Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Detailed Action
This is a first Office Action in response to application 17/342,986 filed on 06/09/2021. Claims 1-20 are pending and examined below.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-10, 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Givental et al. (US Pub. 2021/0281592) in view of Blewett et al. (US Pub. 2019/0268361) and Rostambadi et al. (US Pat. 9,634,992).
Regarding claim 1, Givental teaches 
A computer program product comprising computer executable code embodied in a non-transitory computer readable medium (Fig. 6 #606-8; Par. [0005]) that, when executing on one or more computing devices, performs the steps of: storing a data lake containing a first plurality of data objects representing security events and a plurality of descriptions for the first plurality of data objects, wherein the first plurality of data objects include security events from one or more data recorders on endpoints in an enterprise network, and wherein each of the plurality of descriptions is organized according to one or more schemas; (Fig. 1; (Par. [0042-5, 58]) security events logs are transmitted from monitored computing system environment (i.e. security events from one or more data recorders on endpoints; #102) to the system via resource log data (#104) into the data cleaning and feature engineering log (#110), where its features (i.e. description) are extracted, supplemented, and stored in the training data database (i.e. data lake; #160))
augmenting each of the second plurality of data objects with a corresponding description organized according to at least one of the one or more schemas; (Fig. 1; (Par. [0042-5, 58]) security events logs are transmitted from monitored computing system environment to the system via resource log data into the data cleaning and feature engineering log, where its features are extracted and supplemented (i.e. augmented))
and storing the second plurality of data objects and a corresponding plurality of descriptions according to the one or more schemas with the first plurality of data objects in the data lake. (Fig. 1; (Par. [0042-5, 58]) security events logs are transmitted from monitored computing system environment to the system via resource log data into the data cleaning and feature engineering log, where its features (i.e. description) are extracted, supplemented, and stored in the training data database (i.e. data lake; #160))
Givental does not explicitly teach 
receiving a second plurality of data objects in an asynchronous stream of security events from the enterprise network, the asynchronous stream including a combination of batch transfers including groups of security events and streaming transfers of individual security events; 
filtering the second plurality of data objects to remove duplicate data objects already included in the first plurality of data objects, wherein filtering includes applying at least one bloom filter to identify one of the second plurality of data objects that might be in the data lake and performing a deduplication lookup in the data lake for the one of the second plurality of data objects;
	However, from the same field, Blewett teaches 
receiving a second plurality of data objects in an asynchronous stream of security events from the enterprise network, the asynchronous stream including a combination of batch transfers including groups of security events and streaming transfers of individual security events; (Par. [0019, 29, 206] security events can be received by the system in streams or batches, synchronously or asynchronously)
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to combine the reception modalities of Blewett into the security event processing of Givental. The motivation for this combination would have been to help filter and classify security related events for a user as explained in Blewett (Par. [0019]).
The combination of Givental and Blewett does not explicitly teach 
filtering the second plurality of data objects to remove duplicate data objects already included in the first plurality of data objects, wherein filtering includes applying at least one bloom filter to identify one of the second plurality of data objects that might be in the data lake and performing a deduplication lookup in the data lake for the one of the second plurality of data objects;
However, from the same field, Rostambadi teaches 
filtering the second plurality of data objects to remove duplicate data objects already included in the first plurality of data objects, wherein filtering includes applying at least one bloom filter to identify one of the second plurality of data objects that might be in the data lake and performing a deduplication lookup in the data lake for the one of the second plurality of data objects; (Fig. 3. (Col. 5 [Line 50] - Col. 6 [Line 6]) a first set of bloom filters (#342-4) is used in conjunction with a second set of bloom filters (i.e. deduplication lookup #346-8) is used to further deduplicate the logged information)
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to combine the deduplication of Rostambadi into the security event processing of Givental. The motivation for this combination would have been to deduplicate the relevant records before sending them to a third party security service as explained in Rostambadi (Col. 6 [Lines 2-6]).
Regarding claim 2, Givental, Blewett and Rostambadi teach claim 1 as shown above, and Givental further teaches 
The computer program product of claim 1 further comprising code that performs the steps of: searching the data lake for one or more security events of interest; (Fig. 2 #214; (Par. [0068]) a subset of the log data having anomaly scores equal to or greater than a threshold are selected (i.e. queried) for user feedback)
and in response to data obtained while searching the data lake, directly querying at least one of the endpoints for additional information. (Fig. 2 #216; (Par. [0068]) a subset of the log data having anomaly scores equal to or greater than a threshold are selected for user feedback (i.e. endpoint queried for additional information))
	Regarding claim 3, Givental teaches 
	 A method comprising: storing a data lake containing a first plurality of data objects representing security events and a plurality of descriptions for the first plurality of data objects, each of the plurality of descriptions organized according to one or more schemas; (Fig. 1; (Par. [0042-5, 58]) security events logs are transmitted from monitored computing system environment (i.e. security events from one or more data recorders on endpoints; #102) to the system via resource log data (#104) into the data cleaning and feature engineering log (#110), where its features (i.e. description) are extracted, supplemented, and stored in the training data database (i.e. data lake; #160))
	augmenting each of the second plurality of data objects with a corresponding description organized according to at least one of the one or more schemas; (Fig. 1; (Par. [0042-5, 58]) security events logs are transmitted from monitored computing system environment to the system via resource log data  into the data cleaning and feature engineering log , where its features are extracted and supplemented (i.e. augmented))
	and storing the second plurality of data objects and a corresponding plurality of descriptions according to the one or more schemas with the first plurality of data objects in the data lake. (Fig. 1; (Par. [0042-5, 58]) security events logs are transmitted from monitored computing system environment to the system via resource log data into the data cleaning and feature engineering log, where its features (i.e. description) are extracted, supplemented, and stored in the training data database (i.e. data lake; #160))
	Givental does not explicitly teach 
receiving a second plurality of data objects in an asynchronous stream of security events from an enterprise network; 
filtering the second plurality of data objects to remove duplicate data objects already included in the first plurality of data objects; 
	However, from the same field Blewett teaches
	receiving a second plurality of data objects in an asynchronous stream of security events from an enterprise network; (Par. [0019, 29, 206] security events can be received by the system in streams or batches, synchronously or asynchronously)
	It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to combine the reception modalities of Blewett into the security event processing of Givental. The motivation for this combination would have been to help filter and classify security related events for a user as explained in Blewett (Par. [0019]). 
	The combination of Givental and Blewett does not explicitly teach filtering the second plurality of data objects to remove duplicate data objects already included in the first plurality of data objects; 
	However, from the same field Rostambadi teaches
	filtering the second plurality of data objects to remove duplicate data objects already included in the first plurality of data objects; (Fig. 3. (Col. 5 [Line 50] - Col. 6 [Line 6]) a first set of bloom filters (#342-4) is used in conjunction with a second set of bloom filters (i.e. deduplication lookup #346-8) is used to further deduplicate the logged information)
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to combine the deduplication of Rostambadi into the security event processing of Givental. The motivation for this combination would have been to deduplicate the relevant records before sending them to a third party security service as explained in Rostambadi (Col. 6 [Lines 2-6]). 
	Regarding claim 4, Givental, Blewett and Rostambadi teach claim 3 as shown above, and Givental further teaches 
	The method of claim 3 wherein the data objects include security events from one or more endpoints in the enterprise network. (Fig. 1 #102; (Par. [0042]) monitored computing system environment (#102) is made of a plurality of computing system resources)
	Regarding claim 5, Givental, Blewett and Rostambadi teach claim 3 as shown above, and Givental further teaches 
	The method of claim 3 wherein at least one of the first plurality of data objects and the second plurality of data objects include security events from one or more data recorders on endpoints in the enterprise network. (Fig. 1 #102; (Par. [0042]) monitored computing system environment (#102) is made of a plurality of computing system resources, including computing devices, data storage systems, data network components)
	Regarding claim 6, Givental, Blewett and Rostambadi teach claim 3 as shown above, and Blewett further teaches
	The method of claim 3 wherein the asynchronous stream includes at least one of a batch transfer including a group of security events, a streaming transfer of one or more individual security events, and a connectivity-dependent transfer. (Par. [0019, 29, 206] security events can be received by the system in streams or batches, synchronously or asynchronously)
	Regarding claim 7, Givental, Blewett and Rostambadi teach claim 3 as shown above, and Rostambadi further teaches 
	The method of claim 3 wherein filtering includes applying a bloom filter to detect a first group of the second plurality of data objects that are definitely not in the data lake and a second group of the second plurality of data objects that might be in the data lake. (Fig. 3. (Col. 5 [Line 50] - Col. 6 [Line 6]) a first set of bloom filters (i.e. first group #342-4) is used in conjunction with a second set of bloom filters (i.e. second group #346-8) is used to further deduplicate the logged information)
	Regarding claim 8, Givental, Blewett and Rostambadi teach claim 7 as shown above, and Rostambadi further teaches 
	The method of claim 7 further comprising performing a deduplication lookup in the data lake on each of the second group. (Fig. 3. (Col. 5 [Line 50] - Col. 6 [Line 6]) a first set of bloom filters (#342-4) is used in conjunction with a second set of bloom filters ( #346-8) is used to further deduplicate the logged information, which is then run through a third set of bloom filter (i.e. deduplication lookup #350-4))
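The two-stage deduplication recited in claims 1, 7 and 8 (a Bloom filter that sorts incoming events into "definitely not in the data lake" and "might be in the data lake", followed by an exact deduplication lookup only for the second group) is shown below as an added, self-contained Python example. It is not code from the application under examination or from any of the cited references; the Bloom filter parameters, the SHA-256-based canonical event key, the "global/v1" description schema, and the sample events and stream are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field


class BloomFilter:
    """Fixed-size Bloom filter: a negative answer is exact, a positive one is probabilistic."""

    def __init__(self, m_bits: int = 8192, k_hashes: int = 4):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, key: str):
        # k bit positions derived from salted SHA-256 digests (assumed hashing scheme).
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, key: str) -> None:
        for pos in self._positions(key):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, key: str) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(key))


def canonical_key(event: dict) -> str:
    """Deduplication key: SHA-256 over the canonicalised JSON form of the event (constructed choice)."""
    return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()


def describe(event: dict) -> dict:
    """Attach a description conforming to a simple global schema (assumed schema, not the application's)."""
    return {"schema": "global/v1", "source": event.get("host", "unknown"),
            "event_type": event.get("type", "unknown"), "key": canonical_key(event)}


@dataclass
class DataLake:
    objects: dict = field(default_factory=dict)        # key -> (event, description)
    bloom: BloomFilter = field(default_factory=BloomFilter)
    stats: dict = field(default_factory=lambda: {
        "definitely_new": 0, "lookup_duplicate": 0, "lookup_false_positive": 0})

    def store(self, event: dict) -> None:
        key = canonical_key(event)
        self.objects[key] = (event, describe(event))
        self.bloom.add(key)

    def ingest(self, event: dict) -> bool:
        """Return True if the event was stored, False if it was dropped as a duplicate."""
        key = canonical_key(event)
        if not self.bloom.might_contain(key):
            # First group: definitely not in the lake, so no lookup is needed.
            self.stats["definitely_new"] += 1
            self.store(event)
            return True
        # Second group: might be in the lake; confirm with an exact deduplication lookup.
        if key in self.objects:
            self.stats["lookup_duplicate"] += 1
            return False
        self.stats["lookup_false_positive"] += 1   # Bloom filter said "maybe", lookup said "no"
        self.store(event)
        return True

    def ingest_stream(self, stream) -> int:
        """Consume a mixed stream where each item is a single event (dict) or a batch (list)."""
        accepted = 0
        for item in stream:
            for event in (item if isinstance(item, list) else [item]):
                if self.ingest(event):
                    accepted += 1
        return accepted


SEED_EVENTS = [  # constructed sample: initial contents of the data lake
    {"host": "ws-01", "type": "process_start", "image": "C:\\Windows\\System32\\cmd.exe", "ts": 1},
    {"host": "ws-02", "type": "logon", "user": "alice", "ts": 2},
]
SAMPLE_STREAM = [  # constructed: one batch transfer followed by two individual streaming transfers
    [
        {"host": "ws-01", "type": "process_start", "image": "C:\\Windows\\System32\\cmd.exe", "ts": 1},
        {"host": "ws-03", "type": "dns_query", "qname": "example.test", "ts": 3},
    ],
    {"host": "ws-03", "type": "dns_query", "qname": "example.test", "ts": 3},   # repeat of a batch item
    {"host": "ws-02", "type": "logon", "user": "bob", "ts": 4},
]


def run_demo():
    lake = DataLake()
    for event in SEED_EVENTS:
        lake.store(event)
    accepted = lake.ingest_stream(SAMPLE_STREAM)
    return lake, accepted


if __name__ == "__main__":
    lake, accepted = run_demo()
    print(f"accepted={accepted} stored={len(lake.objects)} stats={lake.stats}")
```

With the constructed stream, two of the four incoming events are exact repeats and are rejected after the lookup; the other two are stored, normally straight from the "definitely new" path. The `lookup_false_positive` counter records the case the filter cannot rule out: a new event whose bit positions happen to be set already, which is why the exact lookup, not the filter, makes the final decision.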
	Regarding claim 9, Givental, Blewett and Rostambadi teach claim 3 as shown above, and Givental further teaches 
	The method of claim 3 wherein one of the schemas includes a global schema for all of the data objects in the data lake. (Fig. 1 #110; (Par. [0044]) the data cleaning and feature engineering engine (#110) converts log data of different formats into a predetermined common format (i.e. global schema))
	Regarding claim 10, Givental, Blewett and Rostambadi teach claim 3 as shown above, and Givental further teaches 
	The method of claim 3 wherein one of the schemas includes a device-dependent schema selected for one of the data objects according to a source of the one of the data objects when received in the asynchronous stream. (Fig. 1 #110; (Par. [0044-5]) the data cleaning and feature engineering engine (#110) converts log data of different formats into a predetermined common format, which can be contingent on the type of device being monitored (i.e. device dependent schema))
	Regarding claim 12, Givental, Blewett and Rostambadi teach claim 3 as shown above, and Givental further teaches 
	The method of claim 3 further comprising programmatically listening to each of the second plurality of data objects based on at least one of the one or more schemas as each of the data objects is stored in the data lake to identify one or more security events of interest. (Fig. 1 #110; (Par. [0044-5]) the data cleaning and feature engineering engine (#110) converts log data of different formats into a predetermined common format, and performs feature engineering contingent on the specific device (i.e. programmatically listening to each of the second plurality of data objects based on the schema))
	Regarding claim 13, Givental, Blewett and Rostambadi teach claim 12 as shown above, and Givental further teaches 
	The method of claim 12 further comprising, in response to identifying a security event of interest, directly querying at least one endpoint in the enterprise network for additional information. (Fig. 2 #216; (Par. [0068]) a subset of the log data having anomaly scores equal to or greater than a threshold are selected for user feedback (i.e. endpoint queried for additional information))
	Regarding claim 14, Givental, Blewett and Rostambadi teach claim 3 as shown above, and Givental further teaches 
	The method of claim 3 further comprising searching the data lake for one or more security events of interest. (Fig. 2 #214; (Par. [0068]) a subset of the log data having anomaly scores equal to or greater than a threshold are selected (i.e. searched) for user feedback)
	Regarding claim 15, Givental, Blewett and Rostambadi teach claim 14 as shown above, and Givental further teaches 
	The method of claim 14 further comprising, in response to data obtained while searching the data lake, directly querying at least one endpoint in the enterprise network for additional information. (Fig. 2 #216; (Par. [0068]) a subset of the log data having anomaly scores equal to or greater than a threshold are selected for user feedback (i.e. endpoint queried for additional information))
	Regarding claim 16, see the rejection for claim 1.
	Regarding claim 17, see the rejection for claim 6.
	Regarding claim 18, see the rejection for claim 7.
	Regarding claim 19, see the rejection for claim 8.
	Regarding claim 20, see the rejection for claim 14.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Givental et al. (US Pub. 2021/0281592) in view of Blewett et al. (US Pub. 2019/0268361) and Rostambadi et al. (US Pat. 9,634,992), and further in view of Sampaio et al. (US Pub. 2020/0366699).
Regarding claim 11, the combination of Givental, Blewett and Rostambadi does not explicitly teach 
The method of claim 3 wherein the one or more schemas are columnar schemas.
However, from the same field, Sampaio teaches
The method of claim 3 wherein the one or more schemas are columnar schemas. (Fig. 11 #1108; Par. [0130] a table containing feature values used by the machine learning model are in columns ordered from left to right by importance)
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to combine the columnar table structure of Sampaio into the security event processing of Givental. The motivation for this combination would have been to improve monitoring of a security attack as explained in Sampaio (Par. [0026]).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Iliofotou et al. (US Pub. 2019/0238574) teaches a method of validating server group data.
Heimann et al. (US Pat. 10,685,293) teaches using a bloom filter while analyzing security threats.
Giorgio et al. (US Pat. 11,057,414) teaches streams and batch processing using bloom filters while analyzing events.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to J MITCHELL CURRAN whose telephone number is (469)295-9081. The examiner can normally be reached M-F 8:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, James Trujillo can be reached on (571) 272-3677. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/J MITCHELL CURRAN/Examiner, Art Unit 2157
/MOHAMED ABOU EL SEOUD/Primary Examiner, Art Unit 2174