DATA TAGS GENERATIONS IN NETWORK ENVIRONMENTS

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This written action is responding to the Requested Continued Education dated on 08/07/2025. Claims 1-8, 10, 12-13, 15 and 19-20 have been amended. Claims 1-20 are submitted for examination. Claims 1-20 are pending. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 08/07/2025 has been entered. Response to Arguments Applicant’s amendment filed on August 7, 2025 has claims 1-8, 10, 12-13, 15 and 19-20 have been amended, and all other claims are previously presented. Amended claims 1, 8 and 15 are independent ones. Applicant’s remark, filed on August 7, 2025 at pages 11-12, indicates, “Limitation: analyze, using an evaluation function selected based on a key received from the originating apparatus along with the input data item, the input data item to produce a processing result indicative of a structural or contextual characteristic of the input data item. Baldwin applies pre-defined rules to incoming data, but does not select evaluation logic based on a key received from the originating apparatus. Moreover, Baldwin's transformations are not described as producing results indicative of format or contextual structure. Chickerur, while it arguably applies classification tags to identify PII, this reference fails to disclose key-based selection of evaluation logic and focuses on structure or context (e.g., length, pattern, IP subnet). Perkins is directed to database format schemas and does not perform runtime analysis of live data inputs using evaluation functions. Christodoulou merely generates metadata tags associated with data items but lacks any discussion of key-based function selection or structural analysis. Limitation: derive, from the processing result, a tag that retains the structural or contextual characteristic of the input data item. Baldwin applies data transformation rules such as pseudonymization, but does not derive tags from an evaluation result, nor do the transformed outputs retain identifiable format or contextual attributes. Chickerur assigns semantic classification tags based on P11 type (e.g., email, SSN), but these are not structural or contextual characteristics, and they are applied directly from pattern matching, not from a processing result of an evaluation function. Perkins defines value tags related to database schema formatting, but those tags are pre- defined for static field compatibility and are not derived from dynamic runtime evaluation of individual data items. Christodoulou discloses metadata tagging, but its tags are not shown to be derived from analysis results nor do they retain the structure or context of the original data. Limitation: produce, from the input data item, an obfuscated data item comprising the content rendered inaccessible outside the network environment. Baldwin describes data transformation operations such as pseudonymization and contextualization within a trusted environment. Baldwin also contemplates mapping transformed tokens back to the original data. However, because Baldwin does not explicitly enforce that the original content is inaccessible outside the network, this reference fails to disclose irreversible obfuscation that precludes external access. Chickerur and Perkins do not address obfuscation at all. Christodoulou merely describes optional omission of data transmission … Allowance of the claims is respectfully requested.” Applicant’s argument has been considered, but are not found persuasive. Examiner respectfully traverses the Applicant’s argument regarding that the limitation, “analyze, using an evaluation function selected based on a key received from the originating apparatus along with the input data item, the input data item to produce a processing result indicative of a structural or contextual characteristic of the input data item”. Examiner acknowledge that Chickerur and Perkins do not disclose the presented limitation as amended. However, after a careful revision of previously applied prior arts, Examiner submits that the combination of Baldwin in view of Christodoulou discloses the presented amended limitation. Specifically, Baldwin describes at Parag. [0024-0033] a selection of a rule based on a key value in order to obfuscate a receive data item from an originating apparatus. For example, at Parag. [0024], “… tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier (i.e., a key) related to the data item … processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information …” Thus, Examiner has interpreted that Baldwin discloses a set of rules (i.e., evaluation function) to be applied to an event (i.e., tuple, data item) in order to be obfuscated in order to protect data content. Regarding the second limitation, “derive, from the processing result, a tag that retains the structural or contextual characteristic of the input data item”, Examiner acknowledge that Chickerur and Perkins do not disclose the presented limitation as amended. However, Examiner submits that Christodoulou describes specifically, Parag. [0003], “generating tags, that may refer to the structure of the data. For example, the metadata associated with a text document may include a reference to the subject matter of the document, its author, the number of words, the size of the data item etc. As a further example, metadata associated with a graphical image such as a photograph may include tags identifying different elements of the image i.e. that the image is a sunrise/sunset, it includes people faces, it is a landscape, and so on.”. Thus, Examiner submits that Christodoulou teaches the amended limitation claimed at independent Claim 1. Please refer to detailed rejection below. Finally, Applicant argues that the limitation, “produce, from the input data item, an obfuscated data item comprising the content rendered inaccessible outside the network environment”, it is not disclosed by applied references. Examiner acknowledge that Chickerur and Perkins do not disclose the presented limitation as amended. However, Examiner submits that Baldwin discloses at Parag. [0015-0016] a “non-trusted environment is that to which personal and/or private data which forms part of an event generated by the source apparatus 103 should not be passed”. Therefore, Examiner has interpreted that a trust network will keep data content protected and cannot be rendered at devices that are outside the trusted network. User or devices that requires access to the data outside if the network should receive the data item obfuscated or anonymized. Finally, Examiner respectfully submits that previous applied references by Baldwin and Christodoulou discloses the additional amended claim limitations in independent claim 1 and would render the claim features obvious. Applicant further recites similar remarks as listed above for independent claims 8 and 15. See the aforementioned response on item 8, which addresses how the combination of prior-art references by Baldwin and Christodoulou would render the claimed limitations obvious. In addition, for independent claim 15, prior art by Bangalore et al. (US 2020/0192736) has been added. Bangalore teaches the feature limitation regarding couple a data tag to a system log and transmit it to a device in an external network. See rejection below. Claim Objections Claim 1 is objected to because of the following informalities: Claim 1 recites, “analyze, using an evaluation function selected based on a key received from the originating apparatus along with the input data item, the input data item to produce, a processing result indicative of a structural or contextual characteristic of the input data item.” Examiner submits that is not clear how the evaluation function is selected based on a key and how by analyzing a processing result that indicates a structural or contextual characteristic of the input data item is obtained. Further clarification is required. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-14 are rejected under 35 U.S.C. 103 as being unpatentable over Baldwin et al. (WO2020251587A1) hereinafter Baldwin in view of Christodoulou et al. (US 2003/0069898) hereinafter Christodoulou. As per Claim 1, Baldwin teaches a non-transitory machine-readable storage medium encoded with instructions, that when executed by a processor of a computing device, cause the computing device (Baldwin, Parag. [0057-0058]; “For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor. With reference to figure 1 for example, processor 121 can be associated with a memory 152. The memory 152 can comprise computer readable instructions 154 which are executable by the processor 121.”) to: receive, from an originating apparatus an input data item comprising content accessible within a network environment (Baldwin, Abstract; “a method for modifying a data item from a source apparatus (i.e., received), the data item associated with an event” … Parag. [0015]; “A source apparatus 103 can be a node or endpoint in a network. For example, a source apparatus 103 can be an loT device, printer, PC and so on.” … Parag. [0018]; “In a runtime phase, according to an example, event data 109, such as that representing security event messages for example, are created by devices such as the source apparatus 103 of figure 1. The event data 109 is sent to the transformation module 105” … [0024] “… wherein the event data can be in the form of an event or event message.”); analyze, using an evaluation function selected based on a key received from the originating apparatus along with the input data item, the input data item to produce, a processing result indicative of a structural or contextual characteristic of the input data item (Baldwin, Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier (i.e., a key) related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information. The transformation module 105 operates within the trusted environment. In an example, processor 121 can be used to apply a transformation rule to a first tuple to pseudonymise a first data item in order to provide a pseudonymised data item, and/or generate a contextual supplement to the first data item.” … Parag. [0027]; “Analytics Engine 111 can be triggered upon selected rules (based on the fields available within the event message) when event messages are fed into the system of figure 1 and these may build on information already stored from previous events. Alternatively, analytic rules may run regularly to derive reports. The contextual information can enable analytics to be applied that would not otherwise be used. For example, a rule may look for large numbers of events such as failed logins, or security alerts occurring at one location or being triggered from a particular source IP address (or IP addresses within a given site).” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.”); [derive, from the processing result, a tag that retains the structural or contextual characteristic of the input data item]; produce, from the input data item, an obfuscated data item comprising the content rendered inaccessible outside the network environment (Baldwin, Parag. [0015-0016]; “Figure 1 is a schematic representation of a system according to an example. In the example of figure 1 , a trust boundary 101 is depicted. The trust boundary 101 defines a logical boundary between a trusted environment within which a source apparatus 103 is located, and a non-trusted environment. The non-trusted environment is that to which personal and/or private data which forms part of an event generated by the source apparatus 103 should not be passed (i.e., data cannot be rendered at devices that are outside the trusted network). … In an example, analytics can be generated within one boundary (such as a security service provider in a non-trusted environment to the right of the trust boundary 101 in figure 1) whilst personal and confidential information is retained within, for example, an enterprise (i.e. a trusted environment to the left of the trust boundary 101 in figure 1).” … Parag. [0017]; “According to an example, in a set up phase, analytics can be selected, and transformation rules to transform a data item, such as anonymization, pseudonymisation and contextualization rules, can be generated and sent to the transformation module 105.” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.”); and [provide, for transmission to a destination outside the network environment, the tag and the obfuscated data item]. Baldwin does not expressly teach: derive, from the processing result, a tag that retains the structural or contextual characteristic of the input data item; and provide, for transmission to a destination outside the network environment, the tag and the obfuscated data item. However, Christodoulou teaches: derive, from the processing result, a tag that retains the structural or contextual characteristic of the input data item (Christodoulou, Parag. [0003]; “Alternatively, the metadata may equally be much more complex comments, or tags, that may refer to the structure of the data. For example, the metadata associated with a text document may include a reference to the subject matter of the document, its author, the number of words, the size of the data item etc. As a further example, metadata associated with a graphical image such as a photograph may include tags identifying different elements of the image i.e. that the image is a sunrise/sunset, it includes people faces, it is a landscape, and so on.” … Parag. [0010]; “the data item acquisition unit including a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the data store.” … Parag. [0019]; “According to a second aspect of the present invention there is provided a method of processing data, the method comprising generating a data tag associated with a data item, said data tag generation occurring at a data acquisition unit, and transmitting at least said data tag to a data store.” … Parag. [0035] “The metadata generator is arranged to process data items input from one or more of the data input devices to generate datatags or metadata for each data item.” … Parag. [0036]; “On receipt of the data items the metadata generator 12 will perform data processing to generate metadata associated with the input data items. The metadata may then be transmitted from the data acquisition unit 2 to the data store 4, together with, for example, a request from the data acquisition unit for the data store 4 to provide further data items that have similar metadata associated with them.”); provide, for transmission to a destination outside the network environment, the tag and the [obfuscated] data item (Christodoulou, Parag. [0010-0011]; “According to the present invention there is provided a data processing system comprising at least one data item acquisition unit and at least one data store, the data item acquisition unit including a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the data store. The data item acquisition unit may also transmit the data item itself to the at least one data store.” … Claim 39; “A data processing system comprising at least one data item acquisition unit and at least one remote data store, the data item acquisition unit comprising a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the remote data store, wherein said data tag generator is arranged to detect a failure to generate a data tag for a data item and in response to said failure to request the transmission of further configuration information held at the remote data store to allow successful data tag generation to occur.”). Baldwin and Christodoulou are from similar field of technology. Prior to the instant application’s effective filling date, there was a need to provide a secure data communication between trusted and non-trusted networks. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Christodoulou system into Baldwin system with a motivation to provide a method to generate a tag and associate the tag with the data item (Christodoulou, Parag. [0010]). As per Claim 2, the combination of Baldwin and Christodoulou teach the non-transitory machine-readable storage medium of claim 1. Baldwin teaches further comprising instructions, that when executed by the processor of the computing device, cause the computing device (Baldwin, Parag. [0057-0058]; “For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor. With reference to figure 1 for example, processor 121 can be associated with a memory 152. The memory 152 can comprise computer readable instructions 154 which are executable by the processor 121.”) to: [provide, at the computing device, the tag and] the obfuscated data item [for transmission] (Baldwin, Parag. [0017]; “According to an example, in a set up phase, analytics can be selected, and transformation rules to transform a data item, such as anonymization, pseudonymisation and contextualization rules, can be generated and sent to the transformation module 105.”) In addition, Christodoulou teaches: provide, at the computing device, the tag and the [obfuscated] data item for transmission (Christodoulou, Parag. [0010-0011]; “According to the present invention there is provided a data processing system comprising at least one data item acquisition unit and at least one data store, the data item acquisition unit including a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the data store. The data item acquisition unit may also transmit the data item itself to the at least one data store.”). As per Claim 3, the combination of Baldwin and Christodoulou teach the non-transitory machine-readable storage medium of claim 1. Baldwin teaches further comprising instructions, that when executed by the processor of the computing device, cause the computing device (Baldwin, Parag. [0057-0058]; “For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor. With reference to figure 1 for example, processor 121 can be associated with a memory 152. The memory 152 can comprise computer readable instructions 154 which are executable by the processor 121.”) to: In addition, Christodoulou teaches: transmit the tag to a device of another network environment (Christodoulou, Parag. [0024]; “According to a third aspect of the present invention there is provided a data item acquisition device comprising a data tag generator and being arranged to transmit a generated data tag associated with an acquired data item to a data store.” … Parag. [0035]; “FIG. 1 shows a data acquisition device or unit 2 connected to a data store 4. The data acquisition unit 2 is connected to one or more data input devices. Examples of data input devices that are shown are a discrete data storage unit 6, for example a hard disk, a digital camera 8, and a document scanner 10. Other input devices such as video or sound recorders could also be provided. Located in the data acquisition unit 2 is a data tag generator 12 also known as a metadata generator. The metadata generator is arranged to process data items input from one or more of the data input devices to generate data tags or metadata for each data item. A data store 4 is connected to the data acquisition unit 2. The data store unit includes one or more data storage devices 14, such as known hard disk drives. Connected to the data storage devices 14 is a data query and/or indexing unit that is arranged to perform conventional data searching procedures. The data storage devices 14 are arranged to store either a plurality of data tags, a plurality of individual data items, or both data items and their associated data tags. The data acquisition unit 2 and data store 4 are connected by any suitable data transmission channel, for example by fibre optic cable, or by wireless connections.” … Claim 39; “A data processing system comprising at least one data item acquisition unit and at least one remote data store, the data item acquisition unit comprising a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the remote data store, wherein said data tag generator is arranged to detect a failure to generate a data tag for a data item and in response to said failure to request the transmission of further configuration information held at the remote data store to allow successful data tag generation to occur.”). As per Claim 4, the combination of Baldwin and Christodoulou teach the non-transitory machine-readable storage medium of claim 1. Baldwin teaches further comprising instructions, that when executed by the processor of the computing device, cause the computing device (Baldwin, Parag. [0057-0058]; “For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor. With reference to figure 1 for example, processor 121 can be associated with a memory 152. The memory 152 can comprise computer readable instructions 154 which are executable by the processor 121.”) to: transmit the obfuscated data item and the tag to a message rewriter, wherein the message rewriter obfuscates the input data item, and wherein the message rewriter associates the tag with the obfuscated data item (Baldwin, Parag. [0018]; “The event data 109 is sent to the transformation module 105 (i.e., rewriter) which applies one or more rules to transform or modify the data (i.e. by way of one or more of anonymization, pseudonymisation and contextualization rules in order to anonymise, pseudonymise and contextualise the data) before forwarding the messages to the analytics engine 111.” … Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information.”). As per Claim 5, the combination of Baldwin and Christodoulou teach the non-transitory machine-readable storage medium of claim 1. Baldwin teaches further comprising instructions, that when executed by the processor of the computing device, cause the computing device (Baldwin, Parag. [0057-0058]; “For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor. With reference to figure 1 for example, processor 121 can be associated with a memory 152. The memory 152 can comprise computer readable instructions 154 which are executable by the processor 121.”) to: receive, at the computing device, the evaluation function (Baldwin, Parag. [0017]; “According to an example, in a set up phase, analytics can be selected, and transformation rules to transform a data item, such as anonymization, pseudonymisation and contextualization rules, can be generated and sent to the transformation module 105.” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.” Examiner submits that the evaluation function is interpreted as the rule selected based on the field/key. For example contextual pseudonymization., masking or hashing.). As per Claim 6, the combination of Baldwin and Christodoulou teach the non-transitory machine-readable storage medium of claim 1. Baldwin teaches further comprising instructions, that when executed by the processor of the computing device, cause the computing device (Baldwin, Parag. [0057-0058]; “For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor. With reference to figure 1 for example, processor 121 can be associated with a memory 152. The memory 152 can comprise computer readable instructions 154 which are executable by the processor 121.”) to: organize, at the computing device, the key and the input data item into a key-value pair (Baldwin, Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed (i.e., organized) into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) (i.e., key-value pair) to provide context.”). As per Claim 7, the combination of Baldwin and Christodoulou teach the non-transitory machine-readable storage medium of claim 1. Baldwin teaches wherein the processing result indicates the input data item is in a defined format Baldwin, Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier (i.e., a key) related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information. The transformation module 105 operates within the trusted environment. In an example, processor 121 can be used to apply a transformation rule to a first tuple to pseudonymise a first data item in order to provide a pseudonymised data item, and/or generate a contextual supplement to the first data item.” … Parag. [0027]; “Analytics Engine 111 can be triggered upon selected rules (based on the fields available within the event message) when event messages are fed into the system of figure 1 and these may build on information already stored from previous events. Alternatively, analytic rules may run regularly to derive reports. The contextual information can enable analytics to be applied that would not otherwise be used. For example, a rule may look for large numbers of events such as failed logins, or security alerts occurring at one location or being triggered from a particular source IP address (or IP addresses within a given site).” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.”), and In addition, Christodoulou teaches: wherein the tag comprises the processing result (Christodoulou, Parag. [0003]; “Alternatively, the metadata may equally be much more complex comments, or tags, that may refer to the structure of the data. For example, the metadata associated with a text document may include a reference to the subject matter of the document, its author, the number of words, the size of the data item etc. As a further example, metadata associated with a graphical image such as a photograph may include tags identifying different elements of the image i.e. that the image is a sunrise/sunset, it includes people faces, it is a landscape, and so on.” … Parag. [0010]; “the data item acquisition unit including a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the data store.” … Parag. [0019]; “According to a second aspect of the present invention there is provided a method of processing data, the method comprising generating a data tag associated with a data item, said data tag generation occurring at a data acquisition unit, and transmitting at least said data tag to a data store.” … Parag. [0035] “The metadata generator is arranged to process data items input from one or more of the data input devices to generate datatags or metadata for each data item.” … Parag. [0036]; “On receipt of the data items the metadata generator 12 will perform data processing to generate metadata associated with the input data items. The metadata may then be transmitted from the data acquisition unit 2 to the data store 4, together with, for example, a request from the data acquisition unit for the data store 4 to provide further data items that have similar metadata associated with them.”). As per Claim 8, Baldwin teaches a non-transitory machine-readable storage medium encoded with instructions executable by a processor, the machine-readable storage medium comprising instructions (Baldwin, Parag. [0057-0058]; “For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor. With reference to figure 1 for example, processor 121 can be associated with a memory 152. The memory 152 can comprise computer readable instructions 154 which are executable by the processor 121.”) to: receive, by a computing device having the processor and a memory executing in a network environment, data associated with an event from an originating apparatus (Baldwin, Abstract; “a method for modifying a data item from a source apparatus, the data item associated with an event” … Parag. [0018]; “In a runtime phase, according to an example, event data 109, such as that representing security event messages for example, are created by devices such as the source apparatus 103 of figure 1. The event data 109 is sent to the transformation module 105.”), wherein the data is accessible for processing in the network environment (Baldwin, Abstract; “a method for modifying a data item from a source apparatus, the data item associated with an event, in which the method comprises, within a trusted environment, parsing the data item to generate a set of tuples relating to the event and/or associated with the source apparatus, each tuple comprising a data item, and a data identifier related to the data item, applying a rule to a first tuple to pseudonymise a first data item to provide a transformed data item, and/or generate a contextual supplement to the first data item, generating a mapping between the transformed data item and the first data item, whereby to provide a link between the transformed data item and the first data item to enable subsequent resolution of the first data item using the transformed data item, and forwarding the transformed data item and the data identifier related to the first data item to an analytics engine situated logically outside of the trusted environment.” … Parag. [0015]; “A source apparatus 103 can be a node or endpoint in a network. For example, a source apparatus 103 can be an loT device, printer, PC and so on.” Examiner submits that the transformation process applied to the data is interpreted as data accessible to be processed.); parse, by the computing device, the data associated with the event to generate a tuple, wherein the tuple comprises a key and a data item paired with the key (Baldwin, Abstract; “a method for modifying a data item from a source apparatus, the data item associated with an event, in which the method comprises, within a trusted environment, parsing the data item to generate a set of tuples relating to the event and/or associated with the source apparatus, each tuple comprising a data item, and a data identifier (i.e., a key) related to the data item, applying a rule to a first tuple to pseudonymise a first data item to provide a transformed data item, and/or generate a contextual supplement to the first data item, generating a mapping between the transformed data item and the first data item, whereby to provide a link between the transformed data item and the first data item to enable subsequent resolution of the first data item using the transformed data item, and forwarding the transformed data item and the data identifier related to the first data item to an analytics engine situated logically outside of the trusted environment.” … Parag. [0015]; “A source apparatus 103 can be a node or endpoint in a network. For example, a source apparatus 103 can be an loT device, printer, PC and so on.”); apply, by the computing device, an evaluation function to the data item (Baldwin, Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier (i.e., a key) related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information. The transformation module 105 operates within the trusted environment. In an example, processor 121 can be used to apply a transformation rule to a first tuple to pseudonymise a first data item in order to provide a pseudonymised data item, and/or generate a contextual supplement to the first data item.” … Parag. [0027]; “Analytics Engine 111 can be triggered upon selected rules (based on the fields available within the event message) when event messages are fed into the system of figure 1 and these may build on information already stored from previous events. Alternatively, analytic rules may run regularly to derive reports. The contextual information can enable analytics to be applied that would not otherwise be used. For example, a rule may look for large numbers of events such as failed logins, or security alerts occurring at one location or being triggered from a particular source IP address (or IP addresses within a given site).” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.”) [to generate a data tag, wherein the tag retains a structural or contextual characteristic of the data item]; [associate, by the computing device, the data tag with the tuple to create a return data item]; render, in the return data item by the computing device, the data inaccessible for processing outside the network environment (Baldwin, Parag. [0015-0016]; “Figure 1 is a schematic representation of a system according to an example. In the example of figure 1 , a trust boundary 101 is depicted. The trust boundary 101 defines a logical boundary between a trusted environment within which a source apparatus 103 is located, and a non-trusted environment. The non-trusted environment is that to which personal and/or private data which forms part of an event generated by the source apparatus 103 should not be passed (i.e., data cannot be rendered at devices that are outside the trusted network). … In an example, analytics can be generated within one boundary (such as a security service provider in a non-trusted environment to the right of the trust boundary 101 in figure 1) whilst personal and confidential information is retained within, for example, an enterprise (i.e. a trusted environment to the left of the trust boundary 101 in figure 1).” … Parag. [0017]; “According to an example, in a set up phase, analytics can be selected, and transformation rules to transform a data item, such as anonymization, pseudonymisation and contextualization rules, can be generated and sent to the transformation module 105.” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.”); and [transmit, by the computing device, the return data item and the data item outside the network environment]. Baldwin does not expressly teach: … generate a data tag, wherein the tag retains a structural or contextual characteristic of the data item; associate, by the computing device, the data tag with the tuple to create a return data item; transmit, by the computing device, the return data item and the data item outside the network environment. However, Christodoulou teaches: to generate a data tag (Christodoulou, Parag. [0010]; “the data item acquisition unit including a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the data store.” … Parag. [0019]; “According to a second aspect of the present invention there is provided a method of processing data, the method comprising generating a data tag associated with a data item, said data tag generation occurring at a data acquisition unit, and transmitting at least said data tag to a data store.”), wherein the tag retains a structural or contextual characteristic of the data item (Christodoulou, Parag. [0003]; “Alternatively, the metadata may equally be much more complex comments, or tags, that may refer to the structure of the data. For example, the metadata associated with a text document may include a reference to the subject matter of the document, its author, the number of words, the size of the data item etc. As a further example, metadata associated with a graphical image such as a photograph may include tags identifying different elements of the image i.e. that the image is a sunrise/sunset, it includes people faces, it is a landscape, and so on.” … Parag. [0010]; “the data item acquisition unit including a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the data store.” … Parag. [0019]; “According to a second aspect of the present invention there is provided a method of processing data, the method comprising generating a data tag associated with a data item, said data tag generation occurring at a data acquisition unit, and transmitting at least said data tag to a data store.” … Parag. [0035] “The metadata generator is arranged to process data items input from one or more of the data input devices to generate datatags or metadata for each data item.” … Parag. [0036]; “On receipt of the data items the metadata generator 12 will perform data processing to generate metadata associated with the input data items. The metadata may then be transmitted from the data acquisition unit 2 to the data store 4, together with, for example, a request from the data acquisition unit for the data store 4 to provide further data items that have similar metadata associated with them.”) associate, by the computing device, the data tag with the tuple to create a return data item (Christodoulou, Parag. [0010]; “the data item acquisition unit including a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the data store.” … Parag. [0017]; “The failure may be a ‘hard’ failure, in which case no metadata is generated and the data acquisition unit may transmit the data item to the data store, the data tag (metadata) generation then occurring at the data store. Alternatively, appropriate configuration information held by the data tag generator at the data store may be transmitted to the data acquisition unit to allow successful data tag generation to occur at the data acquisition unit. The failure may alternatively be a ‘soft’ failure, in which case the metadata generated prior to the failure occurring may be transmitted to the data store, or equally simplified metadata may be generated instead and transmitted to the data store.” … Parag. [0019]; “According to a second aspect of the present invention there is provided a method of processing data, the method comprising generating a data tag associated with a data item, said data tag generation occurring at a data acquisition unit, and transmitting at least said data tag to a data store.”); transmit, by the computing device, the return data item and the data item outside the network environment (Christodoulou, Parag. [0010-0011]; “According to the present invention there is provided a data processing system comprising at least one data item acquisition unit and at least one data store, the data item acquisition unit including a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the data store. The data item acquisition unit may also transmit the data item itself to the at least one data store.” … Claim 39; “A data processing system comprising at least one data item acquisition unit and at least one remote data store, the data item acquisition unit comprising a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the remote data store, wherein said data tag generator is arranged to detect a failure to generate a data tag for a data item and in response to said failure to request the transmission of further configuration information held at the remote data store to allow successful data tag generation to occur.”). Baldwin and Christodoulou are from similar field of technology. Prior to the instant application’s effective filling date, there was a need to provide a secure data communication between trusted and non-trusted networks. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Christodoulou system into Baldwin system with a motivation to provide a method to generate a tag and associate the tag with the data item (Christodoulou, Parag. [0010]). As per Claim 9, the combination of Baldwin and Christodoulou teach the non-transitory machine-readable storage medium of claim 8. Baldwin teaches further comprising instructions (Baldwin, Parag. [0057-0058]; “For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor. With reference to figure 1 for example, processor 121 can be associated with a memory 152. The memory 152 can comprise computer readable instructions 154 which are executable by the processor 121.”) to select the evaluation function based on the key (Baldwin, Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier (i.e., a key) related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information. The transformation module 105 operates within the trusted environment. In an example, processor 121 can be used to apply a transformation rule to a first tuple to pseudonymise a first data item in order to provide a pseudonymised data item, and/or generate a contextual supplement to the first data item.” … Parag. [0027]; “Analytics Engine 111 can be triggered upon selected rules (based on the fields available within the event message) when event messages are fed into the system of figure 1 and these may build on information already stored from previous events. Alternatively, analytic rules may run regularly to derive reports. The contextual information can enable analytics to be applied that would not otherwise be used. For example, a rule may look for large numbers of events such as failed logins, or security alerts occurring at one location or being triggered from a particular source IP address (or IP addresses within a given site).” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.”). As per Claim 10, the combination of Baldwin and Christodoulou teach the non-transitory machine-readable storage medium of claim 8. Baldwin teaches wherein the tuple comprises the key and a plurality of data items (Baldwin, Abstract; “a method for modifying a data item from a source apparatus, the data item associated with an event, in which the method comprises, within a trusted environment, parsing the data item to generate a set of tuples relating to the event and/or associated with the source apparatus, each tuple comprising a data item, and a data identifier (i.e., the key) related to the data item.”). As per Claim 11, the combination of Baldwin and Christodoulou teach the non-transitory machine-readable storage medium of claim 10. Baldwin teaches further comprising instructions to (Baldwin, Parag. [0057-0058]; “For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor. With reference to figure 1 for example, processor 121 can be associated with a memory 152. The memory 152 can comprise computer readable instructions 154 which are executable by the processor 121.”) apply the evaluation function to the plurality of data items (Baldwin, Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier (i.e., a key) related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information. The transformation module 105 operates within the trusted environment. In an example, processor 121 can be used to apply a transformation rule to a first tuple to pseudonymise a first data item in order to provide a pseudonymised data item, and/or generate a contextual supplement to the first data item.” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.”) In addition Christodoulou teaches: to generate the data tag (Christodoulou, Parag. [0010]; “the data item acquisition unit including a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the data store.” … Parag. [0019]; “According to a second aspect of the present invention there is provided a method of processing data, the method comprising generating a data tag associated with a data item, said data tag generation occurring at a data acquisition unit, and transmitting at least said data tag to a data store.”). As per Claim 12, the combination of Baldwin and Christodoulou teach the non-transitory machine-readable storage medium of claim 8. Baldwin teaches wherein the tuple comprises the key and a plurality of data items (Baldwin, Abstract; “a method for modifying a data item from a source apparatus, the data item associated with an event, in which the method comprises, within a trusted environment, parsing the data item to generate a set of tuples relating to the event and/or associated with the source apparatus, each tuple comprising a data item, and a data identifier related to the data item.”); and further comprising instructions to apply a second evaluation function, which is different from the evaluation function, to a second data item which is different from the data item (Baldwin, Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.” Examiner submits that the evaluation function is interpreted as the rule selected based on the field/key. For example contextual pseudonymization and masking or hashing, are a plurality of evaluation functions that could be applied.) In addition Christodoulou teaches: to generate the data tag (Christodoulou, Parag. [0010]; “the data item acquisition unit including a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the data store.” … Parag. [0019]; “According to a second aspect of the present invention there is provided a method of processing data, the method comprising generating a data tag associated with a data item, said data tag generation occurring at a data acquisition unit, and transmitting at least said data tag to a data store.”). As per Claim 13, the combination of Baldwin and Christodoulou teach the non-transitory machine-readable storage medium of claim 8. Baldwin teaches further comprising instructions (Baldwin, Parag. [0057-0058]; “For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor. With reference to figure 1 for example, processor 121 can be associated with a memory 152. The memory 152 can comprise computer readable instructions 154 which are executable by the processor 121.”) to receive, at the computing device, the evaluation function (Baldwin, Parag. [0017]; “According to an example, in a set up phase, analytics can be selected, and transformation rules to transform a data item, such as anonymization, pseudonymisation and contextualization rules, can be generated and sent to the transformation module 105.” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.” Examiner submits that the evaluation function is interpreted as the rule selected based on the field/key. For example contextual pseudonymization., masking or hashing.). As per Claim 14, the combination of Baldwin and Christodoulou teach the non-transitory machine-readable storage medium of claim 8. Baldwin teaches further comprising instructions (Baldwin, Parag. [0057-0058]; “For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor. With reference to figure 1 for example, processor 121 can be associated with a memory 152. The memory 152 can comprise computer readable instructions 154 which are executable by the processor 121.”) to: transmit, at the computing device, the return data item to a message rewriter of the computing device (Baldwin, Parag. [0018]; “The event data 109 is sent to the transformation module 105 (i.e., rewriter) which applies one or more rules to transform or modify the data (i.e. by way of one or more of anonymization, pseudonymisation and contextualization rules in order to anonymise, pseudonymise and contextualise the data) before forwarding the messages to the analytics engine 111.” … Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information.”); and obfuscate, at the computing device, the tuple of the return data item (Baldwin, Parag. [0018]; “The event data 109 is sent to the transformation module 105 (i.e., rewriter) which applies one or more rules to transform or modify the data (i.e. by way of one or more of anonymization, pseudonymisation and contextualization rules in order to anonymise, pseudonymise and contextualise the data) before forwarding the messages to the analytics engine 111.” … Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information.”). Claims 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Baldwin et al. (WO2020251587A1) hereinafter Baldwin in view of Christodoulou et al. (US 2003/0069898) hereinafter Christodoulou and further in view of Bangalore et al. (US 2020/0192736) hereinafter Bangalore. As per Claim 15, Baldwin teaches a non-transitory machine-readable storage medium encoded with instructions executable by a processor, the machine-readable storage medium comprising instructions (Baldwin, Parag. [0057-0058]; “For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor. With reference to figure 1 for example, processor 121 can be associated with a memory 152. The memory 152 can comprise computer readable instructions 154 which are executable by the processor 121.”) to: receive, at a computing device having the processor and memory executing in a network environment, a system log from an originating apparatus (Baldwin, Abstract; “a method for modifying a data item from a source apparatus, the data item associated with an event” … Para. [0001]; “Nodes in a network, whether print devices, PCs or loT devices and so on, can produce multiple events. The events can relate to processes executing within the nodes, logon attempts and so on. Such events can be used to determine the occurrence of potential security issues within the network, or other issues that may benefit from attention. Such events can include personal or confidential data.” … Parag. [0018]; “In a runtime phase, according to an example, event data 109, such as that representing security event messages for example, are created by devices such as the source apparatus 103 of figure 1. The event data 109 is sent to the transformation module 105.” Examiner submits that the system log is interpreted as data related to an event in a device(s).), wherein a value in the system log is accessible for processing within the network environment (Baldwin, Abstract; “a method for modifying a data item from a source apparatus, the data item associated with an event, in which the method comprises, within a trusted environment, parsing the data item to generate a set of tuples relating to the event and/or associated with the source apparatus, each tuple comprising a data item, and a data identifier related to the data item, applying a rule to a first tuple to pseudonymise a first data item to provide a transformed data item, and/or generate a contextual supplement to the first data item, generating a mapping between the transformed data item and the first data item, whereby to provide a link between the transformed data item and the first data item to enable subsequent resolution of the first data item using the transformed data item, and forwarding the transformed data item and the data identifier related to the first data item to an analytics engine situated logically outside of the trusted environment.” … Parag. [0015]; “A source apparatus 103 can be a node or endpoint in a network. For example, a source apparatus 103 can be an loT device, printer, PC and so on.” Examiner submits that the transformation process applied to the data is interpreted as data accessible to be processed.); determine, at the computing device, a user-defined function to be applied to the value, wherein the user-defined function corresponds to a key (Baldwin, Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier (i.e., a key) related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information. The transformation module 105 operates within the trusted environment. In an example, processor 121 can be used to apply a transformation rule to a first tuple to pseudonymise a first data item in order to provide a pseudonymised data item, and/or generate a contextual supplement to the first data item.” … Parag. [0027]; “Analytics Engine 111 can be triggered upon selected rules (based on the fields available within the event message) when event messages are fed into the system of figure 1 and these may build on information already stored from previous events. Alternatively, analytic rules may run regularly to derive reports. The contextual information can enable analytics to be applied that would not otherwise be used. For example, a rule may look for large numbers of events such as failed logins, or security alerts occurring at one location or being triggered from a particular source IP address (or IP addresses within a given site).” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.”) in the system log (Baldwin, Para. [0001]; “Nodes in a network, whether print devices, PCs or loT devices and so on, can produce multiple events. The events can relate to processes executing within the nodes, logon attempts and so on. Such events can be used to determine the occurrence of potential security issues within the network, or other issues that may benefit from attention. Such events can include personal or confidential data.”); apply the user-defined function to the value (Baldwin, Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier (i.e., a key) related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information. The transformation module 105 operates within the trusted environment. In an example, processor 121 can be used to apply a transformation rule to a first tuple to pseudonymise a first data item in order to provide a pseudonymised data item, and/or generate a contextual supplement to the first data item.” … Parag. [0027]; “Analytics Engine 111 can be triggered upon selected rules (based on the fields available within the event message) when event messages are fed into the system of figure 1 and these may build on information already stored from previous events. Alternatively, analytic rules may run regularly to derive reports. The contextual information can enable analytics to be applied that would not otherwise be used. For example, a rule may look for large numbers of events such as failed logins, or security alerts occurring at one location or being triggered from a particular source IP address (or IP addresses within a given site).” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.”), [wherein applying the user-defined function comprises generating a data tag characterizing the value, wherein the data tag indicates a format of the value]; [couple the data tag to the system log, wherein the data tag is transmitted with the system log outside the network environment], and wherein the value is rendered inaccessible for processing outside the network environment (Baldwin, Parag. [0015-0016]; “Figure 1 is a schematic representation of a system according to an example. In the example of figure 1 , a trust boundary 101 is depicted. The trust boundary 101 defines a logical boundary between a trusted environment within which a source apparatus 103 is located, and a non-trusted environment. The non-trusted environment is that to which personal and/or private data which forms part of an event generated by the source apparatus 103 should not be passed (i.e., data cannot be rendered at devices that are outside the trusted network). … In an example, analytics can be generated within one boundary (such as a security service provider in a non-trusted environment to the right of the trust boundary 101 in figure 1) whilst personal and confidential information is retained within, for example, an enterprise (i.e. a trusted environment to the left of the trust boundary 101 in figure 1).” … Parag. [0017]; “According to an example, in a set up phase, analytics can be selected, and transformation rules to transform a data item, such as anonymization, pseudonymisation and contextualization rules, can be generated and sent to the transformation module 105.” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.”); and [transmit the data tag for transmission to a destination outside the network environment]. Baldwin does not expressly teach: wherein applying the user-defined function comprises generating a data tag characterizing the value, wherein the data tag indicates a format of the value; couple the data tag to the system log, wherein the data tag is transmitted with the system log outside the network environment, and transmit the data tag for transmission to a destination outside the network environment. However, Christodoulou teaches: wherein applying the user-defined function comprises generating a data tag characterizing the value, wherein the data tag indicates a format of the value (Christodoulou, Parag. [0003]; “Alternatively, the metadata may equally be much more complex comments, or tags, that may refer to the structure of the data. For example, the metadata associated with a text document may include a reference to the subject matter of the document, its author, the number of words, the size of the data item etc. As a further example, metadata associated with a graphical image such as a photograph may include tags identifying different elements of the image i.e. that the image is a sunrise/sunset, it includes people faces, it is a landscape, and so on.” … Parag. [0010]; “the data item acquisition unit including a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the data store.” … Parag. [0019]; “According to a second aspect of the present invention there is provided a method of processing data, the method comprising generating a data tag associated with a data item, said data tag generation occurring at a data acquisition unit, and transmitting at least said data tag to a data store.” … Parag. [0035] “The metadata generator is arranged to process data items input from one or more of the data input devices to generate data tags or metadata for each data item.” … Parag. [0036]; “On receipt of the data items the metadata generator 12 will perform data processing to generate metadata associated with the input data items. The metadata may then be transmitted from the data acquisition unit 2 to the data store 4, together with, for example, a request from the data acquisition unit for the data store 4 to provide further data items that have similar metadata associated with them.”); transmit the data tag for transmission to a destination outside the network environment (Christodoulou, Parag. [0010-0011]; “According to the present invention there is provided a data processing system comprising at least one data item acquisition unit and at least one data store, the data item acquisition unit including a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the data store. The data item acquisition unit may also transmit the data item itself to the at least one data store.” … Claim 39; “A data processing system comprising at least one data item acquisition unit and at least one remote data store, the data item acquisition unit comprising a data tag generator for generating a data tag associated with each data item, and the data item acquisition unit being arranged to transmit at least the data tag to the remote data store, wherein said data tag generator is arranged to detect a failure to generate a data tag for a data item and in response to said failure to request the transmission of further configuration information held at the remote data store to allow successful data tag generation to occur.”). Baldwin and Christodoulou are from similar field of technology. Prior to the instant application’s effective filling date, there was a need to provide a secure data communication between trusted and non-trusted networks. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Christodoulou system into Baldwin system with a motivation to provide a method to generate a tag and associate the tag with the data item (Christodoulou, Parag. [0010]). The combination of Baldwin and Christodoulou does not expressly teach: couple the data tag to the system log, wherein the data tag is transmitted with the system log outside the network environment … However, Bangalore teaches: couple the data tag to the system log, wherein the data tag is transmitted with the system log outside the network environment (Bangalore, Parag. [0030]; “In some embodiments, the application 140 or the operating system 138 tags the diagnostic log 142 with a collaborative session identifier, and sends the logs to an external storage service.” … Parag. [0032]; “For example, the electronic processor 150 may append the log files with metadata including the session identifier. In another example, the electronic processor 150 may insert the session identifier directly into the diagnostic logs, using a predetermined format. In some embodiments, the first and second diagnostic logs are merged into a single file, which is tagged with the session identifier. In some embodiments, the diagnostic logs are tagged with a session identifier at the user device prior to transmission to the collaboration server.”). Baldwin, Christodoulou and Bangalore are from similar field of technology. Prior to the instant application’s effective filling date, there was a need to provide a secure data communication between trusted and non-trusted networks. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bangalore system into Baldwin-Christodoulou system with a motivation to provide a method to generate a tag and add the tag to a log in order to identify system log data (Bangalore, Parag. [0030]). As per Claim 16, the combination of Baldwin, Christodoulou and Bangalore teach the non-transitory machine-readable storage medium of claim 15. Baldwin teaches further comprising instructions to obfuscate the value (Baldwin, Parag. [0018]; “The event data 109 is sent to the transformation module 105 (i.e., rewriter) which applies one or more rules to transform or modify the data (i.e. by way of one or more of anonymization, pseudonymisation and contextualization rules in order to anonymise, pseudonymise and contextualise the data) before forwarding the messages to the analytics engine 111.” … Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information.”). As per Claim 17, the combination of Baldwin, Christodoulou and Bangalore teach the non-transitory machine-readable storage medium of claim 15. Baldwin teaches further comprising instructions to obfuscate the system log (Baldwin, Parag. [0018]; “The event data 109 is sent to the transformation module 105 (i.e., rewriter) which applies one or more rules to transform or modify the data (i.e. by way of one or more of anonymization, pseudonymisation and contextualization rules in order to anonymise, pseudonymise and contextualise the data) before forwarding the messages to the analytics engine 111.” … Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information.”). As per Claim 18, the combination of Baldwin, Christodoulou and Bangalore teach the non-transitory machine-readable storage medium of claim 15. Christodoulou teaches further comprising instructions to transmit the data tag separately from the system log outside the network environment, wherein an association between the data tag and the system log is maintained (Christodoulou, Parag. [0024]; “According to a third aspect of the present invention there is provided a data item acquisition device comprising a data tag generator and being arranged to transmit a generated data tag associated with an acquired data item to a data store.” … Parag. [0035]; “FIG. 1 shows a data acquisition device or unit 2 connected to a data Store 4. The data acquisition unit 2 is connected to one or more data input devices. Examples of data input devices that are shown are a discrete data storage unit 6, for example a hard disk, a digital camera 8, and a document scanner 10. Other input devices such as video or sound recorders could also be provided. Located in the data acquisition unit 2 is a data tag generator 12 also known as a metadata generator. The metadata generator is arranged to process data items input from one or more of the data input devices to generate data tags or metadata for each data item. A data store 4 is connected to the data acquisition unit 2. The data store unit includes one or more data storage devices 14, such as known hard disk drives. Connected to the data storage devices 14 is a data query and/or indexing unit that is arranged to perform conventional data searching procedures. The data storage devices 14 are arranged to store either a plurality of data tags, a plurality of individual data items, or both data items and their associated data tags. The data acquisition unit 2 and data store 4 are connected by any suitable data transmission channel, for example by fibre optic cable, or by wireless connections.”). As per Claim 19, the combination of Baldwin, Christodoulou and Bangalore teach the non-transitory machine-readable storage medium of claim 15. Baldwin teaches further comprising instructions to receive, at the computing device, the user-defined function (Baldwin, Parag. [0017]; “According to an example, in a set up phase, analytics can be selected, and transformation rules to transform a data item, such as anonymization, pseudonymisation and contextualization rules, can be generated and sent to the transformation module 105.” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.” Examiner submits that the evaluation function is interpreted as the rule selected based on the field/key. For example contextual pseudonymization, masking or hashing.). Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Baldwin et al. (WO2020251587A1) hereinafter Baldwin in view of Christodoulou et al. (US 2003/0069898) hereinafter Christodoulou and further in view of Bangalore et al. (US 2020/0192736) hereinafter Bangalore and Oliner et al. (US 11,928,242) hereinafter Oliner. As per Claim 20, the combination of Baldwin, Christodoulou and Bangalore teach the non-transitory machine-readable storage medium of claim 15. Baldwin teaches wherein the instructions to determine the user-defined function to be applied to a portion of the value (Baldwin, Parag. [0024]; “The transformation module 105 comprises a processor 121. In an example, processor 121 can transform or modify event data from source apparatus 103, wherein the event data can be in the form of an event or event message. In an example, the processor 121 can sort event data into fields, e.g. by parsing. A field can comprise a tuple relating to the event and/or associated with the source apparatus, and which comprises a data item, and a data identifier related to the data item. The processor 121 can update, transform or modify the data item (or a portion thereof) according to a set of rules in order to, for example, mask or pseudonymise private data, convert data fields into additional contextual information, or augment the data item with additional contextual information. The transformation module 105 operates within the trusted environment. In an example, processor 121 can be used to apply a transformation rule to a first tuple to pseudonymise a first data item in order to provide a pseudonymised data item, and/or generate a contextual supplement to the first data item.” … Parag. [0033]; “According to an example, and as described above, an event message can be subdivided or parsed into a set of fields or tuples each of which is described in terms of a fieldname (data identifier) and value (data item). In the examples below, a data item is re-represented with some token. This token can be in the form of a random string/GUID. It can be in the form of a known class (e.g.“admin”,’’California”) to provide context. It can also be a combination of these (e.g. a concatenation of strings that sufficiently represent context and preserve identity obfuscation across the trust boundary). The rules may apply differently depending on the fields. For example, for one field like user name, contextual pseudonymization can be applied. For another field like job name, anonymization (in the form of masking) can be applied. For a third field like source IP address, a hash function can be applied.”) further [comprise instructions to validate the user-defined function]. The combination of Baldwin, Christodoulou and Bangalore does not expressly teach: instructions to validate the user-defined function. However, Oliner teaches: instructions to validate the user-defined function (Oliner, Col. 5, lines 59-60; “Alternatively, a user may manually define extraction rules for fields using a variety of techniques.” … Col. 44, lines 14-29; “In some cases, an example value is used to identify other values from the dataset, which are used to generate one or more extraction rules (e.g., to determine the formatting, pattern, and/or context of PII values). As an example, in some cases, the system identifies an occurrence of an example value from an event, generates a preliminary extraction rule based on that occurrence (e.g., capable of extracting that occurrence), uses the preliminary extraction rule to identify other potential PII values in the dataset, and determines the formatting, pattern, and/or context using the identified set of values. This information could be used to update or replace the preliminary extraction rule, to generate one or more additional extraction rules capable of extracting the occurrence of the example value, to identify other example values for the same or a different dataset, and/or to determined or validate generated extraction rules.” … Col. 47, lines 52-62; “For example, a query (e.g., search query 2012) could reference the field in one or more query commands of the query language. This can allow the system to automatically mask (e.g., delete or replace) the PII values from the query results by referencing the field. As another option, a user could define the query using the field (e.g., by typing the field/PII label into the query or otherwise directing a command comprising the label to be included in the query). Further, the extraction rules can be utilized to define metadata fields, such as custom fields, as described above.” Examiner submits that the evaluation function is interpreted as the rule selected based on the field/key. For example, contextual pseudonymization, masking or hashing.) Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Shikha et al. (US 10,713,235) a computer-implemented method for evaluating and storing data items may include (i) receiving a data item to be evaluated and stored, (ii) evaluating the data item by comparing the data item with a set of rules used to determine properties of data items, (iii) storing, in connection with the data item, (a) at least one determined property of the data item and (b) contextual details about a state of at least one rule used to determine the property at a point in time at which the rule was used, and (iv) after the data item has been stored, performing an action on the data item based on the stored contextual details. Various other methods, systems, and computer-readable media are also disclosed. Adhikari et al. (US 11,194,764) a processing logic receives a request to perform an operation with respect to a resource associated with an account. Processing logic determines a tag policy for the account, wherein the tag policy specifies a required tag for resources associated with the account, wherein the required tag comprises a key value pair comprising a tag key and an associated tag value. Processing logic determines or more tag compliance rules of the tag policy, wherein the one or more tag compliance rules comprise a required syntax for the tag key and a set of permissible values for the tag value. Processing logic determines that the resource fails to comply with the one or more tag compliance rules of the tag policy and performs a remedial action with respect to the resource. Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEX D CARRASQUILLO whose telephone number is (571)270-5045. The examiner can normally be reached Monday - Friday 9:00 am - 6:00 pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /A.D.C./Examiner, Art Unit 2498 /YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498