DETAILED ACTION
This action is in response the communications filed on 09/14/2022 in which no claims are amended and therefore claims 1-20 are pending.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 1, 2, 3, 8, 11, 12 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ghare (US 10129118 B1) in view of Leverich (US 10146609 B1).

In regard to claims 1, 11 and 17, Ghare teaches: A system comprising:a user device coupled to a communications network; (Ghare, col. 17 line 52 "computer system 1000 may be configured to implement storage and/or compute nodes of...  a client [a user]… Computer system 1000 may be any of various types of devices, including, but not limited to, a personal computer system, desktop computer, laptop..."; col. 6 line 3 "FIG. 2 is a logical block diagram illustrating a provider network that implements a stream management service... Clients 210 may access these various services offered by provider network 200 via network 260 [a communications network].")

an artificial intelligence engine in communication with the user device, the artificial intelligence engine comprising: (Ghare, "FIG. 1A is a logical block diagram that illustrates real time anomaly detection for data streams, according to at least some embodiments. Stream management system 110 [an AI engine] may provide a management platform for different streams... Streaming anomaly detection 120 may be implemented by stream management system 110 in order to detect, identify, and respond to anomalies found in streams of data records 102, utilizing streaming anomaly modeling 130."; col. 4 line 27 "Machine learning [artificial intelligence] and other dynamic modeling techniques may be employed to update (or generate) an anomaly detection model that would be particular to the period of time in which the data record indicating the high power utilization is detected..."; "Clients 210 may access these various services offered by provider network 200 via network 260")(Fig. 2, stream management system / service in communication with clients via network. SMS using machine learning techniques in the anomaly detection, i.e. an AI engine.)

a processor; a non-transitory computer readable medium comprising instructions executable by the processor to: (Ghare, col. 17 line 33 "the methods may be implemented by a computer system (e.g., a computer system as in FIG. 9) that includes one or more processors executing program instructions stored on a computer-readable storage medium...")

perform an action responsive to a trigger, based at least in part on one or more data inputs… (Ghare, col. 5 line 39 "Anomaly detection 120 may provide indications of anomalies 122 which may trigger the performance of various responsive actions by stream management system 110"; col. 14 line 23 "FIG. 7 is a high-level flowchart illustrating various methods and techniques to monitor a data stream for anomalies in real time... at 710, a data record of a stream of data records [data inputs] may be received... If however, an anomaly is detected [a trigger], then a responsive action for the anomaly may be performed, as indicated at 740.")(A trigger is anomaly detection, which is based on streaming data.)

… provide a learning application programming interface configured to allow one or more functions of the artificial intelligence engine to be accessed by the user device; (Ghare, col. 17 line 33 "A stream management system may provide programmatic interfaces (e.g., application programming interfaces (APIs), web pages or web sites, graphical user interfaces, or command-line tools) to enable the creation, configuration and deletion of streams. The programmatic interfaces may also enable the submission, storage, analysis, transformation and/or retrieval of streaming data records [e.g. functions of the AI engine] in some embodiments."; col. 12 line 57 "clients of SMS 220 can configure the performance of real time anomaly monitoring [e.g. functions of the AI engine] on data streams via an interface. FIG. 5 is an example of a graphical user interface for configuring the performance of real time anomaly detection for data streams...")(Clients can configure functions of stream management system [configuring functions of the artificial intelligence engine]) (Based on spec. [0078], functions of AI engine can be configuring actions related to the trigger, rules, user inputs, data inputs ...)

allow, via the learning application programming interface, the one or more data inputs to be defined; (Ghare, col. 12 line 62 "Monitoring interface 500 may implement a data stream selection element 510 [data inputs], which may provide various user interface elements, 512 a, 512 b, and 512 c, to present those data streams for which anomaly monitoring may be enabled and/or configured.")(Clients can select [define] which data stream [data inputs] to use.)

allow, via the learning application programming interface, the action responsive to the trigger to be defined. (Ghare, col. 13 line 27 "Monitoring interface 500 may implement responsive action selection element 530 [the action responsive to the trigger]. A drop down menu, such as selection action(s) menu 532 or various other user interface elements may be implemented which allows a user to specify one or more responsive actions to be performed when an anomaly is detected.")(Clients can select [define] the action responsive to the anomaly detection [the action responsive to the trigger].)

Ghare does not teach, but Leverich teaches: …wherein the trigger includes one or more user inputs; (Leverich [0032], "In the SPLUNK® ENTERPRISE system, a field extractor may be configured to automatically generate extraction rules for certain field values in the events [the trigger, i.e. trigger events] when the events are being created, indexed, or stored, or possibly at a later time. Alternatively, a user may manually define [user inputs] extraction rules for fields using a variety of techniques... Hence, as a user learns more about the data in the events, the user can continue to refine the late-binding schema by adding new fields, deleting fields, or modifying the field extraction rules for use the next time the schema is used by the system. [user inputs (defining extraction rules) are used as part of the trigger/event]"; also see [0025] - [0033] “an extraction rule comprises a regular expression where a sequence of characters form a search pattern, in which case the rule is referred to as a ‘regex rule.’”, [0098]-[0100], [0103]-[0104] [0099]; user can provide input such as field values or regular expressions for rules to identify the trigger events. Those user inputs are used as a part to identify the trigger events, i.e. this teaches [user inputs (included/used) in the trigger].)
allow, via the learning application programming interface, the one or more user inputs of the trigger to be defined (Leverich [0120],"alert setting control 608 can be, for example, a selectable button, checkbox, etc., or any other such selectable element or interface item that, upon selection (e.g., by a user) enables a user to select or define whether or not various alerts, notifications, etc. (e.g., email alerts, notable events, etc.), are to be generated and/or provided, e.g., upon identification of various anomalies."; i.e. Clients can select [define] which trigger events via alert control 608 [API].) as a separate action from inclusion of the one or more user inputs in the trigger; (under BRI, user inputs are interpreted as any input provided by a user, and in light of spec. Fig. 3, a trigger is interpreted as any trigger event. Therefore, citation from [0032] user can provide inputs such as field values or regular expressions for rules to identify the trigger events. In other words, those user inputs are used as a part to identify the trigger events by using those rules, i.e. this teaches user inputs (included/used) in the trigger. Paragraph [0120] teaches the user inputs of the trigger can be defined via API, and they are separate actions.)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Ghare to incorporate the teachings of Leverich by including the anomaly detector search command. Doing so would allow each anomaly detection definition to be run based on its particular definition parameters. (Leverich, col. 28 line 32 "the anomaly detector search command 910 may also include search strings that instruct each anomaly detection definition... to run based on its particular definition parameters, providing an anomaly result (based on the required anomaly detection procedure and parameters)")

In regard to claims 2 and 12, reference is made to the rejection of claim 1, and further, Ghare teaches: wherein the instructions are further executable by the processor to:
allow, via the learning application programming interface, the one or more user inputs of the trigger, or the one or more data inputs, to be defined by the user device. (Ghare, col. 12 line 57 "clients of SMS 220 can configure the performance of real time anomaly monitoring on data streams via an interface. FIG. 5 is an example of a graphical user interface for configuring the performance of real time anomaly detection for data streams..."; col. 12 line 62 "Monitoring interface 500 may implement a data stream selection element 510 [data inputs])

In regard to claim 3, reference is made to the rejection of claim 1, and further, Ghare does not teach, but Leverich teaches: wherein the one or more user inputs include at least one of a query, command, or trigger event. (Leverich [0032], "In the SPLUNK® ENTERPRISE system, a field extractor may be configured to automatically generate extraction rules for certain field values in the events [the trigger, i.e. trigger events] when the events are being created, indexed, or stored, or possibly at a later time. Alternatively, a user may manually define extraction rules for fields using a variety of techniques..."; [0099] "During operation, SPLUNKO IT SERVICE INTELLIGENCE™ can recognize so-called 'notable events' that may indicate a service performance problem or other situation of interest. These notable events can be recognized by a 'correlation search' specifying trigger criteria for a notable event: every time KPI values satisfy the criteria, the application indicates a notable event. A severity level for the notable event may also be specified..."; also see [0025] - [0033], [0098]-[0100], [0103]-[0104])

The rationale for combining the teachings of Ghare and Leverich is the same as set forth in the rejection of claim 1.

In regard to claim 8, reference is made to the rejection of claim 1, and further, Ghare does not teach, but Leverich teaches: further comprising a database in communication with the artificial intelligence engine, wherein the instructions are further executable by the processor to:
receive, via the learning application programming interface, (Leverich, col. 29 line 63 "the API 1002 may provide an interface for a user to make requests to the configuration wrapper 1004... in order to quickly and easily identify, access, create, delete and modify information regarding anomaly detection definitions.") a definition of at least one of the one or more data inputs, (Leverich, col. 28 line 29 "Anomaly detection may be run for a particular anomaly detection definition in a variety of manners. In an embodiment, the anomaly detector search command 910 may also include search strings that instruct each anomaly detection definition (e.g., trending anomaly detection definitions 9141-914x and cohesive anomaly detection definitions 9161-916y) to run based on its particular definition parameters... the anomaly detection configuration for each anomaly detection definition or in an ad-hoc manner defined by user commands.")(User can define the data inputs 9141-914x or 9161-916y, which are signals from data streams 904 or 908.)

wherein the definition includes at least one data stream of the database; and (Leverich, col. 25 line 47 "As is depicted in FIG. 9, in an embodiment, inputs for anomaly detection may include a plurality of data streams 904 provided by a plurality of data sources 9021-902N [data stream of the database].")(User can define the data inputs 9141-914x or 9161-916y, which are signals from data streams 904 or 908.)

obtain, via the database, the at least one of the one or more data inputs from the at least one data stream of the database. (Leverich, col. 25 line 49 "Each data source [database] may provide numerous data streams 904 (e.g., tens, hundreds, or thousands) representing different aspects of data that is provided by the data source to a data intake and query system.")(A data intake and query system obtains data stream from data sources.)

The rationale for combining the teachings of Ghare and Leverich is the same as set forth in the rejection of claim 1.

Claims 4, 5, 13 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ghare in view of Leverich in view of Bhuyan ("Network Anomaly Detection: Methods, Systems and Tools") in view of Johnson (US 20150089297 A1) in further view of Qureshi (US 8170975 B1).

In regard to claims 4, 13 and 18, reference is made to the rejection of claim 1, and further, Ghare and Leverich do not teach, but Bhuyan teaches: wherein the instructions are further executable by the processor to:
determine whether a decision to perform the action responsive to the trigger is a false positive; (Bhuyan, p. 314 "ADAM uses a classifier which has been trained to classify suspicious connections as either a known type of attack or an unknown type or a false alarm."; p. 321 "Each Snort rule has associated documentation with the potential for false positives and negatives, together with corrective actions to be taken when the rule raises an alert… Users can contribute rules when they observe new types of anomalous or malicious traffic.")(a classifier in ADAM  or Snort rule can be used to determine whether an alert to the anomalous detection is a false alarm.)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Ghare and Leverich to incorporate the teachings of Bhuyan by including Bayesian networks or classification-based IDS. Doing so would allow the system to detect anomalies in a multi-class setting or to classify suspicious connections into different types. (Bhuyan, p. 312 "Bayesian networks [90] are capable of detecting anomalies in a multi-class setting…"; p. 314 "An example of classification-based IDS is Automated Data Analysis and Mining (ADAM)... ADAM uses a classifier which has been trained to classify suspicious connections...")

Ghare, Leverich and Bhuyan do not teach, but Johnson teaches: generate a snapshot of inputs responsive to a determination of the false positive, (Johnson, [0047] "A decision is made as to whether the input received is a false positive input (decision 525) [determination of the false positive]. If the input is a false positive input, then decision 525 branches to the 'yes' branch to process the false positive input... In addition, at step 545, the process adds the different element from raw data associated with the stored usage pattern as relevant for usage pattern")(After the decision at step 525, the false positive input [a snapshot of inputs] are generated/recorded at step 545.)
the snapshot including at least one of the one or more user inputs, one or more data inputs, or the action performed responsive to the trigger; (Johnson,  [0003] "... A typical error report includes a full stack trace and details about the context of the exception (e.g. values of all the local variables)... including log files and screenshots."; [0044] "At step 430, data is collected from user's system with the data collected including such elements such as other running applications, the process (e.g. API) in which the error was detected, the user's system environment [e.g. user inputs]... installation parameters used [e.g. data inputs] when the software was installed, etc.")(Error related input data can be log files or screenshots, which are collected from user's system, including user inputs or data inputs.)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Ghare, Leverich and Bhuyan to incorporate the teachings of Johnson by including error reports and usage pattern. Doing so would allow a set of problematic usage patterns to be generated, and increase / adjust a confidence factor associated with usage patterns. (Johnson, abstract "Error reports are received from installed software systems in the user community. From these reports, a set of problematic usage patterns are generated, with each of the usage patterns having a confidence factor that is increased based on the number of problem reports that match the usage pattern.")

Ghare, Leverich, Bhuyan and Johnson do not to teach, but Qureshi teaches: providing, via the learning application programming interface, the snapshot to the user device. (Qureshi, col. 75 line 65 "the GUI 29 provides information to one or more human administrators of the meta-application 20. Such information can comprise, without limitation, a snapshot or… detected features, detected problems, predicted future problems...")
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Ghare, Leverich, Bhuyan and Johnson to incorporate the teachings of Qureshi by including a snapshot or overview of detected features, detected problems, predicted future problems. Doing so would allow the administrator to take some corrective action before the problem manifests itself. (Qureshi, col. 75 line 67 "Such information can comprise, without limitation, a snapshot or overview of... detected features, detected problems, predicted future problems (so that the administrator can take some corrective action before the problem manifests itself)...")

In regard to claim 5, reference is made to the rejection of claim 4, and further, Ghare and Leverich do not teach, but Johnson teaches: wherein the instructions are further executable by the processor to:
flag the decision responsive to a determination of the false positive; (Johnson, [0047] "A decision is made as to whether the input received is a false positive input (decision 525). If the input is a false positive input, then decision 525 branches to the 'yes' branch  [flag the decision] to process the false positive input.")
store the flagged decision in a false positive register, wherein storing the flagged decision includes the snapshot of inputs; (Johnson, [0047] "For example, the usage pattern may have been using library version 'A.1' where the test environment that detected the false positive is using library version 'A.2' [a false positive register]... at step 545, the process records the different element from false positive input as a possible resolution tactic (e.g. use library 'A.2'... In addition, at step 545, the process adds the different element from raw data associated with the stored usage pattern as relevant for usage pattern (e.g. library 'A.1').... The possible usage pattern resolutions are stored in data store 550."; [0003] "... A typical error report includes a full stack trace and details about the context of the exception (e.g. values of all the local variables)... including log files and screenshots.")(If differences are noted between the false positive input and the usage pattern, the element from the false positive input are stored in the libraries or data stores 350 and 550. Error related input data can be log files or screenshots.)

The rationale for combining the teachings of Ghare, Leverich, Bhuyan and Johnson is the same as set forth in the rejection of claim 4.

Ghare, Leverich, Bhuyan and Johnson do not to teach, but Qureshi teaches: prevent the flagged decision to perform the action responsive to the trigger from being repeated via removal of the trigger. (Qureshi, col. 27 line 27 "Each feature preferably has an associated lifetime that the meta-application 20 uses to determine when it is appropriate to remove the feature from the feature list. Removal allows the meta-application 20 to prevent false positives and to clean out features that have not affected application performance or stability.")

The rationale for combining the teachings of Ghare, Leverich, Bhuyan, Johnson and Qureshi is the same as set forth in the rejection of claim 4.

Claims 6, 14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ghare in view of Leverich in view of Bhuyan in view of Johnson in view of Qureshi in further view of Tsironis (US 20180316705 A1).

In regard to claims 6, 14 and 19, reference is made to the rejection of claim 4, and further, Ghare, Leverich, Bhuyan, Johnson and Qureshi do not teach, but Tsironis teaches: wherein the artificial intelligence engine further comprises a validation engine, wherein the instructions are further executable by the processor to: (Tsironis, [0002] "network security tools [a validation engine], and more particularly, to intelligence generation by enabling users to customize anomaly action rules or threat rules for use in identifying security threats to a computer network."

receive, via the learning application programming interface, one or more rules for performing the action responsive to the trigger, (Tsironis, [0085] "When deployed, embodiments of the disclosed network security platform  provides a UI [interface] that facilitates creating, modifying, or deleting rules [rules for anomaly action / trigger] by users."; [0183] "FIG. 14 is an illustrative view of a first screen 1400 for a UI user to select an entity for a new custom threat rule.") wherein the one or more rules define at least one threshold for at least one of the one or more data inputs; (Tsironis, "FIG. 15 is an illustrative view of a second screen 1500 used by the UI user to set filters for the new custom threat rule… The UI user can then set criteria for the Anomalies Count, including selecting a threshold 1504 equal to greater, less, equal, or combinations thereof and inputting a value in a value field 1506.")

determine, via the validation engine, the existence of the false positive based, at least in part, on the one or more rules. (Tsironis, [0085] "By enabling customization of complex rules in an easy-to-use manner, the disclosed security techniques can avoid threats that are defined too broadly and reduce the risk of false positives…")(False positives in the results are reduced / determined based on the customized rules from users.)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Ghare, Leverich, Bhuyan and Johnson and Qureshi to incorporate the teachings of Tsironis by including rules for their particular needs. Doing so would ensure reliable identification of potential or actual threats. (Tsironis, [0085] "Accordingly, users of different enterprise networks can readily customize rules for their particular needs. This ensures reliable identification of potential or actual threats.")

Claims 7, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ghare in view of Leverich in further view of Moghe (US 20080307493 A1).

In regard to claims 7, 15 and 20, reference is made to the rejection of claim 1, and further, Ghare and Leverich do not teach, but Moghe teaches: wherein the artificial intelligence engine further comprises a context engine, wherein the instructions are further executable by the processor to: (Moghe, abstract "This disclosure provides a policy specification framework [a context engine] to enable an enterprise to specify a given insider attack...")
determine, via the context engine, a context for the trigger, based at least in part on one or more factors, wherein the factors include at least one of a geographic location, user information, a type of the user device, service, or application associated with the trigger; (Moghe, [0044] "Data access is monitored and characterized by properties called 'Dimensions'. IIPL provides seven basic dimensions [factors], namely LOCATION [a geographic location], TIME, CONTENT, OPERATION, SIZE, RESPONSE, and USER  [user information].)

allow, via the learning application programming interface, at least one of the one or more factors to be defined; (Moghe, [0038] "Thus, the GUI [interface] in FIG. 3 implements the policy specification language to enable an administrator (or other authorized person or entity) to create a policy filter... The policy language allows signatures of specific accesses to be defined via multiple dimensions such as Content, User, Operation, Location, Time, and Size."; [0037] "Thus, for example, the administrator can specify a given dimension using the pull-down menu 326 and a given sub-dimension using the pull-down menu 328")(User can specify the dimension / the factors)

determine, via the context engine, the action responsive to the trigger based, at least in part, on the context. (Moghe, [0042] "Using these policies, the management layer can monitor given information assets in those data sources and generate audits on select events and/or alerts with respect to given anomalous behavior.")(Alerts are generated using policies, which includes user selections of dimensions, which includes context information.)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Ghare and Leverich to incorporate the teachings of Moghe by including the policy specification. Doing so would provide the use of 'anomaly' and 'signature' attributes to capture characteristics of illegitimate data access. (Moghe, abstract "The policy specification provides for the use of 'anomaly' and 'signature' attributes that capture sophisticated behavioral characteristics of illegitimate data access. When the attack occurs, a previously-defined administrator (or system-defined) mitigation response (e.g., verification, disconnect, de-provision, or the like) is then implemented.")

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Ghare in view of Leverich in further view of Muddu (US 20180367551 A1).

In regard to claim 9, reference is made to the rejection of claim 1, and further, Ghare and Leverich do not teach, but Muddu teaches: further comprising a managed object in communication with the artificial intelligence engine, wherein the instructions are further executable by the processor to:
receive, via the learning application programming interface, a definition of at least one of the one or more data inputs, (Muddu, [0206] "However, using the format detector 804 to determine what data format the input data may be at run time may be a time- and resource-consuming process. At least in the cybersecurity space, it is typical that the formats of the machine data [definition for data inputs] are known in advance (e.g., an administrator would know what kind of firewall is deployed in the environment)... the security platform can prompt (e.g., through a user interface [interface]) the administrator to specify the data format...")(An administrator can define / specify the data formats [data inputs])

wherein the definition includes at least one data stream of the managed object; (Muddu, [0147] "... The real-time processing path is configured to continuously monitor and analyze the incoming event data (e.g., in the form of an unbounded data stream) to uncover anomalies and threats."; [0206] "the security platform can prompt (e.g., through a user interface) the administrator to specify the data format or the type of machine(s) the environment [the managed object] includes... the parsers 806 in the data intake and preparation stage for such machines."; [0207] "the administrator can create a new configuration file (e.g., a configuration 'snippet') to customize the data intake and preparation stage for the environment"; [0208] "through the configuration file (e.g., snippet), the administrator can also identify, for example, field mappings, decorators, parameters for identity resolution (IR), and/or other parameters of the data intake and preparation stage")(An administrator can define / specify the type of machine environment or the data intake and preparation engine [managed object], taking event data or machine data as input. Machine data can be an unbounded data stream.)(In Muddu, event data = machine data, the data intake and preparation stage = the data intake and preparation engine)

obtain, via the managed object, the at least one of the one or more data inputs from the data stream of the managed object, (Muddn, [0194] "The data output from the data intake and preparation stage 800 can also be referred to herein as 'decorated events' or 'event feature sets.' A decorated event includes the raw machine data associated with an event, plus any decoration, enrichment, information, or any other suitable intelligence that is generated based upon or extracted from the event during the data intake and preparation stage.")(Obtaining data inputs from the data intake and preparation engine.)

 wherein the data stream includes at least one of product or service attributes, usage and performance metrics, state and fault information, or metadata. (Muddu, [0188] "FIGS. 7A and 7B collectively show a table 700 listing example types of machine data that can be generated in different environments and the meaning of these data... In general, machine data can include performance data [performance metrics], diagnostic information and/or any of various other types of data indicative of performance or operation of equipment (e.g., an action such as upload, delete, or log-in) [usage] in a computing system. Such data can be analyzed to diagnose equipment performance problems, monitor user actions and interactions [state information], and to derive other insights like user behavior baseline, anomalies and threats [fault information].")

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Ghare and Leverich to incorporate the teachings of Muddu by including customize the data intake and preparation stage for the environment. Doing so would allow the system to perform without the need of data format detection. (Muddu, [0206] "Therefore, as long as the data source and the data format are specified, the data intake and preparation stage can map the data according to known data formats of a particular event source, without the need of performing data format detection.")

Claims 10 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Ghare in view of Leverich in further view of Sivasubramanian (US 10452675 B1).

In regard to claims 10 and 16, reference is made to the rejection of claim 1, and further, Ghare and Leverich do not teach, but Sivasubramanian teaches: wherein the instructions are further executable by the processor to: authenticate, via the learning application programming interface, a user accessing the artificial intelligence engine; (Sivasubramanian, col. 4 line 13 "The interface layer can include application programming interfaces (APIs) or other exposed interfaces enabling a user to submit requests to the provider environment… A resource manager 210 receiving the request can perform tasks such as to authenticate an identity of the user submitting the request")

authorize, via the learning application programming interface, a subset of the one or more user inputs of the trigger, the one or more data inputs, or the action responsive to the trigger to be defined by the user device, based at least in part on the user. (Sivasubramanian, col. 2 line 8 "a data discovery service can provide an automated method of identifying and indexing data sources associated with a user's account...."; see Fig. 5, col. 8 line 5 "Access information can be determined 504 for each data source associated with the account... A list of data sources can be generated 506 which includes the data sources associated with the account and each data source's corresponding access information."; col. 5 line 20 "The interface layer can be responsible for Web service front end features such as authenticating customers based on credentials, authorizing the customer, throttling customer requests to the API servers...")(Respective users can access respective data sources. Authorize the data sources to be accessed based on the user's account.)(Sivasubramanian, col. 8 line 23 "an index policy can be determined 508 for each data source... A user-specified index policy can be received through a policy customization interface and may include a selection of types of data, data fields, data formats, or other data features to be indexed.")(User can specify / define data inputs.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Ghare and Leverich to incorporate the teachings of Sivasubramanian by including a data discovery service. Doing so would provide an automated method of identifying and indexing data sources associated with a user's account. (Sivasubramanian, col. 2 line 8 "a data discovery service can provide an automated method of identifying and indexing data sources associated with a user's account without requiring additional configuration by the user. This enables search services to be provided across various different types of data sources a user may utilize.")

Response to Arguments
Applicant's arguments with respect to the rejection under 35 U.S.C. 103 have been fully considered but they are not persuasive:
Applicant argues: (see p. 3 middle, claim 1): “…  (1) but there is not disclosure or suggestion that user inputs are a trigger or extraction rules for such events… Office Action… alleges that Leverich’s disclosure of a user manually defining extraction rules is the same as user input. However, if the user defining rules is the user input, then (2) the definition of rules in Leverich would have to be the trigger to suggest the claimed invention, but there is no disclosure or suggestion of such a trigger in Leverich… (3) Leverich explicitly discloses user input several times, but none of the user inputs have any relation to being a trigger…”
Examiner answers: (1) Leverich teaches in [0032] (“a user may manually define extraction rules… Hence, as a user learns more about the data in the events, the user can continue to refine the late-binding schema by adding new fields, deleting fields, or modifying the field extraction rules for use the next time the schema is used by the system.”) A user manually defining and further modifying the extraction rules for fields values in the events is the user input to the events [the trigger]. (2) The Office action has indicated that the event corresponds to the trigger in the claim, in light of Fig. 3 (e.g. 340b trigger event) in the specification and drawing. Because a trigger is interpreted as a trigger event, therefore Leverich teaches the trigger as ‘an event.’ (3) The examiner does not cite ‘user input’ from Leverich to teach ‘user inputs’ in the claim, instead paragraph [0032] is cited. Further under BRI, user inputs are interpreted as any input provided by a user, and in light of spec. Fig. 3, a trigger is interpreted as any trigger event. Therefore, citation from [0032] user can provide inputs such as field values or regular expressions for rules to identify the trigger events. In other words, those user inputs are used as a part to identify the trigger events by using those rules, i.e. this teaches user inputs (included/used) in the trigger. Paragraph [0120] teaches the user inputs of the trigger can be defined via API, and they are separate actions.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SU-TING CHUANG whose telephone number is (408)918-7519.  The examiner can normally be reached on Monday - Thursday 8-5 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kakali Chaki can be reached on (571)272-3719.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/S.C./Examiner, Art Unit 2122
 
/KAKALI CHAKI/Supervisory Patent Examiner, Art Unit 2122