Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This communication is responsive to Amendment, filed 01/28/2026.
Claims 1-17 are pending in this application. This action is made Final.
Terminal Disclaimer
The terminal disclaimer filed on 03/02/2026 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of US Patents 12/105,728 has been reviewed and is accepted. The terminal disclaimer has been recorded.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1, 3-10, and 12-17 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US Pub No. 2017/0063902), in view of BERWICK et al. (US Pub No. 2019/0034504).
As per claim 1, Muddu teaches a method, comprising:
accessing a dataset with a plurality of unstructured documents (i.e. FIG. 9A illustrates raw event data 900 received by the data intake and preparation stage. The raw event data 900, representing an event that occurs, are log data generated by a web gateway server. The web gateway is located where network traffic in and out the environment goes through, and therefore can log the data transfer and web communication from a system inside the environment. The particular event as represented by the event data 900 indicates that, at a particular point of time identified by the timestamp, the user “psibbal” uses the IP address “10.33.240.240” to communicate with an external IP address “74.125.239.107,” and transfers 106 bytes of data. The status code of that event is “200,” and the event is a TCP event where the HTTP status is “GET.” As illustrated, the event data 900 also includes a significant amount of additional information, [0217]);
creating an extensible data object for each of the unstructured documents, including a first extensible data object associated with a first unstructured document (i.e. The particular event as represented by the event data 900 indicates that, at a particular point of time identified by the timestamp, [0217]);
receiving a plurality of structured insight features from at least one preprocessing subsystem (i.e. Using the aforementioned techniques (e.g., the parsers 806, and the field mapper 808), the graph generator 810 can readily identify that the event represented in the FIG. 9A involves a number of entities ... The graph generator 810 also identifies that an action “GET” is involved in the event, [0218]);
augmenting the first extensible data object to include the plurality of structured insight features (i.e. Accordingly, the graph generator 810 can compare the action to the table of identifiable actions, identify one or more relationships between the entities, and create an event-specific relationship graph 902 based on the event. As shown in FIG. 9B, the relationship graph 902 includes the entities that are involved in the events. Each entity is represented by a different node. The relationship graph 902 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 902. The relationship graph 902 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges, [0218]; With the new session created in the session database ... Two existing sessions should be linked or correlated if the newly added session (1) matches a link event time range, (2a) has a match in one of its from-session-link-context or to-session-link-context with those of one existing session, and (2b) has at least a partial match in one of its from-session-link-context or to-session-link-context with those of another existing session, [0263]),
wherein at least one of the plurality of structured insight features characterizes a relationship between the first unstructured document and a second unstructured document of a second extensible data object (i.e. The relationship graph 902 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 902. The relationship graph 902 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges, [0218]; the graph generator 810 attaches the relationship graph 902 to the associated event data 900. For example, the graph 902 may be recorded as an additional field of the event data 900. In alternative embodiments, the relationship graph 902 can be stored and/or transferred individually (i.e., separate from the event data 900) to subsequent nodes in the security platform, [0220]); and
wherein at least another one of the plurality of structured insight features characterizes a relationship between the first unstructured document and a third unstructured document of a third extensible data object (i.e. The relationship graph 902 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 902. The relationship graph 902 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges, [0218]; if an event that is received involves both a user and a machine identifier (e.g., if the event data representing the event has both a user identifier and a machine identifier), then machine learning model that is employed by the identity resolution module 812 can use this event to create or update the probability of association between the user and the machine identifier, [0233]; Based on this user association record, the identity resolution module 812 can annotate the new event to explicitly connect the new event to the particular user. For example, the identity resolution module 812 can add, as a field, the particular user's name to the new event in its associated event data, [0239]; With the new session created in the session database ... Two existing sessions should be linked or correlated if the newly added session (1) matches a link event time range, (2a) has a match in one of its from-session-link-context or to-session-link-context with those of one existing session, and (2b) has at least a partial match in one of its from-session-link-context or to-session-link-context with those of another existing session, [0263]);
rendering, for display on an electronic display, a view menu as part of a graphical user interface to facilitate user toggling between a lineage view and a timeline view of the first, second, and third extensible data objects (i.e. because a network login to a target device also creates a new session, the current session should be correlated with the new session. This correlation is referred to herein as session lineage, [0259]; Returning to FIG. 40A, clicking on the “Details” tab 4011 in the Threats Review view 4000 also can generate illustrations of a Threat Anomalies Timeline 4060 in FIGS. 40E and 40F, [0469]);
receiving, via user input, a selection of the timeline view (i.e. Returning to FIG. 40A, clicking on the “Details” tab 4011 in the Threats Review view 4000 also can generate illustrations of a Threat Anomalies Timeline 4060, [0469]; By hovering over a point on the line, the GUI generates a bubble indicating the date and number of anomalies on that date. Similar to the Threat Anomalies Timeline 4060, upon clicking on a bubble, the GUI generates an associated Anomalies Table view 4200, in the format shown in FIG. 42, [0471]); and
rendering, for display via the electronic display, in response to the user selection of the timeline view (i.e. Returning to FIG. 40A, clicking on the “Details” tab 4011 in the Threats Review view 4000 also can generate illustrations of a Threat Anomalies Timeline 4060, Threat Anomalies Trend 4070, and Threat Anomalies listing 4080 and Device Locations 4090, in FIGS. 40E and 40F, [0469]):
one or more orbit rings each comprising a plurality of icons around a respective icon representing at least some of extensible data objects, wherein each icon of the plurality of icons represents a different earlier version of the respective extensible data object, and, simultaneously (i.e. Threat Anomalies Timeline 4060 provides a timeline of each anomaly, sorted by anomaly type. In this example, there are four anomaly types: “Excessive Data Transmission,” “Land Speed Violation,” “Unusual Network Activity,” and “Unusual Activity Time.” The timeline shows a circle corresponding to each occurrence, which is color-coded to indicate its severity. If there is more than one anomaly of the same type on the same date, the circle is made larger. By hovering over a circle, a bubble is generated that provides the date of the anomaly or anomalies and prompts the user to select more detailed information (not shown). Upon clicking on a bubble, the GUI generates an associated Anomalies Table view 4200, in the format shown in FIG. 42, [0470]);
a timeline that shows the relative time of creation of each version of at least one extensible data object (i.e. To achieve this, in some embodiments, the identity resolution module 812 can initiate, for a given user, different versions of the machine learning model at different point of time, and each version may have a valid life time. As events related to the given user arrive, versions of a machine learning model are initiated, trained, activated, (optionally) continually updated, and finally expired, [0235]; The “Details” version of the Threats Review view 4000 also includes a Threat Anomalies listing 4080, [0472]; Referring to FIG. 40F, the detailed version of the Threats Review page 4000 also includes a Devices Location map 4090, [0474]).
Muddu does not seem to specifically teach "one or more orbit rings each comprising a plurality of icons around a respective icon".
BERWICK teaches "one or more orbit rings each comprising a plurality of icons around a respective icon" (i.e. FIG. 4a illustrates an example dashboard page 300 having a data visualization element represented in the form of an unpopulated multi-dimensional donut 400 ... a plurality of concentric rings of varying diameter (or thickness) axially disposed around the center portion 402, [0074]; the user may select a first sector 414 from one of a plurality of clusters to view specifics about that sector 414. Thus, upon selecting the first sector, all data values and graphical visualizations within the multi-dimensional donut 400 may be dynamically updated to reflect data for only the selected first sector 414, [0075]).
It would have been obvious to one of ordinary skill in the art having the teachings of Muddu and BERWICK before the effective filing date of the claimed invention to modify the system of Muddu to include the limitations as taught by BERWICK. One of ordinary skill in the art would be motivated to make this combination in order to provide the multi-dimensional donut comprising a center region and a plurality of concentric rings axially disposed around the center portion in view of BERWICK ([0008]), as doing so would give the added benefit of enabling the user to select two or more dimensions to view the overlap between the selected two or more dimensions, as taught by BERWICK ([0075]).
As per claim 6, Muddu teaches a system, comprising:
a processor (i.e. Storage adapter 8550 interfaces with an operating system running on processor(s) 8510 to access information on attached storage devices, [0744]);
a memory in communication with the processor (i.e. Storage adapter 8550 includes a plurality of ports having I/O interface circuitry that couples with disks or other storage related devices over an I/O interconnect arrangement, [0744]); and
a non-transitory computer-readable medium with instructions stored thereon to implement operations to generate a dynamic graphical user interface, the operations including (i.e. The information may be stored on any type of attached array of writable storage media, such as hard disk drives, magnetic tape, optical disk, flash memory, solid-state drives, RAM, MEMs and/or any other similar media adapted to store information, [0744]):
accessing a database with a plurality of extensible data objects, wherein each extensible data object comprises: an unstructured document from a dataset of documents, a data type insight feature, a relationship insight feature, and at least one additional insight feature (i.e. An event view includes a name (e.g., view identifier) for subscription purposes. An event view can include a number of fields to access certain attributes of an event; for example, the fields can be used by a machine learning model to identify which subset of the event data (e.g., serverIP, sourceIP, sourcePort, etc.) is the information that the model wants to receive, [0250]), and
wherein at least one of the extensible data objects includes a relationship insight feature that identifies a relationship of the unstructured document with unstructured documents of at least three other extensible data objects (i.e. after the entities are identified in the tokens, the relationship graph generator 810 is operable to identify a number of relationships between the entities, and to explicitly record these relationships between the entities ... A graph in the context of this description includes a number of nodes and edges. Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities, [0214]; Based on this user association record, the identity resolution module 812 can annotate the new event to explicitly connect the new event to the particular user. For example, the identity resolution module 812 can add, as a field, the particular user's name to the new event in its associated event data, [0239]; With the new session created in the session database ... Two existing sessions should be linked or correlated if the newly added session (1) matches a link event time range, (2a) has a match in one of its from-session-link-context or to-session-link-context with those of one existing session, and (2b) has at least a partial match in one of its from-session-link-context or to-session-link-context with those of another existing session, [0263]);
rendering, for display on an electronic display, a graphical user interface that includes a data type filter menu to facilitate a user selection of one or more data types (i.e. FIG. 40F is an illustrative view of a “Device Locations” map, which is generated upon clicking the “Details” tab in the “Threats Review” screen of FIG. 40A, in accordance with various embodiments of the disclosure, [0057]; FIG. 46D illustrates an “Anomalous Activity Sequence” box 4660 in the Anomaly Details view 4650. Given that the type of anomaly in Anomaly Details view 4650 is an “Unusual AD Activity Sequence,” this graphic illustrates the string of activities that triggered the anomaly. It is worth noting that this graphic would not apply for other types of anomalies, such as the “Machine Generated Beacon” 4655 of FIG. 46F. Accordingly, each Anomalies Detailed View provides different boxes and graphics to illustrate parameters that correspond to the type of anomaly in the view, [0494]; As shown in FIG. 40A, the Threats Review view 4000 also includes a “Details” tab 4011. When the user selects this tab, in the example provided in this figure, the Threats Review view is augmented with several additional charts and graphics, as shown in FIGS. 40D, 40E, and 40F, as will be described next, [0461]);
receiving, via a user input, a first data type selection of a first data type via the data type filter menu (i.e. FIG. 40F is an illustrative view of a “Device Locations” map, which is generated upon clicking the “Details” tab in the “Threats Review” screen of FIG. 40A, in accordance with various embodiments of the disclosure, [0057]; The view 4000 can include a filter section 4020 that enables the user to selectively filter out threat results according to time, severity, or type, [0456]);
rendering, for display via the electronic display, the graphical user interface with (i.e. Referring to FIG. 40F, the detailed version of the Threats Review page 4000 also includes a Devices Location map 4090. This map provides a visual indication of the location of the devices associated with the threat. Device is represented on the map by a circle, color-coded to indicate the score, or severity of risk associated with the device or location. If there are multiple devices at a single location (or vicinity), it is represented by a larger circle. In FIG. 40F, there are four locations represented, one in China, two in California, and one in Pittsburgh, PA. By hovering over a circle, such as 4092, the GUI generates a bubble, as shown in FIG. 40G, that provides more detailed location information (in this case, “Beijing—China”), the device name/IP address (“1.94.32.234”), and a link to “View Device Details.” If the GUI user clicks on the link, the GUI navigates to the User Facts view 4100 of FIG. 41, [0474]):
an icon representing each extensible data object that has a data type insight feature corresponding to the selected first data type (i.e. FIG. 40G is an illustrative view of a text bubble generated upon hovering a cursor over a device location in the “Device Locations” map of FIG. 40F, in accordance with various embodiments of the disclosure, [0058]; FIG. 40H is an illustrative view of a text bubble generated upon hovering a cursor over a line drawn between devices in the “Device Locations” map of FIG. 40F, in accordance with various embodiments of the disclosure, [0059]), and
connection lines between icons to represent the relationship insight features between the unstructured documents of the extensible data objects represented by the rendered icons having the data type insight feature corresponding to the selected first data type (i.e. Devices Location map 4009 also includes color-coded lines that connect the devices. For example, line 4093 connects the devices represented by circle 4091 to the device represented by circle 4092. The lines correspond to the one or more anomalies for which the connected devices are participants. As shown in FIG. 40H, by hovering over line 4093, the GUI generates a bubble 4095 that identifies each anomaly represented by that line and a color-code indicating the score for that anomaly. The bubble 4095 additionally includes a link for the GUI user to view all associated anomalies (e.g., “View All 2 Anomalies”). Upon clicking on the link to view all anomalies, the GUI navigates to the associated Anomalies Table 4200, in the format shown in FIG. 42, [0475]);
rendering, for display on the electronic display, a view menu as part of the graphical user interface to facilitate user toggling between a lineage view and a timeline view of the extensible data objects (i.e. because a network login to a target device also creates a new session, the current session should be correlated with the new session. This correlation is referred to herein as session lineage, [0259]; Returning to FIG. 40A, clicking on the “Details” tab 4011 in the Threats Review view 4000 also can generate illustrations of a Threat Anomalies Timeline 4060 ... in FIGS. 40E and 40F, [0469]);
receiving, via user input, a selection of the timeline view (i.e. Returning to FIG. 40A, clicking on the “Details” tab 4011 in the Threats Review view 4000 also can generate illustrations of a Threat Anomalies Timeline 4060, [0469]; By hovering over a point on the line, the GUI generates a bubble indicating the date and number of anomalies on that date. Similar to the Threat Anomalies Timeline 4060, upon clicking on a bubble, the GUI generates an associated Anomalies Table view 4200, in the format shown in FIG. 42, [0471]); and
rendering, for display via the electronic display, in response to the user selection of the timeline view (i.e. Returning to FIG. 40A, clicking on the “Details” tab 4011 in the Threats Review view 4000 also can generate illustrations of a Threat Anomalies Timeline 4060, Threat Anomalies Trend 4070, and Threat Anomalies listing 4080 and Device Locations 4090, in FIGS. 40E and 40F, [0469]):
one or more orbit rings each comprising a plurality of icons around a respective icon representing at least some of extensible data objects, wherein each icon of the plurality of icons represents a different earlier version of the respective extensible data object (i.e. Threat Anomalies Timeline 4060 provides a timeline of each anomaly, sorted by anomaly type. In this example, there are four anomaly types: “Excessive Data Transmission,” “Land Speed Violation,” “Unusual Network Activity,” and “Unusual Activity Time.” The timeline shows a circle corresponding to each occurrence, which is color-coded to indicate its severity. If there is more than one anomaly of the same type on the same date, the circle is made larger. By hovering over a circle, a bubble is generated that provides the date of the anomaly or anomalies and prompts the user to select more detailed information (not shown). Upon clicking on a bubble, the GUI generates an associated Anomalies Table view 4200, in the format shown in FIG. 42, [0470]), and
a timeline that shows the relative time of creation of each version of at least one extensible data object (i.e. To achieve this, in some embodiments, the identity resolution module 812 can initiate, for a given user, different versions of the machine learning model at different point of time, and each version may have a valid life time. As events related to the given user arrive, versions of a machine learning model are initiated, trained, activated, (optionally) continually updated, and finally expired, [0235]; The “Details” version of the Threats Review view 4000 also includes a Threat Anomalies listing 4080, [0472]; Referring to FIG. 40F, the detailed version of the Threats Review page 4000 also includes a Devices Location map 4090, [0474]),
wherein versions of each respective rendered extensible data object are displayed on separate timelines within a primary panel of the graphical user interface (i.e. Threat Anomalies Timeline 4060 provides a timeline of each anomaly, sorted by anomaly type. In this example, there are four anomaly types: “Excessive Data Transmission,” “Land Speed Violation,” “Unusual Network Activity,” and “Unusual Activity Time,” [0470]).
Muddu does not seem to specifically teach "one or more orbit rings each comprising a plurality of icons around a respective icon".
BERWICK teaches "one or more orbit rings each comprising a plurality of icons around a respective icon" (i.e. FIG. 4a illustrates an example dashboard page 300 having a data visualization element represented in the form of an unpopulated multi-dimensional donut 400 ... a plurality of concentric rings of varying diameter (or thickness) axially disposed around the center portion 402, [0074]; the user may select a first sector 414 from one of a plurality of clusters to view specifics about that sector 414. Thus, upon selecting the first sector, all data values and graphical visualizations within the multi-dimensional donut 400 may be dynamically updated to reflect data for only the selected first sector 414, [0075]).
It would have been obvious to one of ordinary skill in the art having the teachings of Muddu and BERWICK before the effective filing date of the claimed invention to modify the system of Muddu to include the limitations as taught by BERWICK. One of ordinary skill in the art would be motivated to make this combination in order to provide the multi-dimensional donut comprising a center region and a plurality of concentric rings axially disposed around the center portion in view of BERWICK ([0008]), as doing so would give the added benefit of enabling the user to select two or more dimensions to view the overlap between the selected two or more dimensions, as taught by BERWICK ([0075]).
As per claim 12, Muddu teaches a system, comprising:
a processor (i.e. Storage adapter 8550 interfaces with an operating system running on processor(s) 8510 to access information on attached storage devices, [0744]);
a memory in communication with the processor (i.e. Storage adapter 8550 includes a plurality of ports having I/O interface circuitry that couples with disks or other storage related devices over an I/O interconnect arrangement, [0744]); and
a non-transitory computer-readable medium with instructions stored thereon to implement operations for generating a dynamic graphical user interface with data objects, the instructions comprising (i.e. The information may be stored on any type of attached array of writable storage media, such as hard disk drives, magnetic tape, optical disk, flash memory, solid-state drives, RAM, MEMs and/or any other similar media adapted to store information, [0744]):
a data object creation module to create an extensible data object for each of the unstructured data elements, including a first extensible data object for a first unstructured data element and a second extensible data object for a second unstructured data element, wherein each extensible data object includes one of the unstructured data elements (i.e. FIG. 9A illustrates raw event data 900 received by the data intake and preparation stage. The raw event data 900, representing an event that occurs, are log data generated by a web gateway server. The web gateway is located where network traffic in and out the environment goes through, and therefore can log the data transfer and web communication from a system inside the environment. The particular event as represented by the event data 900 indicates that, at a particular point of time identified by the timestamp, the user “psibbal” uses the IP address “10.33.240.240” to communicate with an external IP address “74.125.239.107,” and transfers 106 bytes of data. The status code of that event is “200,” and the event is a TCP event where the HTTP status is “GET.” As illustrated, the event data 900 also includes a significant amount of additional information, [0217]);
a structured insight feature module to receive (i.e. The field mapper 808 can map the extracted tokens to one or more corresponding fields with predetermined meanings, [0211]):
a first structured insight feature associated with the first unstructured data element of the first extensible data object (i.e. The particular event as represented by the event data 900 indicates that, at a particular point of time identified by the timestamp, [0217]), and
a second structured insight feature associated with the second unstructured data element of the second extensible data object (i.e. The relationship graph 902 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 902. The relationship graph 902 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges, [0218]; the graph generator 810 attaches the relationship graph 902 to the associated event data 900. For example, the graph 902 may be recorded as an additional field of the event data 900. In alternative embodiments, the relationship graph 902 can be stored and/or transferred individually (i.e., separate from the event data 900) to subsequent nodes in the security platform, [0220]); and
a data object augmentation module to (i.e. a computer program or a server can be coupled to the messaging system to perform this process of combining individual relationship graphs into a composite relationship graph, which can also be called an enterprise security graph, [0221]):
augment the first extensible data object to include the first structured insight feature (i.e. The relationship graph 902 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 902. The relationship graph 902 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges, [0218]; the graph generator 810 attaches the relationship graph 902 to the associated event data 900. For example, the graph 902 may be recorded as an additional field of the event data 900. In alternative embodiments, the relationship graph 902 can be stored and/or transferred individually (i.e., separate from the event data 900) to subsequent nodes in the security platform, [0220]), and
augment the second extensible data object to include the second structured insight feature (i.e. The relationship graph 902 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 902. The relationship graph 902 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges, [0218]; if an event that is received involves both a user and a machine identifier (e.g., if the event data representing the event has both a user identifier and a machine identifier), then machine learning model that is employed by the identity resolution module 812 can use this event to create or update the probability of association between the user and the machine identifier, [0233]; Based on this user association record, the identity resolution module 812 can annotate the new event to explicitly connect the new event to the particular user. For example, the identity resolution module 812 can add, as a field, the particular user's name to the new event in its associated event data, [0239]); and
a graphic user interface module to (i.e. an access interface, also called an “event view”, can be implemented as a class (in object-oriented programming terms, e.g., a Java™ class). An event view includes a name (e.g., view identifier) for subscription purposes. An event view can include a number of fields to access certain attributes of an event; for example, the fields can be used by a machine learning model to identify which subset of the event data (e.g., serverIP, sourceIP, sourcePort, etc.) is the information that the model wants to receive, [0250]):
rendering, for display on an electronic display, a view menu as part of a graphical user interface to facilitate user toggling between a lineage view and a timeline view of the first, second, and third extensible data objects (i.e. because a network login to a target device also creates a new session, the current session should be correlated with the new session. This correlation is referred to herein as session lineage, [0259]; Returning to FIG. 40A, clicking on the “Details” tab 4011 in the Threats Review view 4000 also can generate illustrations of a Threat Anomalies Timeline 4060, [0469]);
receiving, via user input, a selection of the timeline view (i.e. Returning to FIG. 40A, clicking on the “Details” tab 4011 in the Threats Review view 4000 also can generate illustrations of a Threat Anomalies Timeline 4060, [0469]; By hovering over a point on the line, the GUI generates a bubble indicating the date and number of anomalies on that date. Similar to the Threat Anomalies Timeline 4060, upon clicking on a bubble, the GUI generates an associated Anomalies Table view 4200, in the format shown in FIG. 42, [0471]); and
rendering, for display via the electronic display, in response to the user selection of the timeline view (i.e. Returning to FIG. 40A, clicking on the “Details” tab 4011 in the Threats Review view 4000 also can generate illustrations of a Threat Anomalies Timeline 4060, Threat Anomalies Trend 4070, and Threat Anomalies listing 4080 and Device Locations 4090, in FIGS. 40E and 40F, [0469]):
one or more orbit rings each comprising a plurality of icons around a respective icon representing at least some of extensible data objects, wherein each icon of the plurality of icons represents a different earlier version of the respective extensible data object (i.e. Threat Anomalies Timeline 4060 provides a timeline of each anomaly, sorted by anomaly type. In this example, there are four anomaly types: “Excessive Data Transmission,” “Land Speed Violation,” “Unusual Network Activity,” and “Unusual Activity Time.” The timeline shows a circle corresponding to each occurrence, which is color-coded to indicate its severity. If there is more than one anomaly of the same type on the same date, the circle is made larger. By hovering over a circle, a bubble is generated that provides the date of the anomaly or anomalies and prompts the user to select more detailed information (not shown). Upon clicking on a bubble, the GUI generates an associated Anomalies Table view 4200, in the format shown in FIG. 42, [0470]; See Fig. 4D and Fig. 42), and
a timeline that shows the relative time of creation of each version of at least one of the first and second extensible data object (i.e. To achieve this, in some embodiments, the identity resolution module 812 can initiate, for a given user, different versions of the machine learning model at different point of time, and each version may have a valid life time. As events related to the given user arrive, versions of a machine learning model are initiated, trained, activated, (optionally) continually updated, and finally expired, [0235]; The “Details” version of the Threats Review view 4000 also includes a Threat Anomalies listing 4080, [0472]; Referring to FIG. 40F, the detailed version of the Threats Review page 4000 also includes a Devices Location map 4090, [0474]).
Muddu does not seem to specifically teach "one or more orbit rings each comprising a plurality of icons around a respective icon".
BERWICK teaches "one or more orbit rings each comprising a plurality of icons around a respective icon" (i.e. FIG. 4a illustrates an example dashboard page 300 having a data visualization element represented in the form of an unpopulated multi-dimensional donut 400 ... a plurality of concentric rings of varying diameter (or thickness) axially disposed around the center portion 402, [0074]; the user may select a first sector 414 from one of a plurality of clusters to view specifics about that sector 414. Thus, upon selecting the first sector, all data values and graphical visualizations within the multi-dimensional donut 400 may be dynamically updated to reflect data for only the selected first sector 414, [0075]).
It would have been obvious to one of ordinary skill in the art having the teaching of Muddu and BERWICK before the effective filing date of the claimed invention to modify the system of Muddu to include the limitations as taught by BERWICK. One of ordinary skill in the art would be motivated to make this combination in order to provide the multi-dimensional donut comprising a center region and a plurality of concentric rings axially disposed around the center portion in view of BERWICK ([0008]), as doing so would give the added benefit of enabling the user to select two or more dimensions to view the overlap between the selected two or more dimensions as taught by BERWICK ([0075]).
As per claim 3, Muddu teaches the method of claim 1, wherein at least one of the plurality of structured insight features comprises a structured, machine-readable version of the first unstructured document (i.e. After receiving the event data by the data connectors 802, the parsers 806 parse the event data according to a predetermined data format. The data format can be specified in, for example, the configuration file. The data format can be used for several functions. The data format can enable the parser to tokenize the event data into tokens, which may be keys, values, or more commonly, key-value pairs. Examples of supported data format include event data output from an active-directory event, a proxy event, an authentication event, a firewall event, an event from a web gateway, a virtual private network (VPN) connection event, an intrusion detection system event, a network traffic analyzer event, or an event generated from a malware engine, [0209]; the models that are used to generate and track the probability of association between each user and possible machine identifiers are time-dependent, meaning that a result from the models has a time-based dependence on current and past inputs ... the identity resolution module 812 can initiate, for a given user, different versions of the machine learning model at different point of time, and each version may have a valid life time, [0235]).
As per claim 4, Muddu teaches the method of claim 3, wherein another one of the plurality of structured insight features comprises a document categorization identifying a document type of the first unstructured document (i.e. Each parser can implement a set of steps. Depending on what type of data the data intake and preparation stage is currently processing, in some embodiments, the initial steps can include using regular expression to perform extraction or stripping. For example, if the data is a system log (syslog), then a syslog regular expression can be first used to strip away the packet of syslog (i.e., the outer shell of syslog) to reveal the event message inside. Then, the parser can tokenize the event data into a number of tokens for further processing, [0210]).
As per claim 5, Muddu teaches the method of claim 1, wherein at least one of the plurality of structured insight features comprises one of: a computer-readable version of the first unstructured document, an attribute of the first unstructured document, a subject matter expert insight provided with respect to the first unstructured document, a characteristic of the first unstructured document, a relationship between the first unstructured document and another of the unstructured document, and a language translation of the first unstructured document (i.e. Each parser can implement a set of steps. Depending on what type of data the data intake and preparation stage is currently processing, [0210]; The field mapper 808 can map the extracted tokens to one or more corresponding fields with predetermined meanings. For example, the data format can assist the field mapper 808 to identify and extract entities from the tokens, and more specifically, the data format can specify which of the extracted tokens represent entities. In other words, the field mapper 808 can perform entity extraction in accordance with those embodiments that can identify which tokens represent entities. An entity can include, for example, a user, a device, an application, a session, a uniform resource locator (URL), or a threat. Additionally, the data format can also specify which tokens represent actions that have taken place in the event. Although not necessarily, an action can be performed by one entity with respect to another entity; examples of an action include use, visit, connect to, log in, log out, and so forth. In yet another example, the field mapper 808 can map a value extracted to a key to create a key-value pair, based on the predetermined data format, [0211]).
As per claim 7, Muddu teaches the system of claim 6, wherein the operations further include:
receiving, via an additional user input, a second data type selection of a different data type via the data type filter menu (i.e. The view 4000 can include a filter section 4020 that enables the user to selectively filter out threat results according to time, severity, or type. For example, as shown in FIG. 40B, the default provides views of “All Threat Types” 4021 but a user can change this to just review pages for “External,” “Insider,” or “Rule-Based” threats. The filter section 4020 also provides an option to “Select Threat Types,” which enables the user to select the specific types of threats to be included in the Threat Review. The filter section 4020 also enables the user to filter out threats based on their scores by clicking the “Scores” tab 4022. (For example, if the user is only interested in evaluating high risk threats, the user might filter out any threats with a score less than 5). The user can also click on the “Time” tab 4023 to filter out threats based on a date range. For example, if the user is only interested in evaluating very recent threats, the user can choose to filter out any threats earlier than the past 24 hours, [0456]); and
rendering, for display via the electronic display, an updated graphical user interface with (i.e. Returning again to FIG. 40A, Threats Review view 4000 additionally prompts the user to take “Actions” 4010, view additional “Details” 4011, or set up a “Watchlist” 4021. By clicking on the “Actions” tab 4010, the user can select from several options, as shown in FIG. 40, [0461]; As shown in FIG. 40A, the Threats Review view 4000 also includes a “Details” tab 4011. When the user selects this tab, in the example provided in this figure, the Threats Review view is augmented with several additional charts and graphics, as shown in FIGS. 40D, 40E, and 40F, as will be described next, [0460]):
an updated set of icons representing the extensible data objects that have data type insight features corresponding to the second data type selection (i.e. The “Threats Review” view 4000 can additionally include a status chart 4004 that provides a Timeline, list of Anomalies, list of Users, list of Devices, list of Apps, and a suggestion of “What Next.” The Timeline identifies the date that the threat began, the last update concerning the threat, and the duration of time that the threat has been active, [0458]), and
updated connection lines between icons representing the relationship insight features between the unstructured documents of the extensible data objects represented by the rendered icons having the data type insight feature corresponding to the second data type selection (i.e. When the connector (e.g., HDFS connector) is activated to retrieve files of a particular time range (e.g., each file representing a number of events that take place within the particular time range), the connector first refers to a table in the database (“directoryCatalog”) to check if there is any row in the table (e.g., indicating a file) that still needs to process (e.g., which may be a leftover from a previous run). The connector also stores the last time it was run in the database (“lastRunTime”), [0331]).
As per claim 8, Muddu teaches the system of claim 6, wherein the operations further include:
rendering for display on the electronic display, a version filter menu as part of the graphical user interface to facilitate a user selection of one or more versions for each extensible data object displayed as an icon (i.e. The “Threats Review” view 4000 can additionally include a status chart 4004 that provides a Timeline, list of Anomalies, list of Users, list of Devices, list of Apps, and a suggestion of “What Next.” The Timeline identifies the date that the threat began, the last update concerning the threat, and the duration of time that the threat has been active, [0458]);
receiving, via an additional user input, a first version selection of at least one version of a plurality of available versions for each extensible data object displayed as an icon (i.e. The user can also click on the “Time” tab 4023 to filter out threats based on a date range, [0456]); and
rendering, for display via the electronic display, the graphical user interface with (i.e. The view 4000 can include a filter section 4020 that enables the user to selectively filter out threat results according to time, severity, or type ... The user can also click on the “Time” tab 4023 to filter out threats based on a date range, [0456]):
an updated set of icons representing the extensible data objects that have data type insight features corresponding to (i.e. The “Threats Review” view 4000 can additionally include a status chart 4004 that provides a Timeline, list of Anomalies, list of Users, list of Devices, list of Apps, and a suggestion of “What Next.” The Timeline identifies the date that the threat began, the last update concerning the threat, and the duration of time that the threat has been active, [0458]):
the first data type selection (i.e. The view 4000 can include a filter section 4020 that enables the user to selectively filter out threat results according to time, severity, or type ... The user can also click on the “Time” tab 4023 to filter out threats based on a date range, [0456]), and
the first version selection (i.e. When the connector (e.g., HDFS connector) is activated to retrieve files of a particular time range (e.g., each file representing a number of events that take place within the particular time range), the connector first refers to a table in the database (“directoryCatalog”) to check if there is any row in the table (e.g., indicating a file) that still needs to process (e.g., which may be a leftover from a previous run). The connector also stores the last time it was run in the database (“lastRunTime”), [0330]); and
updated connection lines between the updated set of icons (i.e. Thereafter, if the connector determines that the events are recorded in an ascending order (within a tolerance of a few seconds), then the connector can stop parsing and return the time of the first event. Conversely, if the events are stored in a descending order, the connector then seeks toward (e.g., to a few kilobytes short of) the end of the file and retrieves the time of the first event from there. In the case that the connector determines that the events are recorded in an unsorted manner, the connector parses the entire file and returns the lowest time found as the event time of the first event recorded in the file. Then, the connector adds an entry in the database with the filename, time of the first event and other status (e.g., retrieved), [0332]).
As per claim 9, Muddu teaches the system of claim 6, wherein the timeline view further displays the relative time that each insight feature was added to the extensible data object associated with each displayed icon (i.e. The “Link-Event time” is the time that the new session is recorded. Two existing sessions should be linked or correlated if the newly added session (1) matches a link event time range, (2a) has a match in one of its from-session-link-context or to-session-link-context with those of one existing session, and (2b) has at least a partial match in one of its from-session-link-context or to-session-link-context with those of another existing session, [0263]).
As per claim 10, Muddu teaches the system of claim 9, wherein the timeline view further displays information identifying at least one of a person, entity, or subsystem that caused each insight feature to be added to each respective extensible data object associated with each displayed icon (i.e. By hovering over a circle, such as 4092, the GUI generates a bubble, as shown in FIG. 40G, that provides more detailed location information (in this case, “Beijing—China”), the device name/IP address (“1.94.32.234”), and a link to “View Device Details.” If the GUI user clicks on the link, the GUI navigates to the User Facts view 4100 of FIG. 41, [0474]; The particular event as represented by the event data 900 indicates that, at a particular point of time identified by the timestamp, the user “psibbal” uses the IP address “10.33.240.240” to communicate with an external IP address “74.125.239.107,” and transfers 106 bytes of data. The status code of that event is “200,” and the event is a TCP event where the HTTP status is “GET.” As illustrated, the event data 900 also includes a significant amount of additional information, [0217]).
As per claim 13, Muddu teaches the system of claim 12, wherein the structured insight feature module is further configured to receive a third structured insight feature that characterizes a relationship between the first unstructured data element and the second unstructured data element (i.e. FIG. 9A illustrates raw event data 900 received by the data intake and preparation stage. The raw event data 900, representing an event that occurs, are log data generated by a web gateway server. The web gateway is located where network traffic in and out the environment goes through, and therefore can log the data transfer and web communication from a system inside the environment. The particular event as represented by the event data 900 indicates that, at a particular point of time identified by the timestamp, the user “psibbal” uses the IP address “10.33.240.240” to communicate with an external IP address “74.125.239.107,” and transfers 106 bytes of data. The status code of that event is “200,” and the event is a TCP event where the HTTP status is “GET.” As illustrated, the event data 900 also includes a significant amount of additional information, [0217]), and
wherein the data object augmentation module is further configured to augment each of the first extensible data object and the second extensible data object to further include the third structured insight feature that characterizes the relationship between the first and second unstructured data elements (i.e. Two existing sessions should be linked or correlated if the newly added session (1) matches a link event time range, (2a) has a match in one of its from-session-link-context or to-session-link-context with those of one existing session, and (2b) has at least a partial match in one of its from-session-link-context or to-session-link-context with those of another existing session, [0263]).
As per claim 14, Muddu teaches the system of claim 12, wherein the first unstructured data element comprises a first unstructured document (i.e. FIG. 9A illustrates raw event data 900 received by the data intake and preparation stage. The raw event data 900, representing an event that occurs, are log data generated by a web gateway server. The web gateway is located where network traffic in and out the environment goes through, and therefore can log the data transfer and web communication from a system inside the environment. The particular event as represented by the event data 900 indicates that, at a particular point of time identified by the timestamp, the user “psibbal” uses the IP address “10.33.240.240” to communicate with an external IP address “74.125.239.107,” and transfers 106 bytes of data. The status code of that event is “200,” and the event is a TCP event where the HTTP status is “GET.” As illustrated, the event data 900 also includes a significant amount of additional information, [0217]).
As per claim 15, Muddu teaches the system of claim 14, wherein the first structured insight feature comprises a structured, machine-readable version of the first unstructured document (i.e. the models that are used to generate and track the probability of association between each user and possible machine identifiers are time-dependent, meaning that a result from the models has a time-based dependence on current and past inputs ... the identity resolution module 812 can initiate, for a given user, different versions of the machine learning model at different point of time, and each version may have a valid life time, [0235]).
As per claim 16, Muddu teaches the system of claim 15, wherein the second structured insight feature comprises a document categorization identifying a document type of the first unstructured document (i.e. Each parser can implement a set of steps. Depending on what type of data the data intake and preparation stage is currently processing, in some embodiments, the initial steps can include using regular expression to perform extraction or stripping. For example, if the data is a system log (syslog), then a syslog regular expression can be first used to strip away the packet of syslog (i.e., the outer shell of syslog) to reveal the event message inside. Then, the parser can tokenize the event data into a number of tokens for further processing, [0210]).
As per claim 17, Muddu teaches the system of claim 16, wherein the second structured insight feature comprises one of: a computer-readable version of the first unstructured data element, an attribute of the first unstructured data element, a subject matter expert insight provided with respect to the first unstructured data element, a characteristic of the first unstructured data element, a relationship between the first unstructured data element and another of the unstructured data elements, and a language translation of the first unstructured data element (i.e. The field mapper 808 can map the extracted tokens to one or more corresponding fields with predetermined meanings. For example, the data format can assist the field mapper 808 to identify and extract entities from the tokens, and more specifically, the data format can specify which of the extracted tokens represent entities. In other words, the field mapper 808 can perform entity extraction in accordance with those embodiments that can identify which tokens represent entities. An entity can include, for example, a user, a device, an application, a session, a uniform resource locator (URL), or a threat. Additionally, the data format can also specify which tokens represent actions that have taken place in the event. Although not necessarily, an action can be performed by one entity with respect to another entity; examples of an action include use, visit, connect to, log in, log out, and so forth. In yet another example, the field mapper 808 can map a value extracted to a key to create a key-value pair, based on the predetermined data format, [0211]).
Claims 2, 11 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al (US Pub No. 2017/0063902), in view of BERWICK et al (US Pub No. 2019/0034504), as applied to claims above, and further in view of KHOKHAR et al. (US Pub No. 2020/0394612).
As per claim 2, Muddu, BERWICK do not seem to specifically teach the method of claim 1, wherein at least some of the unstructured documents comprise contract documents.
KHOKHAR teaches "wherein at least some of the unstructured documents comprise contract documents" (i.e. The document categories can be exposed to allow the user to select provision types that are extracted across the four agreements, [0257]; Each node shown in the timeline can represent an identified milestone/data period in the construction cycle, [0233]; all the components relating to contract price set out across different provisions in a construction contract are collated and aggregated into a dynamic “live” data hierarchy through which the user can delve into the relevant details on the concept in a structured and organized framework, [0235]; The system 100 provides a dynamic, activated user interface for the review and assessment of identified provisions, [0254]).
It would have been obvious to one of ordinary skill in the art having the teaching of Muddu, BERWICK, and KHOKHAR before the effective filing date of the claimed invention to modify the system of Muddu and BERWICK to include the limitations as taught by KHOKHAR. One of ordinary skill in the art would be motivated to make this combination in order to perform a classification and framework to assess provisions within a document at multiple levels in view of KHOKHAR ([0265]), as doing so would give the added benefit of providing a dynamic, activated interface for review and assessment of identified provisions as taught by KHOKHAR ([0267]).
As per claim 11, Muddu teaches the system of claim 6, wherein each data type insight feature identifies each respective extensible data object as having one of a plurality of different data types, at least one of which data types comprises a contract data type (i.e. An entity can include, for example, a user, a device, an application, a session, a uniform resource locator (URL), or a threat. Additionally, the data format can also specify which tokens represent actions that have taken place in the event, [0210]), and
wherein each relationship insight feature identifies a relationship of the respective unstructured document with an unstructured document of at least one other extensible data object (i.e. Specifically, after the entities are identified in the tokens, the relationship graph generator 810 is operable to identify a number of relationships between the entities, and to explicitly record these relationships between the entities ... Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities. In general, any event involves at least two entities with some relationship between them (e.g., a device and a user who accesses the device) and therefore can be represented as an event-specific relationship graph, [0214]).
Muddu, BERWICK do not seem to specifically teach "a contract data type".
KHOKHAR teaches "a contract data type" (i.e. The document categories can be exposed to allow the user to select provision types that are extracted across the four agreements, [0257]; Each node shown in the timeline can represent an identified milestone/data period in the construction cycle, [0233]; all the components relating to contract price set out across different provisions in a construction contract are collated and aggregated into a dynamic “live” data hierarchy through which the user can delve into the relevant details on the concept in a structured and organized framework, [0235]; The system 100 provides a dynamic, activated user interface for the review and assessment of identified provisions, [0254]).
It would have been obvious to one of ordinary skill in the art having the teaching of Muddu, BERWICK, and KHOKHAR before the effective filing date of the claimed invention to modify the system of Muddu and BERWICK to include the limitations as taught by KHOKHAR. One of ordinary skill in the art would be motivated to make this combination in order to perform a classification and framework to assess provisions within a document at multiple levels in view of KHOKHAR ([0265]), as doing so would give the added benefit of providing a dynamic, activated interface for review and assessment of identified provisions, as taught by KHOKHAR ([0267]).
Response to Arguments
Applicant's arguments with respect to claims 1-17 have been considered but are moot in view of the new ground(s) of rejection.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MIRANDA LE whose telephone number is (571)272-4112. The examiner can normally be reached M-F 7AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kavita Stanley can be reached on 571-272-8352. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MIRANDA LE/ Primary Examiner, Art Unit 2153