Prosecution Insights
Last updated: April 18, 2026
Application No. 18/840,131

DOCUMENT OPEN DETECTION AND REMEDIATION

Non-Final OA §103
Filed: Aug 21, 2024
Examiner: DILUZIO, NICHOLAS JOSEPH
Art Unit: 2498
Tech Center: 2400 — Computer Networks
Assignee: Proofpoint, Inc.
OA Round: 1 (Non-Final)
Grant Probability: 33% (At Risk)
OA Rounds: 1-2
To Grant: 3y 2m
With Interview: 99%

Examiner Intelligence

Grants only 33% of cases
Career Allow Rate: 33% (4 granted / 12 resolved), -24.7% vs TC avg

Strong +100% interview lift
Interview Lift: +100.0% (resolved cases with interview)

Typical timeline
Avg Prosecution: 3y 2m; 31 currently pending

Career history
Total Applications: 43 across all art units

Statute-Specific Performance

§101: 10.4% (-29.6% vs TC avg)
§103: 61.1% (+21.1% vs TC avg)
§102: 8.8% (-31.2% vs TC avg)
§112: 19.7% (-20.3% vs TC avg)
Based on career data from 12 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority

The instant application 18/840,131 is a 371 of PCT application PCT/US2023/062987, which claims priority to provisional application 63/314,192, which claims the priority filing date of 02/25/2022. Therefore, the effective filing date of the instant application 18/840,131 is 02/25/2022.

Oath/Declaration

Applicant’s oath/declaration filed on 10/24/2024 has been reviewed by the examiner and is found to conform to the requirements prescribed in 37 C.F.R. 1.63.

Information Disclosure Statement

The information disclosure statements (IDS) submitted on 08/21/2024 and 11/03/2024 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Drawings

The drawings submitted on 08/21/2024 with the instant application are acceptable for examination purposes.

Specification

The specification submitted on 08/21/2024 with the instant application is acceptable for examination purposes.
Claim Objections

Claims 2-4, 6, 7, 9, 10, 12, 14-19, 21, and 23 are objected to because of the following informalities:

In line 1 of Claim 2, the limitation “a new document” should read: “the new document” for consistency with the antecedent basis for the new document
In line 2 of Claim 3, the limitation “a new document” should read: “the new document” for consistency with the antecedent basis for the new document
In line 3 of Claim 4, the limitation “to reports on user activities” should read: “to report on user activities”
In line 1-2 of Claim 6, the limitation “the in focus window” should read: “the focused window” for consistency with the antecedent basis for the focused window
In line 4 of Claim 6, the limitation “stored in cache memory” should read: “stored in the cache” for consistency with the antecedent basis for the cache memory
In line 1-2 of Claim 7, the limitation “the in-focus window” should read: “the focused window” for consistency with the antecedent basis for the focused window
In line 2-3 of Claim 7, the limitation “the previous in-focus window” should read: “a previous focused window” for consistency with the antecedent basis for the focused window and because there is no antecedent basis for “the previous focused window”
In line 3 of Claim 9, the limitation “determining that the user lacked permission” should read: “determining that the user lacks permission” to clarify that the determination reflects that the user currently lacks permission to view the document
In line 4 of Claim 10, the limitation “stored in cache memory” should read: “stored in the cache” for consistency with the antecedent basis for the cache memory
In line 2 of Claim 12, the limitation “the user session” should read: “a user session” because there is no antecedent basis for “the user session”
In line 1 of Claim 14, the limitation “a new document” should read: “the new document” for consistency with the antecedent basis for the new document
In line 2 of Claim 15, the limitation “a new document” should read: “the new document” for consistency with the antecedent basis for the new document
In line 2 of Claim 16, the limitation “the user interface” should read: “a user interface” because there is no antecedent basis for “the user interface”
In line 6 of Claim 16, the limitation “a user interface” should read: “the user interface” for consistency with the antecedent basis for the user interface in accordance with the above correction
In line 5 of Claim 17, the limitation “stored in cache memory” should read: “stored in the cache” for consistency with the antecedent basis for the cache memory
In line 1-2 of Claim 18, the limitation “the in focus window” should read: “the focused window” for consistency with the antecedent basis for the focused window
In line 1-2 of Claim 19, the limitation “the in focus window” should read: “the focused window” for consistency with the antecedent basis for the focused window
In line 2-3 of Claim 21, the limitation “determining the user lacked permission” should read: “determining the user lacks permission” to clarify that the determination reflects that the user currently lacks permission to view the document
In line 1-2 of Claim 23, the limitation “the user session” should read: “a user session” because there is no antecedent basis for “the user session”

Appropriate correction is required.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.
Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3, 10, 13-15, and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Littlejohn et al. (US 20140283042 A1), hereinafter Littlejohn, in view of Ziv et al. (WO 2020142654 A1), hereinafter Ziv.

Regarding Claim 1: Littlejohn teaches a computer system for detecting whether a new document has been opened at a user computer on the computer system (Littlejohn – Paragraph [0056]: At the conclusion of the evaluation period, the real-time event evaluator 133 uses policy conditions (configured by the real-time event configuration manager 131) to make decisions on whether any reporting is necessary or whether the activity on the resource can be ignored; and Paragraph [0058]: These policy conditions can include whether a given resource was deleted, created, modified (written to), read, and/or had access/security permissions changed; and Paragraph [0014]: A "resource" includes a user, service, system, device, directory, data store, file system, files, non-volatile data, non-volatile files, groups of users, combinations and/or collections of these things, etc), the computer system comprising: the user computer comprising a processor and memory (Littlejohn – Paragraph [0022]: Also, the techniques presented herein are implemented in (and reside within) machines, such as processor(s) or processor-enabled devices (hardware processors). These machines are configured and programmed to specifically perform the processing of the methods and system presented herein.
More particularly, the methods and system components are implemented as one or more software modules that reside or are programmed within: memory and/or a non-transitory computer-readable storage media; the software module(s) are processed on the processors of machines configured to perform the methods); a user application accessible by a human user at the user computer (Littlejohn – Paragraph [0037]: The kernel mode takes care of a variety of low level processes for the OS 120 and applications that execute in the user or application mode. In fact, a user application, which originates at the user mode of the OS 120, may use an API to have the OS 120 execute a number of kernel functions (in the kernel layer 140) to carry out the user application requests); and an agent application hosted by the user computer and configured to: [register to] receive notifications of user interface actions with an operating system (OS) of the user computer (Littlejohn – Paragraph [0038]: The real-time event configuration manager 131 registers as a handler for a class of IRPs; and Paragraph [0039]: The OS kernel layer 140 includes the real-time user event configurer 141. The real-time user event configurer 141 monitors resource actions (that it is configured to recognize) and collects a variety of information related to those actions, such as resource identifiers (this includes the acting resource that initiated activity on another resource (such as a particular user or user thread X reads resource Y (both X and Y are captured in a single event))), action identifiers, time stamps, and the like. 
When the real-time user event configurer 141 detects an action on a resource, the real-time user event configurer 141 generates event information including the collected information in an event that is raised up from the OS kernel layer 140 and detected by the real-time event queue manager 132; and Paragraph [0040]: The real-time event configuration manager 131 operates in the OS user layer 130 and is used to configure the real-time user event configurer 141 by passing configuration information to the real-time user event configurer 141. The configuration information informs or defines criteria for events that the event notification manager 141 is to trap and report in real time from the OS kernel layer 140 back up to the OS user layer 130); and determine whether a new document was opened at [a display screen of] the user computer by the user interface action (Littlejohn – Paragraphs [0058]-[0064]: This is but one example, the point is coarse grain and fine grain user defined policy conditions can be defined and configured into the real-time event evaluator 133 by the real-time event configuration manager 131. Some further examples of scenarios include the following: 1) is the file (type of resource) named in the consolidated event present in the file system of the processing environment; and 2) is the file named in the consolidated event present in the baseline resources 134? 
The answers to these initial policy conditions can lead to other policy conditions, such as: 1) if the file is in the file system and in the baseline resources 134, then a change occurred during the evaluation period and the file needs to be compared to its version in the baseline resources 134 to see what was in fact changed or the extend of the changes; 2) if the file is in the file system but not in the baseline resources 134, then a new file was created during the evaluation period, which may or may not necessitate reporting (based on still other policy conditions); Examiner’s Comment: determination that a file has been changed or that a new file was created is interpreted to represent the claimed determining “whether a new document was opened …”). Littlejohn does not expressly teach register to receive notifications of user interface actions with an operating system; receive a notification from the OS of a user interface action; and at a display screen of the user computer. However, Ziv teaches an agent application hosted by the user computer and configured to: register to receive notifications of user interface actions with an operating system (Ziv – P. 6: In a typical implementation, the agent 220 is configured to communicate and interact with the operating system 120 of the computer 110. For example, the agent 220 may register for notifications from the operating system 120 when a specific user related activity is detected by the operating system 120; and P. 18: the systems and techniques disclosed herein can be broadly applied to detecting any one of a variety of user actions at a computer, whether that action is performed through a keyboard-based interaction or through a mouse-based interaction. 
Moreover, regardless of the type of user action detected, a notification that may include any one of the types of information mentioned herein as possibly accompanying a paste activity notification may be included with a notification of whatever other activity is being noticed. These can include identifying what the non-paste activity was, who did it, on what machine, in what session, in what process(es), when, etc.); receive a notification from the OS of a user interface action (Ziv – P. 6: Upon receipt of a notification from the operating system 120 by the agent 220, the agent 220 may communicate notification data received from the operating system 120 to the monitor application server 210; and P. 13: The screenshot also shows a warning notification for a particular user action. The warning notification identifies, who performed the action (“nirs.mbp\nirbarak”), what was done (“performed paste” at a visited URL for a personal Gmail? account), on which computer (“nirs-mbp 1 10.1.100.133”), from which client (“console (ClientAddress-N/A),” which refers to the local console or laptop), and when (“Thursday 12/20/2018 8: 14AM”). In a typical implementation, all of the information presented about the indicated user action would have come from, or been derived from information provided by, the operating system for the computer where the action occurred; and P. 18: Moreover, regardless of the type of user action detected, a notification that may include any one of the types of information mentioned herein as possibly accompanying a paste activity notification may be included with a notification of whatever other activity is being noticed. These can include identifying what the non-paste activity was, who did it, on what machine, in what session, in what process(es), when, etc.); and at a display screen of the user computer (Ziv – P. 
16: In some such implementations, the agent 220 may be configured to run in a user mode and be triggered when an interactive session is created on a monitored machine (connected via SSH, Telnet, Rlogin, and so on). It records user activity inside the sessions, including interactive user activity and system functions such as OPEN, EXEC, CHMOD and others; and Ziv – P. 10: If the subsequent user action is a left mouse click by the user 201, then the agent 220 will receive an indication as such (through Windows USER (user32)). The indication typically includes information (e.g., screen coordinates) that identifies where on the screen the click took place).

It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Littlejohn, further incorporating Ziv to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Ziv’s teaching for an agent to register to receive user activity notifications from an OS regarding a user’s on-screen activity into Littlejohn’s system for detecting new documents on a user computer. This combination would enhance Littlejohn’s system by providing an agent with a stream of specifically requested user activity information for more efficient and focused determination of potentially suspicious user file opens.

Regarding Claim 2: The combination of Littlejohn and Ziv teaches the computer system of claim 1.
Littlejohn further teaches wherein determining whether a new document was opened at the [display screen of the] user computer by the user interface action further comprises: determining, with the agent, whether a document was contained in [a focused window on the display screen of] the user computer when the user interface action notification was generated (Littlejohn – Paragraph [0056]: At the conclusion of the evaluation period, the real-time event evaluator 133 uses policy conditions (configured by the real-time event configuration manager 131) to make decisions on whether any reporting is necessary or whether the activity on the resource can be ignored. This can be done by aggregating all events for each resource over the evaluation period and then evaluating the policy conditions; and Paragraph [0058]: These policy conditions can include whether a given resource was deleted, created, modified (written to), read, and/or had access/security permissions changed. The policy conditions can also identify patterns of activity or behavior taken on the resources during the evaluation period. Moreover, as stated above, the event information for the events can identify both the acting resource (user thread or application) and the resource that was acted upon; and Paragraph [0064]: a new file was created during the evaluation period, which may or may not necessitate reporting). Ziv further teaches at the display screen of the user computer (Ziv – P. 3: In yet another aspect, a computer-based method is disclosed for determining whether a user at a computer has used a mouse to select a particular option from an on-screen context menu. The computer-based method includes obtaining a handle for an in-focus window (e.g., an on-screen context menu) at the computer from a user interface of the computer, and using the handle to request information about the in-focus window from an accessibility application programming interface (API)on the computer. 
The in-focus window, in this regard, is an on screen context menu and the information about the context menu may include information about one or more options available at the on-screen context menu and on-screen location information for those one or more options; and P. 18: the systems and techniques disclosed herein can be broadly applied to detecting any one of a variety of user actions at a computer, whether that action is performed through a keyboard-based interaction or through a mouse-based interaction. Moreover, regardless of the type of user action detected, a notification that may include any one of the types of information mentioned herein as possibly accompanying a paste activity notification may be included with a notification of whatever other activity is being noticed. These can include identifying what the non-paste activity was, who did it, on what machine, in what session, in what process(es), when, etc.); in a focused window on the display screen of the user computer (Ziv – P. 3: The computer-based method includes obtaining a handle for an in-focus window (e.g., an on-screen context menu) at the computer from a user interface of the computer, and using the handle to request information about the in-focus window from an accessibility application programming interface (API) on the computer). The motivation to combine the arts is the same as that of Claim 1.

Regarding Claim 3: The combination of Littlejohn and Ziv teaches the computer system of claim 2.
Littlejohn further teaches further comprising a cache memory (Littlejohn – Paragraph [0028]: The processing environment 110 includes a variety of resources, such as but not limited to, cache, non-transitory storage, non-volatile data/files, memory, processors, port interfaces, network connections, the components 120-141, and the like), wherein determining whether a new document was opened at the [display screen of the] user computer by the user interface action further comprises: determining, with the agent, whether the document contained in [the focused window on the display screen of] the user computer when the user interface action notification was generated matches a document stored in the cache memory (Littlejohn – Paragraph [0052]: The baseline resources 134 can be used to detect the extent of changes made to resources at the conclusion of the evaluation period. The copy of the resources in the baseline resources 134 are copies of the resources before any volatile operations occurred on those resources, such that at the conclusion of the evaluation period for a given resource, the final version of the given resource can be compared against its baseline version in the baseline resources 134 to provide more meaningful details on the extent of the actual changes beyond just a binary reporting that a change occurred; and Paragraph [0053]: In an embodiment, the baseline resources 134 are housed in cache; and Paragraph [0063]: 1) if the file is in the file system and in the baseline resources 134, then a change occurred during the evaluation period and the file needs to be compared to its version in the baseline resources 134 to see what was in fact changed or the extend of the changes; and Paragraph [0064]: 2) if the file is in the file system but not in the baseline resources 134, then a new file was created during the evaluation period, which may or may not necessitate reporting). Ziv further teaches at the display screen of the user computer (Ziv – P. 
3: In yet another aspect, a computer-based method is disclosed for determining whether a user at a computer has used a mouse to select a particular option from an on-screen context menu. The computer-based method includes obtaining a handle for an in-focus window (e.g., an on-screen context menu) at the computer from a user interface of the computer, and using the handle to request information about the in-focus window from an accessibility application programming interface (API) on the computer. The in-focus window, in this regard, is an on screen context menu and the information about the context menu may include information about one or more options available at the on-screen context menu and on-screen location information for those one or more options; and P. 18: the systems and techniques disclosed herein can be broadly applied to detecting any one of a variety of user actions at a computer, whether that action is performed through a keyboard-based interaction or through a mouse-based interaction. Moreover, regardless of the type of user action detected, a notification that may include any one of the types of information mentioned herein as possibly accompanying a paste activity notification may be included with a notification of whatever other activity is being noticed. These can include identifying what the non-paste activity was, who did it, on what machine, in what session, in what process(es), when, etc.); the focused window on the display screen of the user computer (Ziv – P. 3: The computer-based method includes obtaining a handle for an in-focus window (e.g., an on-screen context menu) at the computer from a user interface of the computer, and using the handle to request information about the in-focus window from an accessibility application programming interface (API) on the computer). The motivation to combine the arts is the same as that of Claim 1.

Regarding Claim 10: The combination of Littlejohn and Ziv teaches the computer system of claim 3.
Littlejohn further teaches wherein the agent reverts to listening for a subsequent notification from the OS of a subsequent user interface action if the agent determines that the document … on the … user computer when the user interface action notification was generated matches the document stored in cache memory (Littlejohn – Paragraph [0050]: The evaluation period also allows OS kernel layer 140 activities for a given resource having detected events to stabilize before decisions are made by the real-time event evaluator 133. In an embodiment, each event that identifies a resource for a first time causes the evaluation period for that resource to be initiated. So, the evaluation period can, in one embodiment, be resource specific meaning that there can be multiple independent evaluation periods continually being reset and/or initialized as resources cease to have kernel activity and as resources start to have kernel activity. In an embodiment, the evaluation period is for all registered resource activities for all resources detected during the evaluation period, with the evaluation period being regularly reset each time it lapses to provide continuous monitoring of the processing environment 110; and Paragraph [0051]: Moreover, when a resource is first detected (by a monitored event) as having been accessed at the OS kernel layer 140, the real-time event evaluator 133 ensures that a copy of that resource is populated and securely maintained and persisted (unchanged) in the baseline resources 134 for the duration of the evaluation period; and Paragraph [0063]: 1) if the file is in the file system and in the baseline resources 134, then a change occurred during the evaluation period and the file needs to be compared to its version in the baseline resources 134 to see what was in fact changed or the extend of the changes). Ziv further teaches the focused window on the display screen of the user computer (Ziv – P. 
3: The computer-based method includes obtaining a handle for an in-focus window (e.g., an on-screen context menu) at the computer from a user interface of the computer, and using the handle to request information about the in-focus window from an accessibility application programming interface (API) on the computer). The motivation to combine the arts is the same as that of Claim 1.

Regarding Claim 13: Littlejohn teaches a method for an agent application hosted by a user computer of a computer system for detecting whether a new document has been opened via a user application accessible by a human user at the user computer at the user computer (Littlejohn – Paragraph [0056]: At the conclusion of the evaluation period, the real-time event evaluator 133 uses policy conditions (configured by the real-time event configuration manager 131) to make decisions on whether any reporting is necessary or whether the activity on the resource can be ignored; and Paragraph [0058]: These policy conditions can include whether a given resource was deleted, created, modified (written to), read, and/or had access/security permissions changed; and Paragraph [0014]: A "resource" includes a user, service, system, device, directory, data store, file system, files, non-volatile data, non-volatile files, groups of users, combinations and/or collections of these things, etc), comprising the steps of: [registering to] receive notifications of user interface actions with an operating system (OS) of the user computer (Littlejohn – Paragraph [0038]: The real-time event configuration manager 131 registers as a handler for a class of IRPs; and Paragraph [0039]: The OS kernel layer 140 includes the real-time user event configurer 141.
The real-time user event configurer 141 monitors resource actions (that it is configured to recognize) and collects a variety of information related to those actions, such as resource identifiers (this includes the acting resource that initiated activity on another resource (such as a particular user or user thread X reads resource Y (both X and Y are captured in a single event))), action identifiers, time stamps, and the like. When the real-time user event configurer 141 detects an action on a resource, the real-time user event configurer 141 generates event information including the collected information in an event that is raised up from the OS kernel layer 140 and detected by the real-time event queue manager 132; and Paragraph [0040]: The real-time event configuration manager 131 operates in the OS user layer 130 and is used to configure the real-time user event configurer 141 by passing configuration information to the real-time user event configurer 141. The configuration information informs or defines criteria for events that the event notification manager 141 is to trap and report in real time from the OS kernel layer 140 back up to the OS user layer 130); and determining whether a new document was opened at [a display screen of] the user computer by the user interface action (Littlejohn – Paragraphs [0058]-[0064]: This is but one example, the point is coarse grain and fine grain user defined policy conditions can be defined and configured into the real-time event evaluator 133 by the real-time event configuration manager 131. Some further examples of scenarios include the following: 1) is the file (type of resource) named in the consolidated event present in the file system of the processing environment; and 2) is the file named in the consolidated event present in the baseline resources 134? 
The answers to these initial policy conditions can lead to other policy conditions, such as: 1) if the file is in the file system and in the baseline resources 134, then a change occurred during the evaluation period and the file needs to be compared to its version in the baseline resources 134 to see what was in fact changed or the extend of the changes; 2) if the file is in the file system but not in the baseline resources 134, then a new file was created during the evaluation period, which may or may not necessitate reporting (based on still other policy conditions); Examiner’s Comment: determination that a file has been changed or that a new file was created is interpreted to represent the claimed determining “whether a new document was opened …”). Littlejohn does not expressly teach registering to receive notifications of user interface actions with an operating system; receiving a notification from the OS of a user interface action; and at a display screen of the user computer. However, Ziv teaches an agent application hosted by the user computer and configured to: register to receive notifications of user interface actions with an operating system (Ziv – P. 6: In a typical implementation, the agent 220 is configured to communicate and interact with the operating system 120 of the computer 110. For example, the agent 220 may register for notifications from the operating system 120 when a specific user related activity is detected by the operating system 120); receiving a notification from the OS of a user interface action (Ziv – P. 6: Upon receipt of a notification from the operating system 120 by the agent 220, the agent 220 may communicate notification data received from the operating system 120 to the monitor application server 210; and P. 13: The screenshot also shows a warning notification for a particular user action. 
The warning notification identifies, who performed the action (“nirs.mbp\nirbarak”), what was done (“performed paste” at a visited URL for a personal Gmail? account), on which computer (“nirs-mbp 1 10.1.100.133”), from which client (“console (ClientAddress-N/A),” which refers to the local console or laptop), and when (“Thursday 12/20/2018 8: 14AM”). In a typical implementation, all of the information presented about the indicated user action would have come from, or been derived from information provided by, the operating system for the computer where the action occurred; and P. 18: Moreover, regardless of the type of user action detected, a notification that may include any one of the types of information mentioned herein as possibly accompanying a paste activity notification may be included with a notification of whatever other activity is being noticed. These can include identifying what the non-paste activity was, who did it, on what machine, in what session, in what process(es), when, etc.) and at a display screen of the user computer (Ziv – P. 16: In some such implementations, the agent 220 may be configured to run in a user mode and be triggered when an interactive session is created on a monitored machine (connected via SSH, Telnet, Rlogin, and so on). It records user activity inside the sessions, including interactive user activity and system functions such as OPEN, EXEC, CHMOD and others; and Ziv – P. 10: If the subsequent user action is a left mouse click by the user 201, then the agent 220 will receive an indication as such (through Windows USER (user32)). The indication typically includes information (e.g., screen coordinates) that identifies where on the screen the click took place). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Littlejohn, further incorporating Ziv to arrive at the conclusion of the claimed invention. 
One would be motivated to incorporate Ziv’s teaching for an agent to register to receive user activity notifications from an OS regarding a user’s on-screen activity into Littlejohn’s system for detecting new documents on a user computer. This combination would enhance Littlejohn’s system by providing an agent with a stream of specifically requested user activity information for more efficient and focused determination of potentially suspicious user file opens.

Regarding Claim 14: Claim 14 is a method claim with limitations corresponding to those of system Claim 2. Therefore, Claim 14 is rejected with the same combination and rationale as that of the rejection of Claim 2.

Regarding Claim 15: Claim 15 is a method claim with limitations corresponding to those of system Claim 3. Therefore, Claim 15 is rejected with the same combination and rationale as that of the rejection of Claim 3.

Regarding Claim 17: Claim 17 is a method claim with limitations corresponding to those of system Claim 10. Therefore, Claim 17 is rejected with the same combination and rationale as that of the rejection of Claim 10.

Claim(s) 4, 5, 11, 12, 16, 22, and 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Littlejohn, in view of Ziv and Biswas et al. (US 20220174097 A1), hereinafter Biswas.

Regarding Claim 4: The combination of Littlejohn and Ziv teaches the computer system of claim 3.
Littlejohn further teaches to reports on user activities that cause or result in new documents being opened at the user computer (Littlejohn – Paragraph [0047]: In an embodiment, the policies conditions include patterns of activity performed on a given resource that indicate reporting needs to occur; and Paragraph [0056]: At the conclusion of the evaluation period, the real-time event evaluator 133 uses policy conditions (configured by the real-time event configuration manager 131) to make decisions on whether any reporting is necessary or whether the activity on the resource can be ignored; and Paragraph [0058]: the policy conditions can state fine-grain rules, such as if an acting resource belonging to a particular role or group reads a file (type of resource) belong to a particular user-defined classification of files, then report to an administrator (another type of resource) using via email (type of communication for the reporting; and Paragraph [0064]: if the file is in the file system but not in the baseline resources 134, then a new file was created during the evaluation period, which may or may not necessitate reporting). The combination of Littlejohn and Ziv does not expressly teach further comprising: an admin computer configured to present a user interface at a display screen of the admin computer. However, Biswas teaches further comprising: an admin computer configured to present a user interface at a display screen of the admin computer (Biswas – Paragraph [0081]: In some examples, the control manager 172 can also maintain security policies for the organization 130. A security policy can define an action or set of actions that, when detected, constitute a security violation or an event that otherwise requires attention … In some examples, a security policy can also define one or more remediation actions to perform when a violation of the policy is detected. 
A remediation action can include, for example, sending a notification to the user who caused the violation, to network administrators of the organization 130, to administrators of the security management and control system 102, and/or to another entity; and Paragraph [0087]: In various implementations, the security management and control system 102 provides an interface 120 through which customers of the security management and control system 102 can use the services of the security management and control system 102. The interface 120 can provide, for example, a graphical user interface (GUI) that can display a control panel or dashboard that enables the organization's administrative users to configure the services of the security management and control system 102. The graphical user interface can further enable the administrative users to view reports of user activity with respect to the services 112a-112b of the service provider 110. The graphical user interface can further provide reports of security events and suggest remediation actions, and/or report on the outcome of remediation actions that the security management and control system 102 automatically performs). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Littlejohn and Ziv, further incorporating Biswas to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Biswas’s teachings to provide reports on at least user document open activities to an administrator into Littlejohn and Ziv’s system for detecting new documents on a user computer. This additional functionality would enhance the system with actionable alerts regarding suspicious or potentially malicious user activity.

Regarding Claim 5: The combination of Littlejohn, Ziv, and Biswas teaches the computer system of claim 4.
Littlejohn further teaches wherein the agent is further configured to cause the system to generate a report … in response to the agent determining that the document … on the … user computer when the user interface action notification was generated does not match the document stored in the cache memory (Littlejohn – Paragraph [0052]: The baseline resources 134 can be used to detect the extent of changes made to resources at the conclusion of the evaluation period. The copy of the resources in the baseline resources 134 are copies of the resources before any volatile operations occurred on those resources, such that at the conclusion of the evaluation period for a given resource, the final version of the given resource can be compared against its baseline version in the baseline resources 134 to provide more meaningful details on the extent of the actual changes beyond just a binary reporting that a change occurred; and Paragraph [0053]: In an embodiment, the baseline resources 134 are housed in cache; and Paragraph [0063]: 1) if the file is in the file system and in the baseline resources 134, then a change occurred during the evaluation period and the file needs to be compared to its version in the baseline resources 134 to see what was in fact changed or the extend of the changes; and Paragraph [0064]: 2) if the file is in the file system but not in the baseline resources 134, then a new file was created during the evaluation period, which may or may not necessitate reporting). Ziv further teaches document contained in the focused window on the display screen of the user computer (Ziv – P. 3: The computer-based method includes obtaining a handle for an in-focus window (e.g., an on-screen context menu) at the computer from a user interface of the computer, and using the handle to request information about the in-focus window from an accessibility application programming interface (API) on the computer). 
Biswas further teaches generate a report at the user interface of the admin computer (Biswas – Paragraph [0081]: In some examples, the control manager 172 can also maintain security policies for the organization 130. A security policy can define an action or set of actions that, when detected, constitute a security violation or an event that otherwise requires attention … In some examples, a security policy can also define one or more remediation actions to perform when a violation of the policy is detected. A remediation action can include, for example, sending a notification to the user who caused the violation, to network administrators of the organization 130, to administrators of the security management and control system 102, and/or to another entity; and Paragraph [0087]: In various implementations, the security management and control system 102 provides an interface 120 through which customers of the security management and control system 102 can use the services of the security management and control system 102. The interface 120 can provide, for example, a graphical user interface (GUI) that can display a control panel or dashboard that enables the organization's administrative users to configure the services of the security management and control system 102. The graphical user interface can further enable the administrative users to view reports of user activity with respect to the services 112a-112b of the service provider 110. The graphical user interface can further provide reports of security events and suggest remediation actions, and/or report on the outcome of remediation actions that the security management and control system 102 automatically performs). The motivation to combine the arts is the same as that of Claim 4.

Regarding Claim 11: The combination of Littlejohn, Ziv, and Biswas teaches the computer system of claim 5.
Littlejohn further teaches wherein the system connects the report on the new document open activity to file tracking data based upon whether file tracking exists (Littlejohn – Paragraph [0046]: The real-time event configuration manager 131 can also configure the real-time event evaluator 133 with policies (may also be received by the real-time event configuration manager 131 via an API or GUI). The policies are conditions that inform the real-time event evaluator 133 on when the real-time event evaluator 133 should raise an event based on activity occurring in the queues for events received for the monitored resources (defined by the configuration information) during the monitored period of time (short during, such as between 30-90 seconds, which gives activity for resources a chance to stabilize and reduces noise associated with OS activity that may be irrelevant to whether the resource was changed or not); and Paragraph [0047]: In an embodiment, the policies conditions include patterns of activity performed on a given resource that indicate reporting needs to occur; and Paragraph [0014]: A "resource" includes a user, service, system, device, directory, data store, file system, files, non-volatile data, non-volatile files, groups of users, combinations and/or collections of these things, etc.). The motivation to combine the arts is the same as that of Claim 4.

Regarding Claim 12: The combination of Littlejohn, Ziv, and Biswas teaches the computer system of claim 5. Littlejohn further teaches wherein the report is correlated with another event [on the user session] (Littlejohn – Paragraph [0046]: The real-time event configuration manager 131 can also configure the real-time event evaluator 133 with policies (may also be received by the real-time event configuration manager 131 via an API or GUI).
The policies are conditions that inform the real-time event evaluator 133 on when the real-time event evaluator 133 should raise an event based on activity occurring in the queues for events received for the monitored resources (defined by the configuration information) during the monitored period of time (short during, such as between 30-90 seconds, which gives activity for resources a chance to stabilize and reduces noise associated with OS activity that may be irrelevant to whether the resource was changed or not); and Paragraph [0047]: In an embodiment, the policies conditions include patterns of activity performed on a given resource that indicate reporting needs to occur; and Paragraph [0014]: A "resource" includes a user, service, system, device, directory, data store, file system, files, non-volatile data, non-volatile files, groups of users, combinations and/or collections of these things, etc.). Ziv further teaches the report is correlated with another event on the user session (Ziv – P. 15: The agent 220 may be a software component that can be installed, for example, on any Windows-based operating system (server or desktop) that you want to record. In those implementations, the agent 220 may be a user-mode executable that binds to every user session. As soon as a user logs into a monitored endpoint, the agent 220 begins recording based on a configured recording policy. From the moment a user logs on, the agent 220 starts capturing user activity data logs and, if configured, screen video. In certain implementations, all captured user activity data can be searched for, reported on, configured for alerts, and integrated with security information and event management (SIEM) systems). The motivation to combine the arts is the same as that of Claim 4.

Regarding Claim 16: The combination of Littlejohn and Ziv teaches the method of claim 15.
Littlejohn further teaches further comprising the step of: causing the system to generate a report … in response to the agent determining that the document … on the … user computer when the user interface action notification was generated does not match the document stored in the cache memory (Littlejohn – Paragraph [0052]: The baseline resources 134 can be used to detect the extent of changes made to resources at the conclusion of the evaluation period. The copy of the resources in the baseline resources 134 are copies of the resources before any volatile operations occurred on those resources, such that at the conclusion of the evaluation period for a given resource, the final version of the given resource can be compared against its baseline version in the baseline resources 134 to provide more meaningful details on the extent of the actual changes beyond just a binary reporting that a change occurred; and Paragraph [0053]: In an embodiment, the baseline resources 134 are housed in cache; and Paragraph [0063]: 1) if the file is in the file system and in the baseline resources 134, then a change occurred during the evaluation period and the file needs to be compared to its version in the baseline resources 134 to see what was in fact changed or the extend of the changes; and Paragraph [0064]: 2) if the file is in the file system but not in the baseline resources 134, then a new file was created during the evaluation period, which may or may not necessitate reporting); and to report on user activities that cause or result in new documents being opened at the user computer (Littlejohn – Paragraph [0047]: In an embodiment, the policies conditions include patterns of activity performed on a given resource that indicate reporting needs to occur; and Paragraph [0056]: At the conclusion of the evaluation period, the real-time event evaluator 133 uses policy conditions (configured by the real-time event configuration manager 131) to make decisions on whether any 
reporting is necessary or whether the activity on the resource can be ignored; and Paragraph [0058]: the policy conditions can state fine-grain rules, such as if an acting resource belonging to a particular role or group reads a file (type of resource) belong to a particular user-defined classification of files, then report to an administrator (another type of resource) using via email (type of communication for the reporting; and Paragraph [0064]: if the file is in the file system but not in the baseline resources 134, then a new file was created during the evaluation period, which may or may not necessitate reporting). Ziv further teaches document contained in the focused window on the display screen of the user computer (Ziv – P. 3: The computer-based method includes obtaining a handle for an in-focus window (e.g., an on-screen context menu) at the computer from a user interface of the computer, and using the handle to request information about the in-focus window from an accessibility application programming interface (API) on the computer) The combination of Littlejohn and Ziv does not expressly teach generate a report at the user interface of an admin computer of the computer system; and wherein the admin computer is configured to present a user interface at a display screen of the admin computer. However, Biswas teaches generate a report at the user interface of an admin computer of the computer system (Biswas – Paragraph [0081]: In some examples, the control manager 172 can also maintain security policies for the organization 130. A security policy can define an action or set of actions that, when detected, constitute a security violation or an event that otherwise requires attention … In some examples, a security policy can also define one or more remediation actions to perform when a violation of the policy is detected. 
A remediation action can include, for example, sending a notification to the user who caused the violation, to network administrators of the organization 130, to administrators of the security management and control system 102, and/or to another entity; and Paragraph [0087]: In various implementations, the security management and control system 102 provides an interface 120 through which customers of the security management and control system 102 can use the services of the security management and control system 102. The interface 120 can provide, for example, a graphical user interface (GUI) that can display a control panel or dashboard that enables the organization's administrative users to configure the services of the security management and control system 102. The graphical user interface can further enable the administrative users to view reports of user activity with respect to the services 112a-112b of the service provider 110. The graphical user interface can further provide reports of security events and suggest remediation actions, and/or report on the outcome of remediation actions that the security management and control system 102 automatically performs); and wherein the admin computer is configured to present a user interface at a display screen of the admin computer (Biswas – Paragraph [0081]: In some examples, the control manager 172 can also maintain security policies for the organization 130. A security policy can define an action or set of actions that, when detected, constitute a security violation or an event that otherwise requires attention … In some examples, a security policy can also define one or more remediation actions to perform when a violation of the policy is detected. A remediation action can include, for example, sending a notification to the user who caused the violation, to networ

Prosecution Timeline

Aug 21, 2024
Application Filed
Dec 02, 2025
Non-Final Rejection — §103
Apr 04, 2026
Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596792
DATA ENCRYPTION DETECTION
2y 5m to grant Granted Apr 07, 2026
Patent 12490087
AUTHENTICATION SERVER FUNCTION SELECTION IN AN AUTHENTICATION AND KEY AGREEMENT
2y 5m to grant Granted Dec 02, 2025
Patent 12475218
METHOD AND SYSTEM FOR IDENTIFYING A COMPROMISED POINT-OF-SALE TERMINAL NETWORK
2y 5m to grant Granted Nov 18, 2025
Patent 12367440
ARTIFICIAL INTELLIGENCE-BASED SYSTEM AND METHOD FOR FACILITATING MANAGEMENT OF THREATS FOR AN ORGANIZATON
2y 5m to grant Granted Jul 22, 2025
Patent 11966466
UNIFIED WORKLOAD RUNTIME PROTECTION
2y 5m to grant Granted Apr 23, 2024
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

1-2
Expected OA Rounds
33%
Grant Probability
99%
With Interview (+100.0%)
3y 2m
Median Time to Grant
Low
PTA Risk
Based on 12 resolved cases by this examiner. Grant probability derived from career allow rate.
