Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1.	Claims 1, 11 and 18 have been amended. Claims 6 and 16 have been canceled. Claims 21-22 have been newly added. Claims 1-5, 7-15 and 17-22 have been examined.

Response to Arguments
2.	Applicant’s arguments with respect to claims 1 and 11 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Interpretation
3.	For claims 1, 3, 7-11, 13 and 17-20, the phrases “one or more”, “one or more of” and “or” have been given the broadest, reasonable interpretation of only requiring a single element from the given list in order to satisfy the requirements of the limitation.

4.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

5.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claim Rejections - 35 USC § 103
6.	Claims 1-5, 7-8, 10-15, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Jamail et al. (U.S. Patent 9,910,874; hereafter “Jamail”), and further in view of Neuman et al. (U.S. Patent Application Publication 2014/0173618; hereafter “Neuman”), and further in view of Harlacher et al. (U.S. Patent Application Publication 2014/0101763; hereafter “Harlacher”).
For claim 1, Jamail teaches a system that implements a Re-Run Dropped Detections Tool, the system comprising:
a processor (note column 4, lines 1-15, CEP alerter includes processing unit); and
a memory storing executable instructions that, when executed by the processor (note column 4, lines 28-39, memory stores software instructions), cause the processor to implement:
an interactive Re-Run Dashboard (note column 3, lines 30-32; column 4, lines 1-7, user console with display communicates with CEP alerter output module) that generates re-run data and impact scope responsive to an outage (note column 7, lines 8-41, replay of event stream is requested after outage and events are retrieved from a repository, i.e. generates re-run data, and are compared against every rule in a rule repository, i.e. impact scope) and further provides real-time monitoring of re-run status and visualization of one or more metrics (note column 2, lines 21-23, Complex Event Processing alerter is configured with rules to provide real-time monitoring of event stream), wherein the interactive Re-Run Dashboard provides one or more alerts to one or more predetermined recipients (note column 3, lines 30-35 and column 7, lines 49-54, output module provides alert to user console); and
a Dispatch Engine comprising a computer processor that is programmed to process the re-run data, perform job generation and perform re-run monitor data generation over an outage window associated with the impact scope (note column 7, lines 8-14, 33-44 and 49-54, CEP alerter processes replay of event stream, calls main data store to recall and reprocess them, i.e. perform job generation, and sends alerts for events that match a rule over outage time frame),

Jamail differs from the claimed invention in that they fail to teach:
wherein the job generation comprises calculating job execution times and utilizing the job execution times to send a search job to the interactive Re-Run Dashboard

Neuman teaches:
wherein the job generation comprises calculating job execution times and utilizing the job execution times to send a [search] job to the interactive [Re-Run Dashboard] (note paragraphs [0076] and [0084], prediction engine calculates job execution times; paragraphs [0077] and [0088]-[0089], calculated job execution times are used to send the job for execution)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the event replay in response to an outage of Jamail and the job execution time calculation of Neuman to form a combination that generates event replay jobs (Jamail) where execution times of the jobs are calculated as part of sending the jobs for execution (Neuman). One of ordinary skill would have been motivated to combine Jamail and Neuman because it would provide simple method of determining execution times of jobs for resource management when dealing with big data sets (note paragraphs [0004]-[0005] of Neuman).


The combination of Jamail and Neuman differs from the claimed invention in that they fail to teach:
wherein the interactive Re-Run Dashboard communicates with the Dispatch Engine via an application program interface (API).

Harlacher teaches:
an interactive Re-Run Dashboard that generates re-run data and impact scope (note paragraphs [0092]-[0093], detection system generates event replay data and aggregate attack score, i.e. re-run data and impact scope)
wherein the interactive Re-Run Dashboard communicates with the Dispatch Engine via an application program interface (API) (note paragraphs [0025] and [0028], administrator devices communicates with capture module server using API calls).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Jamail and Neuman and the administrator device interface that issues replay commands to and receives alerts from a server using an API of Harlacher. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of a user console that receives replay alerts from a CEP alerter in response to an outage (Jamail) where the user console and the CEP alerter communicate using an API (Harlacher).


For claim 11, the combination of Jamail, Neuman and Harlacher teaches a method that implements a Re-Run Dropped Detections Tool, the method comprising the steps of:
generating, via an interactive Re-Run Dashboard (note column 3, lines 30-32; column 4, lines 1-7 of Jamail, user console with display communicates with CEP alerter output module), re-run data and impact scope responsive to an outage (note column 7, lines 8-41 of Jamail, replay of event stream is requested after outage and events are retrieved from a repository, i.e. generates re-run data, and are compared against every rule in a rule repository, i.e. impact scope);
providing real-time monitoring of re-run status and visualization of one or more metrics (note column 2, lines 21-23 of Jamail, Complex Event Processing alerter is configured with rules to provide real-time monitoring of event stream), wherein the interactive Re-Run Dashboard provides one or more alerts to one or more predetermined recipients (note column 3, lines 30-35 and column 7, lines 49-54 of Jamail, output module provides alert to user console);
processing, via a Dispatch Engine, the re-run data (note column 7, lines 8-14, 33-44 and 49-54 of Jamail, CEP alerter processes replay of event stream, calls main data store to recall and reprocess them, i.e. perform job generation, and sends alerts for events that match a rule over outage time frame);
performing, via the Dispatch Engine, job generation (note column 7, lines 8-14, 33-44 and 49-54 of Jamail, CEP alerter processes replay of event stream, calls main data store to recall and reprocess them, i.e. perform job generation, and sends alerts for events that match a rule over outage time frame), wherein the job generation comprises calculating job execution times and utilizing the job execution times to send a search job to the interactive Re-Run Dashboard (note paragraphs [0076] and [0084] of Neuman, prediction engine calculates job execution times; paragraphs [0077] and [0088]-[0089] of Neuman, calculated job execution times are used to send the job for execution); and
performing, via the Dispatch Engine, re-run monitor data generation over an outage window associated with the impact scope (note column 7, lines 8-14, 33-44 and 49-54 of Jamail, CEP alerter processes replay of event stream, calls main data store to recall and reprocess them, i.e. perform job generation, and sends alerts for events that match a rule over outage time frame);
wherein the interactive Re-Run Dashboard communicates with the Dispatch Engine via an application program interface (API) (note paragraphs [0025] and [0028] of Harlacher, administrator devices communicates with capture module server using API calls).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the event replay in response to an outage of Jamail and the job execution time calculation of Neuman to form a combination that generates event replay jobs (Jamail) where execution times of the jobs are calculated as part of sending the jobs for execution (Neuman). One of ordinary skill would have been motivated to combine Jamail and Neuman because it would provide simple method of determining execution times of jobs for resource management when dealing with big data sets (note paragraphs [0004]-[0005] of Neuman).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Jamail and Neuman and the administrator device interface that issues replay commands to and receives alerts from a server using an API of Harlacher. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of a user console that receives replay alerts from a CEP alerter in response to an outage (Jamail) where the user console and the CEP alerter communicate using an API (Harlacher).



For claims 2 and 12, the combination of Jamail, Neuman and Harlacher teaches claims 1 and 11, wherein the Dispatch Engine enriches the re-run data (note paragraph [0092] of Harlacher, scores for algorithm outputs may be weighted) and executes search jobs via the API (note column 7, lines 33-44 of Jamail, user makes request for replay of time frame, i.e. search job; paragraphs [0057] and [0064] of Harlacher, user issues command for replay, i.e. search job).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the event replay in response to an outage of Jamail and the enriched data of algorithm outputs of Harlacher. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of a user console that receives replay alerts from a CEP alerter in response to a user request (Jamail) where the output data has been enriched by weighted the different algorithms applied to the data (Harlacher).


For claims 3 and 13, the combination of Jamail, Neuman and Harlacher teaches claims 1 and 11, wherein the re-run data relates to one or more of: a datafeed, a platform and one or more custom tasks (note column 3, lines 49-58 of Jamail, replayed data events may include network platform, datafeeds or custom tasks).

For claims 4 and 14, the combination of Jamail, Neuman and Harlacher teaches claims 1 and 11, wherein the re-run data relates to impacted infrastructure data (note column 8, lines 16-18 of Jamail, replayed data includes data from event logs of network infrastructure).

For claims 5 and 15, the combination of Jamail, Neuman and Harlacher teaches claims 1 and 11, wherein the re-run data includes impact data comprising start data and end data of the outage (note column 7, lines 33-44 of Jamail, replayed data includes data missed during time period of outage, i.e. start and end time).

For claims 7 and 17, the combination of Jamail, Neuman and Harlacher teaches claims 1 and 11, wherein the job generation comprises calculating earliest or latest time offsets (note paragraph [0061] of Harlacher, offset start and end times are calculated to fill sub-buffer with events).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the event replay in response to an outage of Jamail and offset calculations of Harlacher. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of a user console that receives replay alerts from a CEP alerter in response to a user request (Jamail) where offsets have been calculated for the event data to fill a sub-buffer for data operations (Harlacher).


For claims 8 and 18, the combination of Jamail, Neuman and Harlacher teaches claims 1 and 11, wherein the job generation comprises one or more dispatch operations (note column 7, lines 33-44 of Jamail, user makes request for replay of time frame, i.e. dispatch operation).

For claims 9 and 19, the combination of Jamail, Neuman and Harlacher teaches claims 1 and 11, wherein the job generation comprises one or more polling operations (note paragraphs [0094], [0103], [0105], [0113]-[0118] of Neuman, polling operations are used by system components for sending messages as part of job generation).

For claims 10 and 20, the combination of Jamail, Neuman and Harlacher teaches claims 1 and 11, wherein the interactive Re-Run Dashboard receives one or more inputs from a user (note column 3, lines 35-37 and column 7, lines 33-44 of Jamail, user loads rules and makes request for replay of time frame through user console). 


7.	Claims 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Jamail, Neuman and Harlacher as applied to claims 1 and 11 above, and further in view of Ferdous et al. (U.S. Patent Application Publication 2012/0222032; hereafter “Ferdous”).
	For claims 21-22, the combination of Jamail, Neuman and Harlacher teaches:
	wherein: the Dispatch Engine executes the search job (note column 7, lines 8-14, 33-44 and 49-54 of Jamail, CEP alerter processes replay of event stream, calls main data store to recall and reprocess them, and sends alerts for events that match a rule over outage time frame; note paragraph [0089] of Neuman, job is executed);

	The combination of Jamail, Neuman and Harlacher differs from the claimed invention in that they fail to teach:
	the interactive Re-Run Dashboard is further programmed to poll an application for resource utilization in order to guide dispatch operations.

	Ferdous teaches:
	the interactive [Re-Run Dashboard] is further programmed to poll an application for resource utilization in order to guide dispatch operations (note paragraphs [0035] and [0038]-[0040], resource monitor probes computer for resource consumption to determine future resource requirements and guide job operations).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Jamail, Neuman and Harlacher and the probing resource monitor of Ferdous. One of ordinary skill would have been motivate to combine Jamail, Neuman, Harlacher and Ferdous because real-time resource monitoring of a job execution would allow for detection of resource deficiency and prevention of job failure (note paragraphs [0005]-[0006] of Ferdous).

Conclusion
8.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

9.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID J PEARSON whose telephone number is (571)272-0711. The examiner can normally be reached 6:00 - 5:30 pm; Monday through Thursday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/David J Pearson/Primary Examiner, Art Unit 2438