifying data indicating the potential security threat in the information technology or security environment, and wherein the forensic data request instructs the endpoint device to: 
obtain, based on the types of data identified by the data collection package, forensic data related to activity of the endpoint device in the information technology or security environment, and 
send the forensic data to another component in the information technology or security environment;
obtaining the forensic data related to activity of the endpoint device of the information technology or security environment.

Arnell modified in view of Demopoulos fails to teach “obtaining non-forensic data related to activity of at least one component in the information technology or security environment that is not the endpoint device; segmenting the forensic data and the non-forensic data into a plurality of events; for each event of the plurality of events, determining a time stamp for the event, associating the time stamp with the event, and storing the event in a field- searchable data store; and correlating an event derived from the forensic data with an event derived from the non- forensic data”.
In the same field of endeavor, Baum teaches A computer-implemented method, comprising: 
obtaining the forensic data related to activity of the endpoint device of the information technology or security environment (see [0027] and Fig. 3: “In the collection step 305, the MD [machine data] 110 may be collected directly from its original source or consolidated over a number of sources. Machine data 110 can, and often does, arrive out of order. Collection 305 of MD 110 can be performed based on standard approaches to data access, for example, reading log files, examining message bus traffic, becoming a sync for logging systems like Syslog, or connecting to database auditing systems”. And see [0024]: “During the understanding process 275, ED 250 is analyzed to create dynamic links between events and build the MDW 290. As an example, consider that a log from a web server may contain specific types of events 250 with specific event data, but a log from an application server or database may contain different events 250 and event data specific to its own domain. A system administrator may, for example, locate the web server event by looking for a session ID found in a web server log”. The Examiner interprets “raw machine data 110” (see Fig. 3) that are “a web server log” (see [0024]) from “a web server” (interpreted by the Examiner as “an endpoint device”) as “forensic data related to activity of an endpoint device of an information technology or security environment” because claim 2 of instant application defines “wherein the forensic data related to activity of the endpoint device including one or more of: file system information, registry information, service information, process information, and file information, log data”. The Examiner interprets collecting “a web server log” from “the web server” as “obtaining forensic data related to activity of an endpoint device of an information technology or security environment”); 
obtaining non-forensic data related to activity of at least one component in the information technology or security environment that is not the endpoint device (see [0027] and Fig. 3: “In the collection step 305, the MD [machine data] 110 may be collected directly from its original source or consolidated over a number of sources. Machine data 110 can, and often does, arrive out of order. Collection 305 of MD 110 can be performed based on standard approaches to data access, for example, reading log files, examining message bus traffic, becoming a sync for logging systems like Syslog, or connecting to database auditing systems”. And see [0024]: “As an example, consider that a log from a web server may contain specific types of events 250 with specific event data, but a log from an application server or database may contain different events 250 and event data specific to its own domain. A system administrator may, for example, locate the web server event by looking for a session ID found in a web server log, locate the application server event by finding a process ID in the message queue”. The Examiner interprets “an application server” taught in [0024] as “at least one component of the information technology or security environment that is not the endpoint device” because the application server is not “a web server” (interpreted by the Examiner as “an endpoint device”). The Examiner interprets “raw machine data 110” (see Fig. 3) that are “a log from an application server” (see [0024) as “non-forensic data related to activity of at least one component in the information technology or security environment that is not the endpoint device” because claim 3 of instant application defines “wherein the non-forensic data includes one or more of: firewall data, router data, email server data, and user identity management system data, log data”. The Examiner interprets collecting “raw machine data 110” (see Fig. 3) that are “a log from an application server” (see [0024) as to “obtaining non-forensic data related to activity of at least one component in the information technology or security environment that is not the endpoint device”); 
segmenting the forensic data and the non-forensic data into a plurality of events (see [0034]: “Aggregation of Machine Data into Raw Events”. And see [0035] and Fig. 3: “Aggregation rules describe the manner in which MD 110, from a particular domain, is organized 325 into event data 330 by identifying the boundaries of events within a collection of MD, for example, how to locate a discrete event by finding its beginning and ending”. And see [0023]: “FIG. 2 represents one approach 200 to building a MDW 290 from MD 110. This approach includes an organization process 235 and an understanding process 275. During the organization process 235, the MD 110 is organized into collections of discrete events 250, referred to herein as event data (ED). Events 250 represent units of system activity. Examples of events 250 include, for example, a web server servicing an HTTP "get" request from a web browser, an application server servicing an API call, or a database updating records in a table”); 
for each event of the plurality of events, determining a time stamp for the event (see claim 24: “determining a time stamp for each event in the plurality of events”. And see [0037]: “Typically, lines starting with a time-stamp are the start of a new event”), associating the time stamp with the event (see [0056]: “For example, in an email-messaging information-processing environment, an event 250 may exist in the message transfer agent (MTA) indicating the receipt of a message from a sender, another event 250 may exist in the spam filtering software documenting that the sender is known and the message is safe to forward to a user's mailbox, and finally the mailbox authentication may contain an event 250 showing that the user attempted to login to their mailbox and retrieve their mail. These three events 250 may contain no common structure other than a timestamp”. And see [0023]: “One of the challenges in organizing 235 MD 110 into events 250 is that MD generally has little formal structure and typically includes not much more than a time stamp common across different sources of MD and different types of events”. Baum teaches in [0056] and [0023] that each of the events is associated with a time stamp), and storing the event (see title: “UNIFORM STORAGE AND SEARCH OF EVENTS DERIVED FROM MACHINE DATA FROM DIFFERENT SOURCES”) in a field-searchable data store (see title: “UNIFORM STORAGE AND SEARCH OF EVENTS DERIVED FROM MACHINE DATA FROM DIFFERENT SOURCES”. And see claim 10: “wherein performing a search on the plurality of events comprises identifying an event in the plurality of events that includes machine data that includes a particular extracted entity”. And see [0040] and Fig. 3: “Following aggregation 325 and before event segmentation 345, various extraction methods 335 can be applied to identify semantic entities 340 within the data. In one implementation, search trees or regular expressions can be applied to extract and validate, for example, IP addresses or email addresses”. The Examiner interprets extracted entities of an event, such as “IP addresses or email addresses” as values of a field. Because Baum teaches searching for “an event in the plurality of events that includes machine data that includes a particular extracted entity” (a particular field value) in a data store, Baum teaches “storing the event in a field-searchable data store”); and
correlating an event derived from the forensic data with an event derived from the non- forensic data (see [0024]: “During the understanding process 275, ED 250 is analyzed to create dynamic links between events and build the MDW 290. As an example, consider that a log from a web server may contain specific types of events 250 with specific event data, but a log from an application server or database may contain different events 250 and event data specific to its own domain. A system administrator may, for example, locate the web server event by looking for a session ID found in a web server log, locate the application server event by finding a process ID in the message queue, and locate a database table update event by searching for a transaction ID in the database audit trail. All three sources may contain events 250 that are part of a larger system activity, yet there is no obvious or explicit common structure or data shared among the MD 110 produced by each system. Common structure is manufactured across the three sources by analyzing the event data 250 so that connections between events can be identified”. The Examiner interprets creating links and identifying connections between the web server event (an event derived from the forensic data) and the application server event (an event derived from the non-forensic data) taught in [0024] as correlating an event derived from the forensic data with an event derived from the non- forensic data).

Both Baum and Arnell modified in view of Demopoulos teach collection of forensic data related to activity of an endpoint device of an information technology or security environment from the endpoint device. Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Arnell modified in view of Demopoulos by adding the steps of “obtaining non-forensic data related to activity of at least one component in the information technology or security environment that is not the endpoint device; segmenting the forensic data and the non-forensic data into a plurality of events; for each event of the plurality of events, determining a time stamp for the event, associating the time stamp with the event, and storing the event in a field- searchable data store; and correlating an event derived from the forensic data with an event derived from the non- forensic data” taught by Baum. It would have been obvious because Baum teaches doing so achieves the following benefit: “Common structure is manufactured across the three sources by analyzing the event data 250 so that connections between events can be identified” (see Baum [0024]).

Regarding claims 2, 18 and 25, Arnell further teaches wherein the forensic data related to activity of the endpoint device includes one or more of: file system information, registry information, service information, process information, file information, log data (see [0008]: “By way of example, a DNS analytics device may identify an anomaly in the DNS traffic sent by a particular computing device on a network. An alert, which may contain information about the anomaly, may be sent to the threat handler. The threat handler may use a playbook to determine that specific analytics should be performed to obtain more information about the threat. The specific analytics may make use of additional information not currently being collected or reviewed within the network, such as web proxy logs, user activity logs, and/or TCP/IP network samples and counters. The threat handler may notify a network device controller, such as software defined network (SDN) controller, to instruct one or more network devices, such as SDN routers and switches, to collect the additional information”).

Regarding claims 3, 19 and 26, Baum further teaches wherein the non-forensic data includes one or more of: firewall data, router data, email server data, user identity management system data, log data (see [0024]: “As an example, consider that a log from a web server may contain specific types of events 250 with specific event data, but a log from an application server or database may contain different events 250 and event data specific to its own domain. A system administrator may, for example, locate the web server event by looking for a session ID found in a web server log, locate the application server event by finding a process ID in the message queue”. The Examiner interprets “a log from an application server” (see [0024) as “wherein the non-forensic data includes one or more of: … log data”).

Regarding claim 8, Arnell further teaches wherein the endpoint device is one of: a desktop computer, a workstation, a laptop computer, a tablet computer, a mobile device (see [0025] and FIG. 2: “The client device(s) 250 may be any end-point computing device suitable for network communications, such as a personal computer, mobile computer, virtual machine, server computer, or any combination thereof”).

Regarding claim 9, Arnell further teaches wherein the at least one component interacts with the endpoint device via a network (see [0031] and Fig. 2: “The reconfigured network devices 240 send, to the analytics device 220, the additional data 218 captured as a result of their reconfiguration. In the DNS query threat example, one or more of the network devices 240 may be reconfigured to send, to the analytics device 220, web proxy logs, user activity logs, and TCP/IP network samples and counters of the affected client device and, in some implementations, other client devices”. The Examiner interprets the analytics device 220 as the at least one component).

Regarding claim 10, Arnell further teaches wherein each event of the plurality of events includes a portion of raw machine data created by a component of the information technology or security environment and related to activity of the component in the information technology or security environment (see [0031] and Fig. 2: “The reconfigured network devices 240 send, to the analytics device 220, the additional data 218 captured as a result of their reconfiguration. In the DNS query threat example, one or more of the network devices 240 may be reconfigured to send, to the analytics device 220, web proxy logs, user activity logs, and TCP/IP network samples and counters of the affected client device and, in some implementations, other client devices”).

Regarding claim 11, Baum further teaches wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes executing a query identifying a relationship between the event derived from the forensic data and the event derived from the non-forensic data (see [0059]: “In one implementation, link analysis 405 takes place by creating a co-occurrence table with an entry for pairs of event types or event data values that occur within a predetermined window of each other. In one aspect, windows are bounded by a window threshold taking the form of time (e.g. 10 minutes), event types (e.g. 50 unique event types), or event instances (e.g. 1000 events). The value of the co-occurrence table entry is the distance between the pair (time, event types, or event instances). Pairs that co-occur often enough, and meet a distance standard deviation threshold are deemed relevant and reliable links. For example, assume that an event 250 of type A occurred 50 times, an event of type B occurred 40 times, an event of type A was followed by an event of type B 20% of the time, and the standard deviation of their distance was less than 5.0 (a predetermined threshold), then a link 410 is created between events 250 of type A and type B (represented as A->B)”).

Regarding claim 12, Arnell further teaches sending a forensic data request to the endpoint device (see [0030] and Fig. 2: “The network device controller 230, in response to receiving the reconfiguration instructions 214, causes reconfiguration of at least one of the network devices 240. The reconfiguration instructions 216 provided by the network device controller may be the same instructions, or different instructions, from those provided by the threat handler 210. For example, the reconfiguration instructions 214 sent by the threat handler 210 may specify the additional data to be collected, while the reconfiguration instructions 216 sent by the network device controller 230 may be more specific instructions for multiple network devices 240”), the forensic data request instructing the endpoint device to send the forensic data to another component in the information technology or security environment (see [0031] and Fig. 2: “The reconfigured network devices 240 send, to the analytics device 220, the additional data 218 captured as a result of their reconfiguration”).

Regarding claim 15, Baum further teaches wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes executing a query identifying a relationship between the event derived from the forensic data and the event derived from the non-forensic data (see [0059]: “In one implementation, link analysis 405 takes place by creating a co-occurrence table with an entry for pairs of event types or event data values that occur within a predetermined window of each other. In one aspect, windows are bounded by a window threshold taking the form of time (e.g. 10 minutes), event types (e.g. 50 unique event types), or event instances (e.g. 1000 events). The value of the co-occurrence table entry is the distance between the pair (time, event types, or event instances). Pairs that co-occur often enough, and meet a distance standard deviation threshold are deemed relevant and reliable links. For example, assume that an event 250 of type A occurred 50 times, an event of type B occurred 40 times, an event of type A was followed by an event of type B 20% of the time, and the standard deviation of their distance was less than 5.0 (a predetermined threshold), then a link 410 is created between events 250 of type A and type B (represented as A->B)”),
wherein executing the query includes searching for event data in the field-searchable data store (see title: “UNIFORM STORAGE AND SEARCH OF EVENTS DERIVED FROM MACHINE DATA FROM DIFFERENT SOURCES”. And see claim 10: “wherein performing a search on the plurality of events comprises identifying an event in the plurality of events that includes machine data that includes a particular extracted entity”. And see [0040]: “Following aggregation 325 and before event segmentation 345, various extraction methods 335 can be applied to identify semantic entities 340 within the data. In one implementation, search trees or regular expressions can be applied to extract and validate, for example, IP addresses or email addresses”. The Examiner interprets extracted entities of an event, such as “IP addresses or email addresses” as values of a field. Because Baum teaches searching for “an event in the plurality of events that includes machine data that includes a particular extracted entity” (a particular field value) in a data store, Baum teaches “searching for event data in the field-searchable data store”).

Regarding claim 31, Demopoulos further teaches wherein executing the search query includes searching for event data in a field-searchable data store (see [0161]: “If the event data message was generated by the virus detection module, then a virus attack detection operation 1018 is performed. The virus attack detection operation 1018 searches the event database event records indicating infected e-mails were previously received from the same source as the event data received in receive operation 1002. In an embodiment, a virus attack is presumed if a predetermined number of e-mails from the same source failed the virus detection module within a predetermined period of time. The number of e-mails and period used may be predetermined by the administrator of the computing system 300. In an embodiment, a virus attack is presumed if three or more virus-containing e-mails are received from the same source within a one-minute period. The SSI 312 makes the attack determination by searching the event database for records indicating receipt of the predetermined number of virus-containing e-mails within the period”).

Claims 4, 20 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Arnell (US 2018/0337943), further in view of Demopoulos (US 2005/0193429), further in view of Baum (US 2015/0142842), and further in view of Chandramouli (US 2012/0254333).

Regarding claims 4, 20 and 27, Arnell modified in view of Demopoulos and Baum fails to teach wherein the forensic data includes file information related to an endpoint device, and wherein the non-forensic data includes email server data, and wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes identifying events indicating a phishing attack against the endpoint device.
In the same field of endeavor, Chandramouli teaches wherein the forensic data includes file information related to an endpoint device, and wherein the non-forensic data includes email server data, and wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes identifying events indicating a phishing attack against the endpoint device (see abstract: “A method and apparatus for automatically identifying harmful electronic messages, such as those presented in emails, on Craigslist or on Twitter, Facebook and other social media websites, features methodology for discriminating unwanted garbage communications (spam) and unwanted deceptive messages (scam) from wanted, truthful communications based upon patterns discernable from samples of each type of electronic communication”. And see [0118]: “The most often reported email scams include phishing emails”. And see [0534]: “The user interface is the set of screen(s) presented to an end user analyzing text documents for deceptiveness. The dashboard may be used by a forensic analyst to obtain fine details such as the psycho-linguistic cues that triggered the deception detector, statistical significance of the cues, decision confidence intervals, IP geolocation of the origin of the text document (e.g., URL), spatiotemporal patterns of deceptive source, deception trends, etc. These interfaces also allow the end user and the forensic analyst to customize a number of outputs, graphs, etc. The following screens can be used for the user interface and the dashboard, respectively”. And see [0535]: “Opening screen: User chooses the text source domain : mail server, web browser, file folders, crawling (URLs, Tweets, etc.)”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Arnell modified in view of Demopoulos and Baum by letting the forensic data include file information related to an endpoint device, letting the non-forensic data include email server data, and letting correlating the event derived from the forensic data with the event derived from the non-forensic data include identifying events indicating a phishing attack against the endpoint device, as taught by Chandramouli. It would have been obvious because doing so achieves the commonly understood benefit of detecting a phishing attack.

Claims 5, 21 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Arnell (US 2018/0337943), further in view of Demopoulos (US 2005/0193429), further in view of Baum (US 2015/0142842), and further in view of Adams (US 9,729,572).

Regarding claims 5, 21 and 28, Arnell modified in view of Demopoulos and Baum fails to teach wherein the forensic data includes registry information related to the endpoint device, and wherein the non-forensic data includes a malware alert from a security application, and wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes identifying events indicating a malware attack against the endpoint device.
However, Adams teaches wherein the forensic data includes registry information related to the endpoint device, and wherein the non-forensic data includes a malware alert from a security application, and wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes identifying events indicating a malware attack against the endpoint device (see col. 8, lines 35-44 and Fig. 2: “In some implementations, security device 220 may determine information regarding client device 210 when determining information associated with the malicious file. For example, security device 220 may determine information regarding a registry of client device 210, a state of a peripheral associated with client device 210 (e.g., a state of a network adapter, a state of an external data structure, etc.), or the like that may be utilized to select a remediation action (e.g., from a set of remediation actions performable by security device 220) for remediating the malicious file”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Arnell modified in view of Demopoulos and Baum by letting the forensic data include registry information related to the endpoint device, letting the non-forensic data include a malware alert from a security application, and letting the correlating the event derived from the forensic data with the event derived from the non-forensic data include identifying events indicating a malware attack against the endpoint device, as taught by Adams. It would have been obvious because doing so achieves the commonly understood benefit of detecting a malware attack.

Claims 6, 7, 22, 23, 29 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Arnell (US 2018/0337943), further in view of Demopoulos (US 2005/0193429), further in view of Baum (US 2015/0142842), and further in view of Seigel (US 2017/0063884).

Regarding claims 6, 22 and 29, Arnell modified in view of Demopoulos and Baum fails to teach wherein the forensic data includes login history information related to the endpoint device, and wherein the non-forensic data includes information from a user identity management system, and wherein the correlating the event derived from the forensic data with the event derived from the non-forensic data includes identifying events indicating a brute-force login attack against the endpoint device.
In the same field of endeavor, Seigel teaches wherein the forensic data includes login history information related to the endpoint device, and wherein the non-forensic data includes information from a user identity management system, and wherein the correlating the event derived from the forensic data with the event derived from the non-forensic data includes identifying events indicating a brute-force login attack against the endpoint device (see [0027]: “For example, the agent 108(M) may generate the event log 114(Q) in response to determining that more than a threshold number of attempts were made to access the database 102(M) using incorrect credentials. … The agent 110(N) may generate the event log 114(Q) in response to determining that more than a threshold number of attempts were made to login to one (or more) of the user devices 104(1) to 104(N) within a predetermined period of time using incorrect credentials”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Arnell modified in view of Demopoulos and Baum by letting the forensic data include login history information related to an endpoint device, letting the non-forensic data include information from a user identity management system, and letting correlating the event derived from the forensic data with the event derived from the non-forensic data include identifying events indicating a brute-force login attack against the endpoint device, as taught by Seigel. It would have been obvious because doing so achieves the commonly understood benefit of detecting a brute-force login attack.

Regarding claims 7, 23 and 30, Arnell modified in view of Demopoulos and Baum fails to teach causing display, on a graphical user interface, of indications of the event derived from the forensic data and the event derived from the non-forensic data.
In the same field of endeavor, Seigel teaches causing display, on a graphical user interface, of indications of the event derived from the forensic data and the event derived from the non-forensic data (see [0045], [0046] and Fig. 3: “FIG. 3 is a block diagram illustrating a graphical user interface (GUI) 300 that includes a file created event according to some embodiments”. The Examiner further interprets the file created event 324 in Fig. 3 as “the event derived from the forensic data” because claim 2 of the instant application defines that the forensic data related to activity of the endpoint device includes file system information. And see [0049]: “The user then successfully logs on to the second network element 210 (e.g., one of the databases 102 or the servers 106) using the first credentials 204, causing an agent to generate an event log for the logon event 318. The user accesses a directory on the second network element 210, causing an agent to generate an event log for a directory accessed event 322. The user creates a file on the first network element 208, causing an agent to generate an event log for a file created event 324”. The Examiner further interprets the directory access event 322 in Fig. 3 as “the event derived from the non-forensic data” because the Examiner considers the directory access event 226 derived from log data and claim 3 of the instant application defines that the non-forensic data includes log data).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Arnell modified in view of Demopoulos and Baum by adding the step of causing display, on a graphical user interface, of indications of the event derived from the forensic data and the event derived from the non-forensic data taught by Seigel. It would have been obvious because Seigel explicitly teaches that “by displaying a context within which to interpret the event logs, a system administrator may see a more complete picture of the events” (see [0041], last sentence).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Arnell (US 2018/0337943), further in view of Demopoulos (US 2005/0193429), and further in view of Baum (US 2015/0142842), and further in view of Chervets (US 2007/0124437).

Regarding claim 14, Arnell modified in view of Demopoulos and Baum fails to teach periodically executing a query used to correlate events derived from the forensic data with events derived from the non-forensic data.
In the same field of endeavor, Chervets teaches periodically executing a query (see [0014], last sentence: “the log server 28 makes data available through the interface 30 to the other modules/components 32 which may periodically poll the log server 28”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Arnell modified in view of Demopoulos and Baum by letting the executed query used to correlate events derived from the forensic data with events derived from the non-forensic data be executed periodically, as taught by Chervets. It would have been obvious because doing so achieves the commonly understood benefit of obtaining information at regular time intervals.

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Arnell (US 2018/0337943), further in view of Demopoulos (US 2005/0193429), and further in view of Baum (US 2015/0142842), and further in view of Seward (US 2015/0180891).

Regarding claim 16, Baum further teaches wherein correlating the event derived from the forensic data with the event derived from the non-forensic data includes executing a query identifying a relationship between the event derived from the forensic data and the event derived from the non-forensic data (see [0059]: “In one implementation, link analysis 405 takes place by creating a co-occurrence table with an entry for pairs of event types or event data values that occur within a predetermined window of each other. In one aspect, windows are bounded by a window threshold taking the form of time (e.g. 10 minutes), event types (e.g. 50 unique event types), or event instances (e.g. 1000 events). The value of the co-occurrence table entry is the distance between the pair (time, event types, or event instances). Pairs that co-occur often enough, and meet a distance standard deviation threshold are deemed relevant and reliable links. For example, assume that an event 250 of type A occurred 50 times, an event of type B occurred 40 times, an event of type A was followed by an event of type B 20% of the time, and the standard deviation of their distance was less than 5.0 (a predetermined threshold), then a link 410 is created between events 250 of type A and type B (represented as A->B)”),
wherein executing the query includes searching for event data in the field-searchable data store (see title: “UNIFORM STORAGE AND SEARCH OF EVENTS DERIVED FROM MACHINE DATA FROM DIFFERENT SOURCES”. And see claim 10: “wherein performing a search on the plurality of events comprises identifying an event in the plurality of events that includes machine data that includes a particular extracted entity”. And see [0040]: “Following aggregation 325 and before event segmentation 345, various extraction methods 335 can be applied to identify semantic entities 340 within the data. In one implementation, search trees or regular expressions can be applied to extract and validate, for example, IP addresses or email addresses”. The Examiner interprets extracted entities of an event, such as “IP addresses or email addresses” as values of a field. Because Baum teaches searching for “an event in the plurality of events that includes machine data that includes a particular extracted entity” (a particular field value) in a data store, Baum teaches “searching for event data in the field-searchable data store”).
Arnell modified in view of Demopoulos and Baum fails to teach wherein executing the query includes searching for event data in the field-searchable data store using a late-binding schema.
In the same field of endeavor, Seward teaches wherein executing the query includes searching for event data in the field-searchable data store using a late-binding schema (see [0069]: “in a system using a late-binding schema, the schema can be developed on an ongoing basis up until the time it needs to be applied, e.g., at query or search time. In a query system using a late-binding schema, the query may specify, for example, a search for events that have certain criteria defined by the schema for specified fields and the events including such fields”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Arnell modified in view of Demopoulos and Baum by letting the searching for event data in the field-searchable data store use a late-binding schema, as taught by Seward. It would have been obvious because doing so achieves the commonly understood benefit of keeping the query flexible.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZHIMEI ZHU/Examiner, Art Unit 2495