Prosecution Insights
Last updated: May 29, 2026
Application No. 18/725,988

DEVICES, SYSTEMS, AND METHODS FOR STREAMLINING AND STANDARDIZING THE INGEST OF SECURITY DATA ACROSS MULTIPLE TENANTS

Final Rejection §102 §103
Filed: Jul 01, 2024
Priority: Dec 30, 2021 — provisional 63/295,150 +1 more
Examiner: DAILEY, THOMAS J
Art Unit: 2458
Tech Center: 2400 — Computer Networks
Assignee: Bluevoyant LLC
OA Round: 2 (Final)
Grant Probability: 81% (Favorable)
OA Rounds: 3-4
Est. Remaining: 1y 4m
With Interview: 96%

Examiner Intelligence

Grants 81% — above average
Career Allowance Rate: 81% (698 granted / 864 resolved), +22.8% vs TC avg
Interview Lift: +15.0% (Moderate +15% lift), resolved cases with interview
Typical timeline: 3y 3m Avg Prosecution, 19 currently pending
Career history: 890 Total Applications across all art units

Statute-Specific Performance

§101: 1.7% (-38.3% vs TC avg)
§103: 83.0% (+43.0% vs TC avg)
§102: 8.8% (-31.2% vs TC avg)
§112: 3.7% (-36.3% vs TC avg)
Based on career data from 864 resolved cases

Office Action

§102 §103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claims 1-31 are pending.

Response to Arguments

Applicant's arguments filed 12/12/2025 have been fully considered but they are not persuasive.

The applicant argues with respect to claims that Sriharsha fails to disclose every element of claim 1. Specifically, claim 1 requires in part, “receiving, by each of [a] plurality of data gateway modules of the security monitoring system, raw log data from the log source associated therewith” and the applicant alleges Sriharsha is silent regarding the use of a plurality of data gateway modules for receiving raw log data from an associated log source.

The examiner disagrees. Sriharsha discloses receiving, by each of the plurality of data gateway modules of the security monitoring system, raw log data from the log source associated therewith (Figs. 3A, 34A, and [0790], particularly, “The raw data converter 3402 can join ingested pieces of data prior to a conversion. For example, the ingested pieces of data can include job manager logs, task manager logs, and/or one or more other types of application logs.”).

While Sriharsha may only explicitly refer to “raw data converter 3402” in the singular in [0790], it is clear there are multiple converters in operation and such is explicitly recited in [0808], “In some embodiments, not shown, the streaming data processor(s) 308 can launch multiple raw data converters 3402 that may or may not have a 1-to-1 mapping to the local pattern matchers 3404A-3404D to facilitate the conversion of the ingested data into the comparable data structures,” and thus discloses “a plurality of data gateway modules.”

Further, the examiner stresses the breadth of the term, “data gateway module.” While the applicant has numerous references to the instant specification and exemplary embodiments of Sriharsha in their arguments, see pages 9-12 of the remarks dated 12/12/2025; the applicant has not provided the term with its broadest reasonable interpretation in light of the specification. In other words, data converters 3402 fit within the scope of the term “data gateway modules,” even if they do not fit into the non-limiting examples the applicant has attempted to define them to be.

The applicant further argues with respect to claim 1 that Sriharsha fails to disclose, “generating, by each of the plurality of data gateway modules of the security monitoring system, formatted log data based on the raw log data; ingesting, by the edge module of the security monitoring system, formatted log data from the plurality of data gateway modules.” Specifically, the applicant contends the raw data converters 3402 format the raw log data after it has been ingested by the intake system.

The examiner disagrees. Sriharsha discloses generating, by each of the plurality of data gateway modules of the security monitoring system, formatted log data based on the raw log data (Figs. 3A, 34A, and [0790]-[0791], particularly, “The raw data converter 3402 can be configured to convert ingested data into a comparable data structure. Specifically, the raw data converter 3402 can parse an ingested piece of data (e.g., task manager logs, job manager logs, and/or other type(s) of application logs that describe various events) and identify delimiters (e.g., blank spaces, commas, periods, semicolons, dashes, pipes, and/or any other character that may separate two items, such as two tokens) in the ingested piece of data based on the parsing.”); ingesting, by the edge module of the security monitoring system, formatted log data from the plurality of data gateway modules (Fig. 1 and [0781], particularly, “As detailed above, data may be ingested at the data intake and query system 108 through an intake system 210 configured to conduct preliminary processing on the data, and make the data available to downstream systems or components, such as the indexing system 212, query system 214, third party systems, etc. In some cases, there may be errors, anomalies, or other issues with the ingested data. Typically, such errors, anomalies, or other issues may be surfaced by an administrator after the data has been ingested, processed, and made available to downstream systems or components (e.g., after the ingested data has already been indexed and stored in common storage 216, after the ingested data is searchable by the query system 214, etc.)”).

From the citations taken from Sriharsha, [0781], [0790]-[0791], it is clear the data formatted by the data converters is in turn ingested by downstream systems or components as it recites, “As detailed above, data may be ingested at the data intake and query system 108 through an intake system 210 configured to conduct preliminary processing on the data, and make the data available to downstream systems or components, such as the indexing system 212, query system 214, third party systems, etc.” and these downstream entities read on an “edge module.” Therefore, the applicant’s conclusion the raw data converters 3402 format the raw log data after it has been ingested by the intake system is not relevant.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-8, 11, 12, 14, 16-23, 26, 27, 29, and 31 are rejected under 35 U.S.C. 102(a)(1)/(2) as being anticipated by Sriharsha et al (US Pub. No. 2021/0117231; cited on IDS), hereafter, “Sriharsha.”

As to claim 1, Sriharsha discloses a method for streamlining and standardizing the ingest of data in a security monitoring system across a plurality of tenant networks, the security monitoring system comprising an edge module, a central control plane module, and a plurality of data gateway modules, each of the plurality of data gateway modules associated with a different log source, each of the plurality of tenant networks comprising at least one log source (Figs. 1 and 2), the method comprising:

receiving, by each of the plurality of data gateway modules of the security monitoring system, raw log data from the log source associated therewith (Figs. 3A, 34A, and [0790], particularly, “The raw data converter 3402 can join ingested pieces of data prior to a conversion. For example, the ingested pieces of data can include job manager logs, task manager logs, and/or one or more other types of application logs.” [0808] explicitly discloses a plurality of raw data converters);

generating, by each of the plurality of data gateway modules of the security monitoring system, formatted log data based on the raw log data (Figs. 3A, 34A, and [0790]-[0791], particularly, “The raw data converter 3402 can be configured to convert ingested data into a comparable data structure. Specifically, the raw data converter 3402 can parse an ingested piece of data (e.g., task manager logs, job manager logs, and/or other type(s) of application logs that describe various events) and identify delimiters (e.g., blank spaces, commas, periods, semicolons, dashes, pipes, and/or any other character that may separate two items, such as two tokens) in the ingested piece of data based on the parsing.”);

ingesting, by the edge module of the security monitoring system, formatted log data from the plurality of data gateway modules (Fig. 1 and [0781], particularly, “As detailed above, data may be ingested at the data intake and query system 108 through an intake system 210 configured to conduct preliminary processing on the data, and make the data available to downstream systems or components, such as the indexing system 212, query system 214, third party systems, etc. In some cases, there may be errors, anomalies, or other issues with the ingested data. Typically, such errors, anomalies, or other issues may be surfaced by an administrator after the data has been ingested, processed, and made available to downstream systems or components (e.g., after the ingested data has already been indexed and stored in common storage 216, after the ingested data is searchable by the query system 214, etc.)”);

automatically updating, by the central control plane module of the security monitoring system, a configuration of at least one of the plurality of data gateway modules based on a change to the log source(s) associated therewith (Fig. 3A and [0786], particularly, “The streaming data processor(s) 308 can then convert the joined logs into a comparable data structure (e.g., a string vector), determine whether the comparable data structure should be assigned to an existing data pattern or a new data pattern, and optionally update a characteristic of the data pattern to which the comparable data structure is assigned. The streaming data processor(s) 308 can perform these operations without an administrator first providing a query or otherwise attempting to investigate the characteristics of the ingested data. Thus, an administrator may not need to understand the specific query language used to produce query results. Rather, the streaming data processor(s) 308 can perform these operations automatically in real-time (e.g., as soon as data is ingested or while the data is streamed) or in batches (e.g., periodically every minute, hour, day, week, etc.).”); and

implementing, by the security monitoring system, a security action related to at least one of the plurality of tenant networks based on the ingested formatted data (Fig. 3A and [0788], particularly, “If the combined score exceeds a threshold, this may indicate that the ingested pipeline metric(s) are truly anomalous and not false positives. Thus, the streaming data processor(s) 308 or another component of the data intake and query system 108 can then generate a user interface or alert that indicates that the ingested pipeline metric(s) are anomalous and use the anomalous logs to explain a reason why the ingested pipeline metric(s) are anomalous.”).

As to claims 16 and 31, they are rejected by a similar rationale to that set forth in claim 1’s rejection.

As to claim 2 and 17, Sriharsha discloses filtering, by each of the plurality of data gateway modules of the security monitoring system, the raw log data to include only relevant security fields to generate the formatted log data ([0689]); and normalizing, by each of the plurality of data gateway modules of the security monitoring system, the raw log data based on a standard schema to generate the formatted log data (Fig. 1 and [0756]).

As to claim 3 and 18, Sriharsha discloses updating, by the central control plane module of the security monitoring system, the filtering of the raw log data performed by the plurality of gateway modules based on an update to the relevant security fields ([0737]).

As to claim 4 and 19, Sriharsha discloses routing, by each of the plurality of data gateway modules of the security monitoring system, the raw log data to a tenant storage archive (Fig. 4, [0240]); and routing, by each of the plurality of data gateway modules of the security monitoring system, the formatted log data to a SIEM detection engine and [0760]).

As to claim 5 and 20, Sriharsha discloses hosting the edge module by a SIEM provider server; hosting the SIEM detection engine by the SIEM provider server; and hosting the tenant storage archive by a tenant server (Fig. 2, [0191], and [0209]).

As to claim 6 and 21, Sriharsha discloses hosting the edge module by a SIEM provider server; hosting the SIEM detection engine by the SIEM provider server, and hosting the tenant storage archive by the SIEM provider server (Fig. 2, [0191], and [0209]).

As to claim 7 and 22, Sriharsha discloses hosting the SIEM detection engine by a third party server; hosting the edge module by the third party server; hosting the tenant storage archive by the tenant server (Figs. 2, 3A, [0191], and [0209]).

As to claim 8 and 23, Sriharsha discloses hosting the SIEM detection engine by a third-party server; and hosting the tenant storage system by the third-party server (Figs. 2, 3A, [0191], and [0209]).

As to claim 11 and 26, Sriharsha discloses at least one of the plurality of tenant networks of the security monitoring system comprises a cloud-based log source and an on-premises log source, the method further comprising: generating the raw log data by the cloud-based log source; and generating the raw log data by the on-premises log source (Fig. 2, [0188]-[0189]).

As to claim 12 and 27, Sriharsha discloses hosting the edge module by a SIEM provider server; and hosting the central control plane module by the SIEM provider server (Figs. 2, 3A, [0191], and [0209]).

As to claim 14 and 29, Sriharsha discloses implementing the security action comprises generating a security alert to be transmitted to an administrator of the at least one tenant network ([0784] and [0788]).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 9-10, 13, 15, 24-25, 28, and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Sriharsha in view of Zimmermann et al (US Pub. No. 2018/0027006), hereafter, “Zimmermann.”

As to claim 9 and 24, Sriharsha discloses the parent claim but does not disclose simultaneously updating, by the central control plane module of the security monitoring system, a configuration of the plurality of gateway modules based on a common change to the log sources associated therewith; and updating, by the central control plane module of the security monitoring system, a configuration of at least one of the plurality of gateway modules based on an exception related to the log source(s) associated therewith.

However, Zimmermann discloses simultaneously updating, by a central control plane module of a security monitoring system, a configuration of a plurality of gateway modules based on a common change to the log sources associated therewith (Fig. 1, [0104], particularly, “In embodiments, a policy API, associated with the policy automation engine 116, comprises one of the members of the family of enterprise APIs 104. This allows an enterprise to update policy criteria through APIs 104. As the enterprise continuously updates its policies, the APIs 104 can access the updates and implement a workflow to automatically update policies, including policies implemented by the policy automation engine 116 of the CSF 100.”); and updating, by the central control plane module of the security monitoring system, a configuration of at least one of a plurality of gateway modules based on an exception related to the log source(s) associated therewith (Fig. 23, [0412], particularly, “Ownership criteria may be used to flag objects owned by individuals, or members of OUs and groups, you can also define ownership exceptions, which let you say, “flag documents not owned by <users>”. Referring to FIG. 23, the ownership criteria may be configured with an ownership criteria configuration part 2302 of the UI. If “All users” is selected, and “Exceptions” is unchecked, no ownership criteria are created and the policy will apply regardless of ownership.”).

Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Sriharsha with Zimmermann in order to provide a more adaptable system that can change more quickly with changing networking environments.

As to claim 10 and 25, Sriharsha discloses the parent claim but does not disclose generating, by the central control plane module of the security monitoring system, a new gateway module to be associated with a new log source.

However, Zimmermann discloses generating, by the central control plane module of the security monitoring system, a new gateway module to be associated with a new log source. (Fig. 17, [0379] particularly, "In embodiments, the policy automation engine 116 uses an appropriate abstraction and model to fit foreseeable policy criteria for various environments and domains. The policy automation engine 116 prefers supports extensions for new platforms without extensive modification.").

Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Sriharsha with Zimmermann in order to provide a more adaptable system that can change more quickly with changing networking environments.

As to claim 13 and 28, Sriharsha discloses the parent claim but does not disclose identifying, by the central control plane module, a log source that is no longer generating raw log data.

However, Zimmermann discloses identifying, by the central control plane module, a log source that is no longer generating raw log data ([0298] particularly, “An inactive accounts use case may include flagging inactive accounts and accounts to de-provision. An inactive accounts use case may include various scenarios. Inactive accounts use case scenarios may include identifying that a user's account, such as on a SaaS organization or PaaS/IaaS platform has no activity for a long period of time, such as six weeks, or that the only activity on a user's account is API activity.").

Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Sriharsha with Zimmermann in order to provide a more adaptable system that can change more quickly with changing networking environments.

As to claim 15 and 30, Sriharsha discloses the parent claim but does not disclose implementing the security action comprises removing access to the at least one tenant network from one or more devices configured to access the at least one tenant network.

However, Zimmermann discloses implementing the security action comprises removing access to the at least one tenant network from one or more devices configured to access the at least one tenant network (Fig. 1, [0486], particularly, "Protection may include tracking and reporting on events occurring within PaaS/IaaS environments 138, tracking and reporting on user behavior, and various remediation actions, such as sending alerts, changing access control privileges, blocking or suspending access.").

Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Sriharsha with Zimmermann in order to provide a more adaptable system that can change more quickly with changing networking environments.

Conclusion

THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246. The examiner can normally be reached on 9:30am-6:00pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THOMAS J DAILEY/
Primary Examiner, Art Unit 2458

Prosecution Timeline

Jul 01, 2024: Application Filed
Sep 24, 2025: Non-Final Rejection mailed — §102, §103
Dec 12, 2025: Response Filed
Mar 30, 2026: Final Rejection mailed — §102, §103
May 15, 2026: Interview Requested
May 22, 2026: Examiner Interview Summary
May 22, 2026: Applicant Interview (Telephonic)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12634277
ACCESS CONTROL SYSTEM AND METHOD THEREOF
3y 11m to grant Granted May 19, 2026
Patent 12634305
UNSUPERVISED GAN-BASED INTRUSION DETECTION SYSTEM USING TEMPORAL CONVOLUTIONAL NETWORKS, SELF-ATTENTION, AND TRANSFORMERS
2y 6m to grant Granted May 19, 2026
Patent 12634191
NETWORK SYSTEM FAULT RESOLUTION VIA A MACHINE LEARNING MODEL
2y 1m to grant Granted May 19, 2026
Patent 12627554
MANAGEMENT DATA ANALYTICS
2y 2m to grant Granted May 12, 2026
Patent 12621243
CROSS-LAYER APPLICATION NETWORK FLOW ADAPTATION
4y 2m to grant Granted May 05, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 81%
With Interview (+15.0%): 96%
Median Time to Grant: 3y 3m (~1y 4m remaining)
PTA Risk: Moderate
Based on 864 resolved cases by this examiner. Grant probability derived from career allowance rate.
