Prosecution Insights
Last updated: July 17, 2026
Application No. 18/794,919

DATA-AWARE ANOMALY DETECTION

Non-Final OA §101§103
Filed
Aug 05, 2024
Examiner
JOHNSON, CARLTON
Art Unit
2436
Tech Center
2400 — Computer Networks
Assignee
Rubrik Inc.
OA Round
1 (Non-Final)
59%
Grant Probability
Moderate
1-2
OA Rounds
2y 7m
Est. Remaining
91%
With Interview

Examiner Intelligence

Grants 59% of resolved cases
59%
Career Allowance Rate
211 granted / 359 resolved
+0.8% vs TC avg
Strong +32% interview lift
Without
With
+31.9%
Interview Lift
resolved cases with interview
Typical timeline
4y 6m
Avg Prosecution
13 currently pending
Career history
385
Total Applications
across all art units

Statute-Specific Performance

§101
1.4%
-38.6% vs TC avg
§103
92.2%
+52.2% vs TC avg
§102
4.9%
-35.1% vs TC avg
§112
0.6%
-39.4% vs TC avg
Black line = Tech Center average estimate • Based on career data from 359 resolved cases

Office Action

§101 §103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION 1. Claims 1 - 20 are pending. Claims 1, 14, 19 are independent. 2. This application was filed on 8-5-2024. Claim Rejections - 35 USC § 101 3. 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. 4. Claims 1, 14, 19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claims recite determining locations of a type of data across multiple data sources, obtaining activity logs from those sources, converting the logs to a normalized format, associating the normalized logs with the type of data, and identifying anomalous activity based on the supplemented logs. These steps describe collecting, analyzing, and evaluating information, which is an abstract idea falling within the category of certain methods of organizing human activity (information analysis). Such processes can be performed by a human absent a computer. Accordingly, the claims recite an abstract idea. These steps describe collecting, analyzing, and evaluating information, which is an abstract idea falling within the category of mental processes and certain methods of organizing human activity (information analysis). Such processes can be performed by a human absent a computer. Any additional elements are recited at a high-level of generality and performed utilizing generic computers or computer components such that they amount to no more than mere instructions to apply the exception using a generic computer. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Considering the claim as a whole, looking at the elements individually and in an ordered combination, does not integrate the abstract idea into a practical application using the considerations set forth above. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements are recited at a high-level of generality and utilize generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. There are no well-understood, routine, and conventional additional elements recited in the claims. Thus, the claimed elements, either individually, or in the ordered combination do not add significantly more to the abstract idea. Claim Rejections - 35 USC § 103 5. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 6. Claims 1 - 4, 8, 10, 13 - 16, 18 - 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bhatia et al. (US PGPUB No. 20190318100) in view of Balles et al. (US Patent No. 11,922,204). Regarding Claims 1, 14, 19, Bhatia discloses a method and a resource management system and a non-transitory, computer-readable medium, comprising: a) determining, for a computing environment comprising a plurality of data sources (see Bhatia paragraph [0112]: the data loader application 206 can retrieve activity data for the tenant 220 from the service provider 230. The activity data can come from logs generated by the service provider 230 as the tenant's users use the service providers services. ... The data entered into a landing repository 210 may be in different formats and/or have different ranges of values, due, for example, from having been collected from different service providers (multiple sources activity logs).; paragraph [0034]: The event logs, also referred to herein as activity logs, provided by a service provider can include events recorded by the service provider as a tenant's users use the service provider's services. For example, the event logs can record users logging into the service, users placing authentication requests to access the services, new users of the service being generated, users of the service being deleted; paragraph [0093]: The activity data may be for a user account, a tenant account, a group account, or another type of account. The activity data may be obtained for a service, a particular type of data (e.g., a data for a particular attribute), one or more users, or combinations services, service providers, attributes, users, or other factors. In some examples, the data accesser 182 may process data to identify activity related to one or more criteria, such as one or more services, a particular type of data (e.g., a data for a particular attribute), one or more users, or combinations thereof.), a plurality of locations of a type of data that is present in different locations across the plurality of data sources; (see Bhatia paragraph [0074]: The application information 132 can record, for example, actions performed during use of the services 112a-112b of the service provider 110 as well as identification of the users who performed the actions, timestamps for when the actions were performed, network identification of network and/or geographic locations for the users when the users performed the actions, resources affected by the actions, and other information related to use of the services 112a-112b.) b) obtaining a first plurality of activity logs from a first data source of the plurality of data sources and a second plurality of activity logs from a second data source of the plurality of data sources, (see Bhatia paragraph [0007]: systems, methods, and computer-readable medium can perform steps including obtaining application data from a service provider system, wherein the application data includes a record of actions performed by an application during use of the application by one or more users associated with a tenant, wherein the application executes in a service platform provided for the tenant by the service provider system; paragraph [0034]: The event logs, also referred to herein as activity logs, provided by a service provider can include events recorded by the service provider as a tenant's users use the service provider's services. For example, the event logs can record users logging into the service, users placing authentication requests to access the services, new users of the service being generated, users of the service being deleted) wherein the first plurality of activity logs have a first format and capture activity information associated with the first data source, and wherein the second plurality of activity logs have a second format and capture activity information associated with the second data source (see Bhatia paragraph [0117]: the activity data may be received in different formats that are used by different service providers or services. For example, the data may be formatted in JSON or other data interchange formats, or may be available as log files or database entries. In some examples, the data loader application 206 performs operations for normalizing the data and reformatting the data into a common format for storage in, and retrieval from, the analytics and threat intelligence repository 211.) c) converting, based at least in part on obtaining the first plurality of activity logs and the second plurality of activity logs, the first plurality of activity logs and the second plurality of activity logs to a normalized format to obtain a plurality of normalized activity logs; (see Bhatia paragraph [0136]: the data in the activity logs may be normalized by the analytics engine 300 or prior to being provided to the analytics engine 300. Normalizing the activity data 310 include reformatting the activity data 310 such data from different services and/or service providers is comparable, has the same meaning, and/or bears the same significance and relevance. After normalization, the behavioral analytics engine 304 can aggregate and compare data from different cloud services in meaningful ways) and e) identifying, based at least in part on the plurality of supplemented activity logs, anomalous activity in the computing environment, the anomalous activity associated with the type of data being accessed in the first data source, the type of data being accessed in the second data source, or both. (see Bhatia paragraph [0040]: a security monitoring and control system can include an agent executing in the computing environment provided by the service platform The agent can capture actions taken by the application as the application executes. The agent can provide these actions as application data to a security management and control system. The security management and control system can use a model for the application to determine whether the application data includes anomalous usage of the application. For example, the model can describe a baseline usage for the application, where the baseline describes a manner in which the tenant's users use the application. In this example, usage that falls beyond a threshold of the baseline usage may be anomalous.) Bhatia does not specifically disclose for d) associating the plurality of normalized activity logs with the type of data to obtain a plurality of supplemented activity logs. However, Balles discloses: d) associating, based at least in part on the plurality of locations determined for the type of data, the plurality of normalized activity logs with the type of data to obtain a plurality of supplemented activity logs. (see Balles col 10: The asset information supplementer 216 can initiate the log file generator 217 after completing asset information supplement from the second data source(s) 240. The supplemented asset information can optionally be stored in the asset information store 215, or else in a separate data store. The log file generator 217 can use the enriched/supplemented asset information to generate the log files 218 (supplemented log files). In some embodiments, the log file generator 217 can be configured to generate a log file for each computing asset. The log file can comprise an asset identifier for the asset, as well as any attributes associated with the asset, which can include attributes collected by the asset information collector 211 as well as attributes collected by the asset information supplementer 216.) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bhatia for d) associating the plurality of normalized activity logs with the type of data to obtain a plurality of supplemented activity logs as taught by Balles. One of ordinary skill in the art would have been motivated to employ the teachings of Balles for the benefits achieved from the enhancements of a system that enables the utilization of multiple parameters such as supplemented data in the determination of abnormal network traffic. (see Balles col 10) Furthermore, for Claim 14, Bhatia discloses wherein one or more memories; and one or more processors, wherein the one or more memories store code comprising instructions executable, individually or collectively, by the one or more processors to cause the resource management system to perform operations. (see Bhatia paragraph [0032]: The processes depicted herein, such as those described with reference to the figures in this disclosure, may be implemented in software (e.g., code, instructions, program) executed by one or more processing units (e.g., processors cores), hardware, or combinations thereof. The software may be stored in a memory (e.g., on a memory device, on a non-transitory computer-readable storage medium).) Furthermore, for Claim 19, Bhatia discloses wherein non-transitory, computer-readable medium storing code that comprises instructions that are executable, individually or collectively, by one or more processors of a resource management system to cause the resource management system to perform operations. (see Bhatia paragraph [0032]: The processes depicted herein, such as those described with reference to the figures in this disclosure, may be implemented in software (e.g., code, instructions, program) executed by one or more processing units (e.g., processors cores), hardware, or combinations thereof. The software may be stored in a memory (e.g., on a memory device, on a non-transitory computer-readable storage medium).) Regarding Claims 2, 15, 20, Bhatia-Balles discloses the method of claim 1 and the resource management system of claim 14 and the non-transitory, computer-readable medium of claim 19, wherein the type of data is sensitive data (see Bhatia paragraph [0139]: the behavioral analytics engine 304 can include contextual data in the activity profile for a user. Contextual data can be obtained, for example, from third-party data 318, where the source of the third-party data 318 is a reputation system, a social media system, a news aggregator or provider, or another system that can maintain information about a user. Examples of contextual data include, travel location and itinerary from travel applications or email, employee status from healthcare management systems, sensitive financial time period from a Salesforce application, and/or sensitive emails from email servers,), and wherein the plurality of locations are locations of sensitive data across the plurality of data sources. (see Bhatia paragraph [0241]: one or more actions performed by the application affected a computing resource. In these examples, and the policy can indicate that the effect to the computing resource is a security risk. Examples of resources include databases, network locations credential storage, and other repositories for data.) Regarding Claims 3, 16, Bhatia-Balles discloses the method of claim 1 and the resource management system of claim 14, further comprising: a) storing, after associating the plurality of normalized activity logs with the type of data, the plurality of activity logs in a database (see Bhatia paragraph [0116]: the data loader application 206 can store retrieved activity data in the analytics and threat intelligence repository 211. The analytics and threat intelligence repository 211 can be any database or data repository with query capability. In some examples, the analytics and threat intelligence repository 211 is built in a NoSQL based infrastructure such as Apache Cassandra or another distributed data processing system,), wherein identifying the anomalous activity comprises: b) periodically performing one or more procedures for analyzing the stored plurality of activity logs for one or more types of anomalous activity. (see Bhatia paragraph [0113]: the data loader application 206 can obtain activity data by connecting to and communicating with the service provider 230. In various examples, the connection is made over an encrypted communication channel. In some examples, the connection can be authenticated by a token or using login credentials, or another authentication method. In some examples, collection of activity data is scheduled to occur periodically (e.g., every four hours, every six hours, or at some other time interval). In some examples, the schedule for collection is configurable by the tenant 220.) Balles discloses supplemented activity logs as stated above. Regarding Claim 4, Bhatia-Balles discloses the method of claim 3, further comprising: a) storing, based at least in part on periodically performing the one or more procedures, indications of the identified anomalous activity in a second database; (see Bhatia paragraph [0120]: the aggregation of activity information in the analytics and threat intelligence repository 211 concerning access patterns and other event statistics enables the system 200 to establish baselines of behavior. Machine learning techniques, for example, can be applied to detect threats and provide recommendations concerning how to respond to threats. Threat models can be developed to detect threats that are known or unknown or emerging. Threats can also be identified by comparing activity data with external threat intelligence information, such as information provided by third-party providers, as discussed further below. In various examples, data in the analytics and threat intelligence repository 211 can further be used to generate reports that may be presented visually to a system administrator via a user interface and to generate analytics for determining threat levels, detecting specific threats, and predicting potential threats, among other things.) and b) indicating via a user interface, based at least in part on storing the indications of the identified anomalous activity, an occurrence of the identified anomalous activity. (see Bhatia paragraph [0201]: In various implementations, the security monitoring and control system 402 can conduct analysis on the application data 432 to identify security risks. For example, the security monitoring and control system 402 can maintain a model for the hosted application 422, which can describe usage patterns for the hosted application 422 by a tenant's users. These usage patterns can capture routine or typical usage by the users. In some examples, the models can be machine learning models, such as a model that can be used by a neural network to identify usage patterns. In these and other examples, the security monitoring and control system 402 can compare application data 432 to the model, and identify anomalous activity: that is, actions performed by the hosted application 422 that fall outside of expected behavior.; paragraph [0210]: Using the graphical interface 600, a security administrator can perform various actions with respect to a risk event. For example, the incident column enables an administrator to mark a risk event for follow-up, and assign an incident number to the event. As another example, a drop-down list of actions can enable the administrator to perform actions such as changing the risk level of a risk event, marking risk events as false positives, sending a notification related to a risk event, and/or deleting a risk event.) Regarding Claims 8, 18, Bhatia-Balles discloses the method of claim 1, further comprising, wherein generating, based at least in part on the plurality of normalized activity logs and the type of data associated with the plurality of normalized activity logs, respective baselines associated with baseline activity for a set of users within the computing environment. (see Bhatia paragraph [0120]: the aggregation of activity information in the analytics and threat intelligence repository 211 concerning access patterns and other event statistics enables the system 200 to establish baselines of behavior (baseline behavior for a set of users). Machine learning techniques, for example, can be applied to detect threats and provide recommendations concerning how to respond to threats. Threat models can be developed to detect threats that are known or unknown or emerging. Threats can also be identified by comparing activity data with external threat intelligence information, such as information provided by third-party providers, as discussed further below. In various examples, data in the analytics and threat intelligence repository 211 can further be used to generate reports that may be presented visually to a system administrator via a user interface and to generate analytics for determining threat levels, detecting specific threats, and predicting potential threats, among other things.) Regarding Claim 10, Bhatia-Balles discloses the method of claim 8, wherein the anomalous activity is identified based at least in part on deviations in an activity of a user from a baseline activity for the user. (see Bhatia paragraph [0062]: analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity. In some examples, the security monitoring and control system 102 can simultaneously analyze data from different services and/or from different services providers. In these examples, the security monitoring and control system 102 may be able to detect suspect activity that is only evident when actions performed with different services occurs.; (determine deviations from normal or baseline behavior)) Regarding Claim 13, Bhatia-Balles discloses the method of claim 1, further comprising: a) storing, in a database, the first plurality of activity logs obtained from the first data source and the second plurality of activity logs obtained from the second data source; (see Bhatia paragraph [0116]: the data loader application 206 can store retrieved activity data in the analytics and threat intelligence repository 211. The analytics and threat intelligence repository 211 can be any database or data repository with query capability. In some examples, the analytics and threat intelligence repository 211 is built in a NoSQL based infrastructure such as Apache Cassandra or another distributed data processing system; paragraph [0074]: The application information 132 can include, for example data logs collected from the organization 130 and/or activity logs obtained from the service provider 110. The application information 132 can record, for example, actions performed during use of the services 112a-112b of the service provider 110 as well as identification of the users who performed the actions, timestamps for when the actions were performed, network identification of network and/or geographic locations for the users when the users performed the actions, resources affected by the actions, and other information related to use of the services) b) identifying, after identifying the anomalous activity in the computing environment, an association between characteristics of the first plurality of activity logs and the second plurality of activity logs and the identified anomalous activity; (see Bhatia paragraph [0155]: anomalous activity that is detected for a user of one cloud service can be used by the threat detection engine 302 to calculate or re-calculate the likelihood of a threat in the use of another cloud service. In this way, new events occurring during the use of one cloud service can be screened proactively to detect and/or predict threats in the use of another cloud service. In various examples, multiple data points across different cloud services can be correlated to increase the accuracy of a threat score.; paragraph [0040]: a security monitoring and control system can include an agent executing in the computing environment provided by the service platform The agent can capture actions taken by the application as the application executes. The agent can provide these actions as application data to a security management and control system. The security management and control system can use a model for the application to determine whether the application data includes anomalous usage of the application. For example, the model can describe a baseline usage for the application, where the baseline describes a manner in which the tenant's users use the application. In this example, usage that falls beyond a threshold of the baseline usage may be anomalous.; (detect an association between event data from two sources)) and c) updating a procedure for identifying anomalous activity based at least in part on the identified association. (see Bhatia paragraph [0123]: These applications can include a descriptive analytics application 207 and a prediction analytics application 212. In some examples, the descriptive analytics application 207 can generate analytics such as statistics on users, user activity, and resources used by the users. In some examples, the threat detection and prediction analytics application 212 can generate analytics using machine learning and other algorithms. The analytics performed by the prediction analytics application 212 can include identifying and predicting security threats from patterns of activity and behavioral models. Analytics performed by the descriptive analytics application 207 and the prediction analytics application 212 can be performed using data stored in the analytics and threat intelligence repository 211.) 7. Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Bhatia in view of Balles and further in view of HeftaGaub et al. (US PGPUB No. 20090112935, referred to as “HeftaGaub”). Regarding Claim 5, Bhatia-Balles discloses the method of claim 4, wherein identified anomalous activity. Bhatia does not specifically disclose for a) receiving a request for activity logs associated with the anomalous activity, and for b) outputting via the user interface activity logs associated with the anomalous activity. However, HeftaGaub discloses further comprising: a) receiving, based at least in part on indicating the occurrence of the identified anomalous activity, a request for supplemented activity logs of the plurality of supplemented activity logs associated with the anomalous activity; (see HeftaGaub paragraph [0011]: the content includes a reference to the activity log information and the system dynamically updates the content by retrieving the reference when the system receives a request to display the content.) and b) outputting via the user interface, in response to the request, one or more activity logs of the plurality of activity logs associated with the anomalous activity. (see HeftaGaub paragraph [0011]: the content includes a reference to the activity log information and the system dynamically updates the content by retrieving the reference when the system receives a request to display the content. A content author creates new content in an editor. For example, the content author may create content in a text editing application. As the author creates new content, the author places one or more references in the content that refer to a particular activity log entry and one or more fields of the entry. The system receives the new content from the author and stores the content in a data store for display to other users. When the system receives a request to display the content, the system retrieves the content including the references. The system retrieves target information of each reference from the activity log. The system renders the content including the retrieved target information in a form for display to a client application. The system sends the rendered content in response to the request. If the content author later modifies the information in the activity log, then the next time the system receives a request to display the content, the system will provide the updated information.) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bhatia for for a) receiving a request for activity logs associated with the anomalous activity, and for b) outputting via the user interface activity logs associated with the anomalous activity as taught by HeftaGaub. One of ordinary skill in the art would have been motivated to employ the teachings of HeftaGaub for the benefits achieved from the enhanced operation of a system that enables the display of requested information associated with activity logs for additional analysis of the information. (see HeftaGaub paragraph [0011]) Balles discloses supplemented activity logs as stated above. 8. Claims 6, 7, 9, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Bhatia in view of Balles and further in view of Nareddy et al. (US PGPUB No. 20030120670). Regarding Claims 6, 17, Bhatia-Balles discloses the method of claim 1 and the resource management system of claim 14. Bhatia does not specifically disclose determining an identity of a user associated with supplemented activity logs. However, Nareddy discloses wherein further comprising determining an identity of one or more users associated with one or more respective sets of the plurality of supplemented activity logs. (see Nareddy paragraph [0027]: providing customers with access to and analysis of event data (e.g., navigation data collected at customer web sites) is provided. The event data may be stored in log files and supplemented with data from other sources, such as product databases and customer invoices. In one embodiment, a data warehouse system collects customer data from the customer web sites and stores the data at a data warehouse server. The customer data may include application event data (e.g., click stream log files), user attribute data of users of the customer web site (e.g., name, age, and gender),) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bhatia for determining an identity of a user associated with supplemented activity logs as taught by Nareddy. One of ordinary skill in the art would have been motivated to employ the teachings of Nareddy for the benefits achieved from the flexibility of a system including the identification information associated with a user within the supplemented activity logs. (see Nareddy paragraph [0027]) Regarding Claim 7, Bhatia-Balles discloses the method of claim 6. Bhatia does not specifically disclose updating, determining an identity of a user associated with a set of the plurality of supplemented activity logs, to include an indication of the user. However, Nareddy discloses further comprising updating, based at least in part on determining an identity of a user associated with a set of the plurality of supplemented activity logs, the set of the plurality of supplemented activity logs to include an indication of the user. (see Nareddy paragraph [0027]: providing customers with access to and analysis of event data (e.g., navigation data collected at customer web sites) is provided. The event data may be stored in log files and supplemented with data from other sources, such as product databases and customer invoices. In one embodiment, a data warehouse system collects customer data from the customer web sites and stores the data at a data warehouse server. The customer data may include application event data (e.g., click stream log files), user attribute data of users of the customer web site (e.g., name, age, and gender),) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bhatia for updating, determining an identity of a user associated with a set of the plurality of supplemented activity logs, to include an indication of the user as taught by Nareddy. One of ordinary skill in the art would have been motivated to employ the teachings of Nareddy for the benefits achieved from the flexibility of a system including the identification information associated with a user within the supplemented activity logs. (see Nareddy paragraph [0027]) Regarding Claim 9, Bhatia-Balles discloses the method of claim 8 and the resource management system of claim 14, including normalized activity logs. Bhatia does not specifically disclose determining, based at least in part on the respective baselines, an identity of one or more users associated with the plurality of activity logs. However, Nareddy discloses wherein further comprising: determining, based at least in part on the respective baselines, an identity of one or more users associated with one or more sets of the plurality of activity logs. (see Nareddy paragraph [0027]: providing customers with access to and analysis of event data (e.g., navigation data collected at customer web sites) is provided. The event data may be stored in log files and supplemented with data from other sources, such as product databases and customer invoices. In one embodiment, a data warehouse system collects customer data from the customer web sites and stores the data at a data warehouse server. The customer data may include application event data (e.g., click stream log files), user attribute data of users of the customer web site (e.g., name, age, and gender),) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bhatia for determining, based at least in part on the respective baselines, an identity of one or more users associated with the plurality of activity logs as taught by Nareddy. One of ordinary skill in the art would have been motivated to employ the teachings of Nareddy for the benefits achieved from the flexibility of a system including the identification information associated with a user within the supplemented activity logs. (see Nareddy paragraph [0027]) 9. Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Bhatia in view of Balles and further in view of Levin et al. (US PGPUB No. 20220385682). Regarding Claim 11, Bhatia-Balles discloses the method of claim 1, further comprising: obtaining a first plurality of activity logs from the first data source and a second plurality of management logs from the second data source, wherein a set of management logs of the first plurality of management logs, a set of activity logs of the second plurality of management logs, or both. (see Bhatia paragraph [0007]: systems, methods, and computer-readable medium can perform steps including obtaining application data from a service provider system, wherein the application data includes a record of actions performed by an application during use of the application by one or more users associated with a tenant, wherein the application executes in a service platform provided for the tenant by the service provider system; paragraph [0034]: The event logs, also referred to herein as activity logs, provided by a service provider can include events recorded by the service provider as a tenant's users use the service provider's services. For example, the event logs can record users logging into the service, users placing authentication requests to access the services, new users of the service being generated, users of the service being deleted) Bhatia-Balles does not specifically disclose management logs and indicating an association between a user and a set of activity logs of the first plurality of activity logs, a set of activity logs of the second plurality of activity logs, or both. However, Levin discloses management logs wherein indicating an association between a user and a set of activity logs of the first plurality of activity logs, a set of activity logs of the second plurality of activity logs, or both. (see Levin paragraph [0023]: a monitor 126 can generate entries in a resource management log 118. The monitor 126 can include software, hardware, firmware, or a combination thereof. The entries in the resource management log 118 can include at least some of the following information: (i) a user identification (ID) that uniquely identifies the user that was logged in to the portal 122 to perform a management operation on the cloud resources 124, (ii) a resource ID that uniquely identifies the cloud resource 124 that is a target of an operation performed by the user associated with the user ID (e.g., a uniform resource identifier (URI) or the like), (iii) an operation performed by the user associated with the user ID and on the resource associated with the resource ID, or (iv) a time at which the user associated with the user ID performed the operation on the resource associated with the resource ID) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bhatia-Balles for management logs and indicating an association between a user and a set of activity logs of the first plurality of activity logs, a set of activity logs of the second plurality of activity logs, or both as taught by Levin. One of ordinary skill in the art would have been motivated to employ the teachings of Levin for the benefits achieved from the enhanced activity information such as user identification information associated with collected log information in the processing of network traffic. (see Levin paragraph [0023]) 10. Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Bhatia in view of Balles and further in view of Jacoby et al. (US PGPUB No. 20150074055). Regarding Claim 12, Bhatia-Balles discloses the method of claim 1, including a first plurality of directories of the first data source searched by a user, in a second plurality of directories of the second data source searched by the user, or both (see Bhatia paragraph [0007]: systems, methods, and computer-readable medium can perform steps including obtaining application data from a service provider system, wherein the application data includes a record of actions performed by an application during use of the application by one or more users associated with a tenant, wherein the application executes in a service platform provided for the tenant by the service provider system; paragraph [0034]: The event logs, also referred to herein as activity logs, provided by a service provider can include events recorded by the service provider as a tenant's users use the service provider's services. For example, the event logs can record users logging into the service, users placing authentication requests to access the services, new users of the service being generated, users of the service being deleted) and including activity logs within a duration. (see Bhatis paragraph [0072]: security information 126 can include separate entries for different customers of the security monitoring and control system 102. In some examples, the security information 126 includes historic data: the results of past analysis (e.g., from the last month, last three months, last year, or some other past time period) which can be consulted when needed.) Bhatia-Balles does not specifically disclose identifying the anomalous activity comprises: identifying preliminary breach activities based at least in part on the plurality of activity logs indicating that a threshold quantity of files storing the type of data are included. However, Jacoby discloses wherein identifying the anomalous activity comprises: identifying preliminary breach activities based at least in part on the plurality of supplemented activity logs indicating that, within a duration, a threshold quantity of files storing the type of data are included. (see Jacoby paragraph [0041]: an analysis is performed 104 including the collective data types: snapshot operation data, the configuration information, and the stored debug data. The analysis applies a set of one or more rules/checks to the log files and/or data structures within one or more of the collective data types to identify issues. The analysis may include searching for key words/numbers/characters or key data structures within the log files and/or collective data types. The rules/checks may include checks against a specified threshold, range, a specific criteria/value, or other types of checks. The analysis may apply a set of checks/rules to detect one or more issues with at least one of the following characteristics: a hardware component, hardware module, hardware configuration, hardware interconnect, environmental condition, configuration condition, firmware, firmware version, software, software version, software configuration, memory, disk space, network connectivity, network configuration, multipath input/output (MPIO) configuration, or performance characteristic. It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bhatia-Balles for identifying the anomalous activity comprises: identifying preliminary breach activities based at least in part on the plurality of activity logs indicating that a threshold quantity of files storing the type of data are included as taught by Jacoby. One of ordinary skill in the art would have been motivated to employ the teachings of Jacoby for the benefits achieved from enhanced discovery actions of a system that enables the early detection of anomalous activities processing network traffic. (see Jacoby paragraph [0041]) Balles discloses supplemented activity logs as stated above. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032. The examiner can normally be reached Work: 12-9PM (most days). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached at 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /CJ/ April 20, 2026 /FATOUMATA TRAORE/Primary Examiner, Art Unit 2436
Read full office action

Prosecution Timeline

Aug 05, 2024
Application Filed
May 20, 2026
Non-Final Rejection mailed — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683769
ENCRYPTED SEARCH WITH A PUBLIC KEY
3y 2m to grant Granted Jul 14, 2026
Patent 12666269
METHODS AND SYSTEMS FOR ALLOWING DEVICE TO SEND AND RECEIVE DATA
4y 1m to grant Granted Jun 23, 2026
Patent 12664253
AUTOMATED ONLINE POLICY GENERATION FOR ZERO-TRUST ARCHITECTURES
3y 1m to grant Granted Jun 23, 2026
Patent 12626261
SYSTEM AND METHOD FOR AUTOMATED SCAM DETECTION
1y 0m to grant Granted May 12, 2026
Patent 12604197
METHODS AND SYSTEMS FOR ALLOWING DEVICE TO SEND AND RECEIVE DATA
3y 11m to grant Granted Apr 14, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
59%
Grant Probability
91%
With Interview (+31.9%)
4y 6m (~2y 7m remaining)
Median Time to Grant
Low
PTA Risk
Based on 359 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month