EVENT DEDUPLICATION USING MULTIPLE STAGES AND CONCURRENT PROCESSING

§101 §103

DETAILED ACTION Applicant has amended claims 21, 28 and 35 in the filed amendment on 2/5/2026. Claims 21-40 are pending in this office action. Response to Arguments Applicant’s arguments with respect to claim(s) 21-40 have been considered but are moot in new ground of rejection. For 103 rejection: Applicant argued that the prior arts of the record do not explicitly teach limitation “determine, based on a key for the event and a global state, whether the event is a global reoccurring event that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process”. In response to Applicant’s argument, claims are rejected under the new ground. In addition: Ahuja teaches limitations “receive, from a first stage process of another computing node, an event as a possible new event” as receive, from an action as a first stage process of one or more components e.g., network devices, user devices, servers, operating systems, user applications as another computing node, a subevent as an event (paragraphs 51-52, 57, 78-79). The network device(s) or the server of servers is represented as another computing node. Since the subevent that is generated and corresponds to an occurrence of an action is interpreted as a possible new event. For example, subevents may be generated by network devices, user devices, servers, operating systems, user applications, etc. Examples of subevents include, but are not limited to, network status and configuration messages, a device powering on, a device powering off, a device failure, an application error, status and events within a virtual environment, etc. A subevent may correspond to an occurrence of an action itself (e.g., by detecting an incoming/outgoing network message, detecting a device failure, etc.), or a subevent may be represented by data describing a corresponding action (e.g., a log entry describing a received network message, a push notification indicating that a server reboot occurred, etc.) (paragraph 51). A subevent refers to an action or occurrence related to one or more components of a computing environment, and a security event refers to a defined pattern of one or more particular subevent occurrences (paragraph 57); “in response to reception of the event as a possible new event: determine, based on a key for the event and a global state, whether the event is……” as in response to the receiving the subevent that is generated and corresponds to an occurrence of an action is interpreted as a possible new event (paragraphs 51-52), determine, based on timestamp of the subevent as a key for event and state data, which is stored in a security event state table in a remote storage and accessed by one or more applications or servers for updating (fig. 3, paragraphs 79, 86, 90), is represented as a global state (paragraph 65, fig. 4), whether the subevent is a subevent filter (fig. 6, paragraphs 80-83); “in response to a determination that the event is……, update the global state based on the key for the event to generate an updated global state that indicates ……” as in response to a determination that event is the subevent filter, update the data state, which is stored in a security event state table in a remote storage and accessed by one or more applications or servers for updating (fig. 3, paragraphs 79, 86, 90), is represented as a global state (paragraph 65, fig. 4), based on the timestamp of the subevent as the key for the event to generate the updated data state as an updated global state that indicates a new security event has occurred (paragraph 82-84, fig. 6). For example, a subevent processing microservice 340 may update one or more subevent counters, subevent data fields, timestamp fields, security event state data, etc. As described above in reference to FIGS. 4-5, updating the state data may include incrementing/decrementing one or more counters, storing one or more timestamps or other data included with or derived from the associated subevent, determining a next state from a state table based on the subevent matching an associated filter (paragraph 82). At block 610, in response to determining that the updated state data indicates that a new security event has occurred, security event data is generated. For example, a subevent processing microservice 340 may generate a message, notification, log entry, or any other type of data to indicate that the security event has occurred. The security event data may include data from one or more of the subevents that triggered the security event, based on one or more of the security event state items stored in association with the corresponding security event definition, or based on any other source of information related to the comprising subevents. For example, if a subevent processing microservice 340 detects an occurrence of a brute-force password attack security event, the microservice may generate security event state data indicating the type of security event, one or more source and/or destination IP addresses associated with the event, a time at which the attack started or ended, etc (paragraph 84). For example, each of security event states 740-760 may correspond to one of a plurality of states of a state table stored in association with the security event definition for the malware security event. In this example, state A 740 is an initial default state at which zero matching subevents are recorded. Thus, state data associated with the state A 740 indicates a subevent counter 742 value of “0”, a subevent data 744 value of “0”, and a subevent timestamp value of “0” (paragraph 90). Chris teaches limitations “a global reoccurring event” as a new event, which is a duplicate object i.e., an object that already exists in a forum database of remote site of a network (paragraphs 15, 12), is represented as a global reoccurring event (paragraphs 127-128, 133 79); “not a global reoccurring event” the new event, which is not a duplicate object i.e., an object that already exists in a forum database of remote site of a network (paragraphs 15, 12), is represented as a global reoccurring event (paragraphs 129, 133 79). “the event is not a global reoccurring event” as the new event, which is not a duplicate object i.e., an object that already exists in a forum database of remote site of a network (paragraphs 15, 12), is represented as a global reoccurring event (paragraphs 129, 133 79). For 101 rejection: Applicant argued that Applicant submits that amended claim 21 satisfies the above considerations indicative of elements that have integrated the exception into a practical application. For example, amended claim 21 recites "determine, based on a key for the event and a global state, whether the event is a global reoccurring event that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process" and "in response to a determination that the event is not a global reoccurring event, update the global state based on the key for the event to generate an updated global state that indicates the event is not a global reoccurring event." The Specification states that "the ability to run any number of first stage processes as a "triage" stage before sending events to a particular second stage process for a more accurate/refined identification of new events, event deduplication may be performed in a much more efficiently, with less latency, and in a much more scalable manner compared to traditional techniques of event deduplication" and "[t]his may allow for efficiently performing event deduplication on massive streaming datasets and for efficiently scaling to handle changes in the amount of streaming data, while reducing the need for synchronization between different processes that handle input data streams." Specification, paragraph [0012]. Determining whether an event is a global reoccurring event that has been received from other first stage processes of other computing nodes prior to reception of the event by the second stage, as well as generating an updated global state that indicates the event is not a global reoccurring event, improves performance of event deduplication by improving efficiency, latency, and scalability, while also reducing the need for synchronization between different processes that handle input data streams (an improvement in the technical field of data processing). Therefore, Applicant respectfully requests that the rejection of claims 21-40 under 35 U.S.C. § 101 be withdrawn. Examiner respectfully disagrees. The limitations e.g., “performing event deduplication on massive streaming datasets and for efficiently scaling to handle changes in the amount of streaming data, while reducing the need for synchronization between different processes that handle input data streams” or “performance of event deduplication by improving efficiency, latency, and scalability, while also reducing the need for synchronization between different processes that handle input data streams” do not recite in claims. However, claims 21, 28, 35 recite abstract ideas of determine or determining, based on a key for the event and a global state, whether the event is a global reoccurring event that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process; and in response to determination or determining that the event is not a global reoccurring event, update or updating the global state based on the key for the event to generate an updated global state that indicates the event is not a global reoccurring event) as drafted, is a process or system or medium that, under its broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation of generic computer components. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. The human mind can perform step of determining, determining and updating. Accordingly, the claims recite an abstract idea. Step: 2A Claims do not recite any additional elements that integrate the judicial exception into a practical application because additional elements of a computing node comprising one or more processors and memory, the computing node is configured to implement a second state process (in claim 21), a second stage process of a computing node (in claim 28) and program instructions that when executed on or across one or more processors of a computing node, cause the one or more processors to (in claim 35) that are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer component for obtaining that are well understood routine and conventional activities. The additional limitation of (receive, from a first stage process of another computing node, an event as a possible new event; in response to reception of the event as a possible new event) or ( performing, by a second stage process of a computing node: receiving, from a first stage process of another computing node, an event as a possible new event; in response to receiving the event as a possible new event) that would be insignificant post-solution data outputting, and are insignificant extra solution activities which are well understood routine and conventional activities, see (Presenting offers and gathering statistics, OIP Techs and Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec) and See (MPEP 2106.05(g) or 2106.05(d) for Receiving or transmitting data over a network, e.g. see Intellectual Ventures v. Symantec; Storing and retrieving information in memory: Versata; Analyzing data: Genetic Techs; Determining: OIP Techs; Electronic recordkeeping: Alice Corp). The additional limitation of (a global reoccurring event that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process) that just indicates event received before receiving other event. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea. Step: 2B Claims do not recite any additional elements that amount to significantly more than the judicial exception because additional elements of a computing node comprising one or more processors and memory, the computing node is configured to implement a second state process (in claim 21), a second stage process of a computing node (in claim 28) and program instructions that when executed on or across one or more processors of a computing node, cause the one or more processors to (in claim 35) that are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer component for obtaining that are well understood routine and conventional activities. The additional limitation of (receive, from a first stage process of another computing node, an event as a possible new event; in response to reception of the event as a possible new event) or ( performing, by a second stage process of a computing node: receiving, from a first stage process of another computing node, an event as a possible new event; in response to receiving the event as a possible new event) that would be insignificant post-solution data outputting, and are insignificant extra solution activities which are well understood routine and conventional activities, see (Presenting offers and gathering statistics, OIP Techs and Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec) and See (MPEP 2106.05(g) or 2106.05(d) for Receiving or transmitting data over a network, e.g. see Intellectual Ventures v. Symantec; Storing and retrieving information in memory: Versata; Analyzing data: Genetic Techs; Determining: OIP Techs; Electronic recordkeeping: Alice Corp). The additional limitation of (a global reoccurring event that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process) that just indicates event received before receiving other event . Accordingly, these additional elements do not amount to significantly more than the judicial exception. The claims are not patent eligible. As discussed above the 101 rejection for claims is still maintained in this office action. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 21-40 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 6-20 of U.S. Patent No. 12210497 in view of WILLCOX et al (or hereinafter “Wi”) (US 20210365464). Claims 6-20 of U.S. Patent No. 12210497 teach all limitation of claims 21-40 of the instant application, except limitation “that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process”. Claims 6-20 of U.S. Patent No. 12210497 do not explicitly teach the limitations that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process. However, Wi teaches limitations “……that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process” as a primary event that is received by secondary event handler (510) as the second stage process of a client 502 as the computing node from a writer thread 518 one first stage process of one or more caches as one or more additional computing nodes or a join frame work 504 as additional computing node (fig. 5, paragraphs 130, 133) before receiving secondary event from a process secondary command as a first stage process (paragraphs 130-133). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Wi’s teaching to claims 6-20 of U.S. Patent No. 12210497’s system in order to reduce unnecessary get operations issued to a data store for receiving events quickly, to use a stream processing engine with additional hardware and software to harden inaccuracies detected during stream processing, and further to provide the level of accuracy provided by larger batches. Claims 21, 28, 35 recite the same limitation as claims 6, 15 of the reference patent 12210497 Claims 22, 29, 36 recite the same limitation as claims 6, 15 of the reference patent 12210497 Claims 23, 30, 37 recite the same limitation as claim 9 of the reference patent 12210497 Claims 24, 31, 38 recite the same limitation as claims 6, 15 of the reference patent 12210497 Claims 25, 32, 39 recite the same limitation as claim 7 of the reference patent 12210497 Claims 26, 33, 40 recite the same limitation as claims 6, 15 of the reference patent 12210497 Claims 27, 34 recite the same limitation as claims 6, 15 of the reference patent 12210497. The claims of the instant application and the claims of the reference patents are compared in the table below: The instant application Reference patent 12210497 21. A system, comprising: a computing node comprising one or more processors and memory, wherein the computing node is configured to implement a second stage process to: receive, from a first stage process of another computing node, an event as a possible new event; in response to reception of the event as a possible new event: determine, based on a key for the event and a global state, whether the event is a global reoccurring event that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process; and in response to a determination that the event is not a global reoccurring event, update the global state based on the key for the event to generate an updated global state that indicates the event is not a global reoccurring event. 22. (New) The system of claim 21, wherein the second stage process is configured to output the event as a new event. 23. (New) The system of claim 21, wherein the global state comprises a global lookup table, and wherein to determine that the event is not a global reoccurring event, the second stage process is configured to: determine, based on the key for the event, that an entry for the event does not exist in the global lookup table. 24. (New) The system of claim 21, wherein the second stage process is configured to send at least a portion of the global state to the first stage process to update a local state of the first stage process. 25. (New) The system of claim 21, wherein the second stage process is configured to: receive, from the first stage process of the other computing node, a promote state event that corresponds to another event obtained by the first stage process; and in response to reception of the promote state event, update a global state based on a key for the other event. 26. (New) The system of claim 21, wherein the second stage process is configured to: receive, from a first stage process of an additional computing node, an additional event as a possible new event; in response to reception of the additional event as a possible new event: determine, based on a key for the additional event and the global state, whether the additional event is a global reoccurring event; and in response to a determination that the additional event is not a global reoccurring event, update the global state based on the key for the additional event. 27. (New) The system of claim 26, wherein the second stage process is configured to: output the additional event as an additional new event; and send at least a portion of the global state to the first stage process of the other computing node and to the first stage process of the additional computing node. 28. (Currently Amended) A method, comprising: performing, by a second stage process of a computing node: receiving, from a first stage process of another computing node, an event as a possible new event; in response to receiving the event as a possible new event: determining, based on a key for the event and a global state, whether the event is a global reoccurring event that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process; and in response to determining that the event is not a global reoccurring event, updating the global state based on the key for the event to generate an updated global state that indicates the event is not a global reoccurring event. 29. (New) The method of claim 28, further comprising outputting the event as a new event. 30. (New) The method of claim 28, wherein the global state comprises a global lookup table, and wherein determining that the event is not a global reoccurring event comprises: determining, based on the key for the event, that an entry for the event does not exist in the global lookup table. 31. (New) The method of claim 28, further comprising sending at least a portion of the global state to the first stage process to update a local state of the first stage process. 32. (New) The method of claim 28, further comprising: receiving, from the first stage process of the other computing node, a promote state event that corresponds to another event obtained by the first stage process;and in response to receiving the promote state event, updating a global state based on a key for the other event. 33. (New) The method of claim 28, further comprising: receiving, from a first stage process of an additional computing node, an additional event as a possible new event; in response to receiving the additional event as a possible new event:determining, based on a key for the additional event and the global state, whether the additional event is a global reoccurring event; andin response to determining that the additional event is not a global reoccurring event, updating the global state based on the key for the additional event. 34. (New) The method of claim 33, further comprising: outputting the additional event as an additional new event; and sending at least a portion of the global state to the first stage process of the other computing node and to the first stage process of the additional computing node. 35. (New) One or more non-transitory computer-accessible storage media storing program instructions that when executed on or across one or more processors of a computing node, cause the one or more processors to implement a second stage process to: receive, from a first stage process of another computing node, an event as a possible new event; in response to reception of the event as a possible new event: determine, based on a key for the event and a global state, whether the event is a global reoccurring event that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process; and in response to a determination that the event is not a global reoccurring event, update the global state based on the key for the event to generate an updated global state that indicates the event is not a global reoccurring event. 36. (New) The one or more storage media as recited in claim 35, further comprising program instructions that when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to: output the event as a new event. 37. (New) The one or more storage media as recited in claim 35, wherein the global state comprises a global lookup table, and wherein to determine that the event is not a global reoccurring event, the program instructions when executed on or across the one ormore processors further cause the one or more processors to implement the second stage process to:determine, based on the key for the event, that an entry for the event does not exist in the global lookup table. 38. (New) The one or more storage media as recited in claim 35, further comprising program instructions that when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to: send at least a portion of the global state to the first stage process to update a local state of the first stage process. 39. (New) The one or more storage media as recited in claim 35, further comprising program instructions that when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to: receive, from the first stage process of the other computing node, a promote state event that corresponds to another event obtained by the first stage process;and in response to reception of the promote state event, update a global state based on a key for the other event. 40. (New) The one or more storage media as recited in claim 35, further comprising program instructions that when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to: receive, from a first stage process of an additional computing node, an additional event as a possible new event; in response to reception of the additional event as a possible new event:determine, based on a key for the additional event and the global state, whether the additional event is a global reoccurring event; andin response to a determination that the additional event is not a global reoccurring event, update the global state based on the key for the additional event. 6. A method, comprising: performing, by a first stage process of a computing node: obtaining an event from an input stream of events; determining, based on a key for the event and a local state, whether the event is a local reoccurring event; in response to determining that the event is not a local reoccurring event: updating the local state based on the key for the event; and sending the event to a second stage process as a possible new event; and performing, by the second stage process of another computing node: receiving the event as a possible new event; determining, based on the key for the event and a global state, whether the event is a global reoccurring event; and in response to determining that the event is not a global reoccurring event: updating the global state based on the key for the event; and outputting the event as a new event; and sending at least a portion of the global state to the first stage process to update the local state. 7. The method of claim 6, further comprising: performing, by the first stage process: obtaining another event from the input stream; determining, based on a key for the other event and the local state, that the other event is a local reoccurring event; in response to determining that the other event is a local reoccurring event: determining, based on the key for the other event and a property of the local state, whether to send a promote state event to the second stage process; in response determining to send the promote state event, sending the promote state event to the second stage process; and updating the property of the local state based on the key for the other event; and performing, by the second stage process: receiving the promote state event; and in response to receiving the promote state event, updating a global state based on the key for the other event. 8. The method of claim 7, wherein the local state comprises a local lookup table, and wherein updating the property of the local state based on the key for the other event comprises: re-ordering a group of entries in the local lookup table, wherein an entry that corresponds to the key for the other event is moved ahead within the group of entries according to a most recently used to least recently used ordering, or updating a timestamp for the entry that corresponds to the key for the other event. 9. The method of claim 6, wherein the local state comprises a local lookup table, and wherein determining that the event is not a local reoccurring event comprises: determining, based on the key for the event, that an entry for the event does not exist in the local lookup table. 10. The method of claim 9, wherein determining, based on the key for the event, that an entry for the event does not exist in the local lookup table comprises: generating a digest based on a hash of the key; and determining that the local lookup table does not have an entry for the digest. 11. The method of claim 6, wherein the local state comprises a local lookup table, and wherein updating the local state based on the key for the event comprises: expiring an entry from the local lookup table that corresponds to a key for another event; and inserting a new entry into the local lookup table that corresponds to the key for the event. 12. The method of claim 6, further comprising: identifying a plurality of portions of data based on the obtained event; and generating the key based on the plurality of portions of data. 13. The method of claim 6, further comprising: performing, by a first stage process of a computing node: receiving, from the other computing note, at least a portion of the global state; and in response to receiving at least the portion of the global state, updating the local state based on at least the portion of the global state. 14. The method of claim 6, wherein a network comprises the computing node and another network comprises the other computing node, and wherein the network is remote from the other network, and wherein the first stage process runs concurrent with other first stage processes at other computing nodes that send other events to the second stage process as other possible new events. 15. One or more non-transitory computer-accessible storage media storing program instructions that when executed on or across one or more processors of a second stage computing node of an event deduplication system, cause the one or more processors to implement a second stage process to: receive, from different first stage processes on different first stage computing nodes of the event deduplication system, a plurality of possible new events obtained by the different first stage processes from different input streams, wherein for an event of the plurality of possible new events obtained by a given first stage process from a given input stream, the one or more processors implement the second stage process to: determine, based on a key for the event and a global state, whether the event is a global reoccurring event; in response to a determination that the event is not a global reoccurring event, update the global state based on the key for the event and output the event as a new event; and send at least a portion of the global state to the different first stage processes to update a local state associated with the different first stage processes. 16. The one or more storage media as recited in claim 15, wherein the global state comprises a global lookup table, and wherein to update the global state based on the key for the event, the program instructions when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to: insert an entry into the global lookup table that corresponds to the key for the event. 17. The one or more storage media as recited in claim 15, further comprising program instructions that when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to: receive another possible new event from one of the first stage processes; determine, based on a key for the other possible new event and the global state, whether the other possible new event is a global reoccurring event; and in response to a determination that the other possible new event is a global reoccurring event, update the global state based on the key for the other possible new event. 18. The one or more storage media as recited in claim 17, wherein the global state comprises a global lookup table, and wherein to update the global state based on the key for the other possible new event, the program instructions when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to: re-order a group of entries in the global lookup table, wherein an entry that corresponds to the key for the other possible new event is moved ahead within the group of entries according to a most recently used to least recently used ordering, or update a timestamp for the entry that corresponds to the key for the other possible new event. 19. The one or more storage media as recited in claim 15, further comprising program instructions that when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to: receive a promote state event from one of the first stage processes, wherein the promote state event corresponds to a recurring event obtained by the first stage process; and in response to reception of the promote state event, update the global state based on a key for the recurring event. 20. The one or more storage media as recited in claim 15, further comprising program instructions that when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to: receive a request from one of the first stage processes for the global state; and in response to reception of the request, send at least the portion of the global state to the first stage process. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 21-40 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Per Step 1, claim 21 is directed to a system, claim 28 is directed to a method, and claim 35 is directed to one or more non-transitory computer-accessible storage media, which are statutory categories of invention per Step 1. However, the claims are rejected under 35 U.S.C. 101 because they are directed to an abstract idea, a judicial exception, without reciting additional elements that integrate the judicial exception into a practical application or are significantly more. Step 2: a) In analyzing under step 2A Prong One, Does the claim recite an abstract idea law of nature or natural phenomenon? Yes. Claims 21, 28, 35 recite abstract idea of determine or determining, based on a key for the event and a global state, whether the event is a global reoccurring event that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process; and in response to determination or determining that the event is not a global reoccurring event, update or updating the global state based on the key for the event to generate an updated global state that indicates the event is not a global reoccurring event) as drafted, is a process or system or medium that, under its broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation of generic computer components. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. The human mind can perform step of determining, determining, and updating. Accordingly, the claims recite an abstract idea. b) In analyzing under step 2A Prong Two, Does the claim recite additional elements that integrate the judicial exception into a practical application? NO. Claims do not recite any additional elements that integrate the judicial exception into a practical application because additional elements of a computing node comprising one or more processors and memory, the computing node is configured to implement a second state process (in claim 21), a second stage process of a computing node (in claim 28) and program instructions that when executed on or across one or more processors of a computing node, cause the one or more processors to implement a second stage process to (in claim 35) that are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer component for obtaining that are well understood routine and conventional activities. The additional limitation of (receive, from a first stage process of another computing node, an event as a possible new event; in response to reception of the event as a possible new event) or ( performing, by a second stage process of a computing node: receiving, from a first stage process of another computing node, an event as a possible new event; in response to receiving the event as a possible new event) that would be insignificant post-solution data outputting, and are insignificant extra solution activities which are well understood routine and conventional activities, see (Presenting offers and gathering statistics, OIP Techs and Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec) and See (MPEP 2106.05(g) or 2106.05(d) for Receiving or transmitting data over a network, e.g. see Intellectual Ventures v. Symantec; Storing and retrieving information in memory: Versata; Analyzing data: Genetic Techs; Determining: OIP Techs; Electronic recordkeeping: Alice Corp). The additional limitation of (a global reoccurring event that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process) that just indicates event received before receiving other event. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea. c) In analyzing under step 2B, does the claim recite additional elements that amount to significantly more than the judicial exception? NO Claims do not recite any additional elements that amount to significantly more than the judicial exception because additional elements of a computing node comprising one or more processors and memory, the computing node is configured to implement a second state process (in claim 21), a second stage process of a computing node (in claim 28) and program instructions that when executed on or across one or more processors of a computing node, cause the one or more processors to (in claim 35) that are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer component for obtaining that are well understood routine and conventional activities. The additional limitation of (receive, from a first stage process of another computing node, an event as a possible new event; in response to reception of the event as a possible new event) or ( performing, by a second stage process of a computing node: receiving, from a first stage process of another computing node, an event as a possible new event; in response to receiving the event as a possible new event) that would be insignificant post-solution data outputting, and are insignificant extra solution activities which are well understood routine and conventional activities, see (Presenting offers and gathering statistics, OIP Techs and Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec) and See (MPEP 2106.05(g) or 2106.05(d) for Receiving or transmitting data over a network, e.g. see Intellectual Ventures v. Symantec; Storing and retrieving information in memory: Versata; Analyzing data: Genetic Techs; Determining: OIP Techs; Electronic recordkeeping: Alice Corp). The additional limitation of (a global reoccurring event that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process) that just indicates event received before receiving other event. Accordingly, these additional elements do not amount to significantly more than the judicial exception. The claims are not patent eligible. Dependent claims 22-27, 29-34, 36-40 include all the limitations of claims 21, 28, 35. Therefore, claims 22-27, 29-34, 36-40 recite the same abstract idea of processing and generating practically being performed in the mind, and the analysis must therefore proceed to Step 2A Prong Two. In particularly: Claims 22, 29, 36 recite limitation (output or outputting the event as a new event) that would be insignificant post-solution data outputting, and are insignificant extra solution activities which are well understood routine and conventional activities, see (Presenting offers and gathering statistics, OIP Techs and Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec) and See (MPEP 2106.05(g) or 2106.05(d) for Receiving or transmitting data over a network, e.g. see Intellectual Ventures v. Symantec; Storing and retrieving information in memory: Versata; Analyzing data: Genetic Techs; Determining: OIP Techs; Electronic recordkeeping: Alice Corp). Claims 23, 30, 37 similarly recite abstract limitation of (wherein to determine that the event is not a global reoccurring event; determine, based on the key for the event, that an entry for the event does not exist in the global lookup table or determining that the event is not a global reoccurring event comprises: determining, based on the key for the event, that an entry for the event does not exist in the global lookup table.) as drafted, is a process or system or medium that, under its broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation of generic computer components. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. The human mind can perform step of determining and determining. Accordingly, the claims recite an abstract idea. The additional imitation (wherein the global state comprises a global lookup table) that just indicates state including table and, Claims 24, 31, 38 similarly recite limitation (send at least a portion of the global state to the first stage process to update a local state of the first stage process) that would be insignificant post-solution data outputting, and are insignificant extra solution activities which are well understood routine and conventional activities, see (Presenting offers and gathering statistics, OIP Techs and Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec) and See (MPEP 2106.05(g) or 2106.05(d) for Receiving or transmitting data over a network, e.g. see Intellectual Ventures v. Symantec; Storing and retrieving information in memory: Versata; Analyzing data: Genetic Techs; Determining: OIP Techs; Electronic recordkeeping: Alice Corp). Claims 25, 32, 39 similarly recite abstract limitation of update a global state based on a key for the other event as drafted, is a process or system or medium that, under its broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation of generic computer components. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. The human mind can perform step of updating. Accordingly, the claims recite an abstract idea. The additional limitation of ( receive, from the first stage process of the other computing node, a promote state event that corresponds to another event obtained by the first stage process; and in response to reception of the promote state event) that would be insignificant post-solution data outputting, and are insignificant extra solution activities which are well understood routine and conventional activities, see (Presenting offers and gathering statistics, OIP Techs and Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec) and See (MPEP 2106.05(g) or 2106.05(d) for Receiving or transmitting data over a network, e.g. see Intellectual Ventures v. Symantec; Storing and retrieving information in memory: Versata; Analyzing data: Genetic Techs; Determining: OIP Techs; Electronic recordkeeping: Alice Corp). Claims 26, 33, 40 recites abstract limitation of (determine, based on a key for the additional event and the global state, whether the additional event is a global reoccurring event; and in response to a determination that the additional event is not a global reoccurring event, update the global state based on the key for the additional event) as drafted, is a process or system or medium that, under its broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation of generic computer components. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. The human mind can perform step of determining, and updating. Accordingly, the claims recite an abstract idea. The additional limitation of receive, from a first stage process of an additional computing node, an additional event as a possible new event; in response to reception of the additional event as a possible new event that would be insignificant post-solution data outputting, and are insignificant extra solution activities which are well understood routine and conventional activities, see (Presenting offers and gathering statistics, OIP Techs and Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec) and See (MPEP 2106.05(g) or 2106.05(d) for Receiving or transmitting data over a network, e.g. see Intellectual Ventures v. Symantec; Storing and retrieving information in memory: Versata; Analyzing data: Genetic Techs; Determining: OIP Techs; Electronic recordkeeping: Alice Corp). Claims 27, 34 similarly recites limitations of (output the additional event as an additional new event; and send at least a portion of the global state to the first stage process of the other computing node and to the first stage process of the additional computing node) that would be insignificant post-solution data outputting, and are insignificant extra solution activities which are well understood routine and conventional activities, see (Presenting offers and gathering statistics, OIP Techs and Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec) and See (MPEP 2106.05(g) or 2106.05(d) for Receiving or transmitting data over a network, e.g. see Intellectual Ventures v. Symantec; Storing and retrieving information in memory: Versata; Analyzing data: Genetic Techs; Determining: OIP Techs; Electronic recordkeeping: Alice Corp). Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea. Accordingly, these additional elements do not amount to significantly more than the judicial exception. The claims are not patent eligible. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 21-23, 26, 28-30, 33, 35-37, 40 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja et al (US 20180083985) in view of Christie et al (or hereinafter “Chris”) (US 20050165861) and WILLCOX et al (or hereinafter “Wi”) (US 20210365464) As to claims 21, 35, Ahuja teaches a system comprising: or one or more non-transitory computer-accessible storage media storing program instructions that when executed on or across one or more processors of a computing node, cause the one or more processors to implement a second stage process to (paragraphs 33, 116-117): “a computing node comprising one or more processors and memory, wherein the computing node is configured to implement a second stage process to:” as a security service e.g., 110 (fig. 1, paragraph 36) or 306 as a computing node (fig. 3) includes a processor and memory (fig. 1, paragraphs 33-34), the security service 110 or 306 is configured to perform various actions that includes a second action as a second stage process to (paragraphs 33-34, 58); “receive, from a first stage process of another computing node, an event as a possible new event” as receive, from an action as a first stage process of one or more components e.g., network devices, user devices, servers, operating systems, user applications as another computing node, a subevent as an event (paragraphs 51-52, 57, 78-79). The network device(s) or the server of servers is represented as another computing node. Since the subevent that is generated and corresponds to an occurrence of an action is interpreted as a possible new event. For example, subevents may be generated by network devices, user devices, servers, operating systems, user applications, etc. Examples of subevents include, but are not limited to, network status and configuration messages, a device powering on, a device powering off, a device failure, an application error, status and events within a virtual environment, etc. A subevent may correspond to an occurrence of an action itself (e.g., by detecting an incoming/outgoing network message, detecting a device failure, etc.), or a subevent may be represented by data describing a corresponding action (e.g., a log entry describing a received network message, a push notification indicating that a server reboot occurred, etc.) (paragraph 51). A subevent refers to an action or occurrence related to one or more components of a computing environment, and a security event refers to a defined pattern of one or more particular subevent occurrences (paragraph 57); “in response to reception of the event as a possible new event: determine, based on a key for the event and a global state, whether the event is……” as in response to the receiving the subevent that is generated and corresponds to an occurrence of an action is interpreted as a possible new event (paragraphs 51-52), determine, based on timestamp of the subevent as a key for event and state data, which is stored in a security event state table in a remote storage and accessed by one or more applications or servers for updating (fig. 3, paragraphs 79, 86, 90), is represented as a global state (paragraph 65, fig. 4), whether the subevent is a subevent filter (fig. 6, paragraphs 80-83); “in response to a determination that the event is……, update the global state based on the key for the event to generate an updated global state that indicates ……” as in response to a determination that event is the subevent filter, update the data state, which is stored in a security event state table in a remote storage and accessed by one or more applications or servers for updating (fig. 3, paragraphs 79, 86, 90), is represented as a global state (paragraph 65, fig. 4), based on the timestamp of the subevent as the key for the event to generate the updated data state as an updated global state that indicates a new security event has occurred (paragraph 82-84, fig. 6). For example, a subevent processing microservice 340 may update one or more subevent counters, subevent data fields, timestamp fields, security event state data, etc. As described above in reference to FIGS. 4-5, updating the state data may include incrementing/decrementing one or more counters, storing one or more timestamps or other data included with or derived from the associated subevent, determining a next state from a state table based on the subevent matching an associated filter (paragraph 82). At block 610, in response to determining that the updated state data indicates that a new security event has occurred, security event data is generated. For example, a subevent processing microservice 340 may generate a message, notification, log entry, or any other type of data to indicate that the security event has occurred. The security event data may include data from one or more of the subevents that triggered the security event, based on one or more of the security event state items stored in association with the corresponding security event definition, or based on any other source of information related to the comprising subevents. For example, if a subevent processing microservice 340 detects an occurrence of a brute-force password attack security event, the microservice may generate security event state data indicating the type of security event, one or more source and/or destination IP addresses associated with the event, a time at which the attack started or ended, etc (paragraph 84). For example, each of security event states 740-760 may correspond to one of a plurality of states of a state table stored in association with the security event definition for the malware security event. In this example, state A 740 is an initial default state at which zero matching subevents are recorded. Thus, state data associated with the state A 740 indicates a subevent counter 742 value of “0”, a subevent data 744 value of “0”, and a subevent timestamp value of “0” (paragraph 90). Ahuja does not explicitly teach the limitations a global reoccurring event that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process; not a global reoccurring event; the event is not a global reoccurring event. Wi teaches limitations “……that has been received by the second stage process of the computing node from one or more other first stage processes of one or more additional computing nodes prior to reception of the event from the first stage process” as a primary event that is received by secondary event handler (510) as the second stage process of a client 502 as the computing node from a writer thread 518 one first stage process of one or more caches as one or more additional computing nodes or a join frame work 504 as additional computing node (fig. 5, paragraphs 130, 133) before receiving secondary event from a process secondary command as a first stage process (paragraphs 130-133). In particularly: since no secondary events were found, the method (600a) determines that the primary event was received before any secondary events and thus the event was received in-order. In one embodiment, the method (600a) awaits confirmation that the primary event was written to the backing store (522) prior to returning the event to the client (502). In one embodiment, the writer thread (518) delivers the event to the client (502) upon the completed write to the backing store (522). In one embodiment, the writer thread (518) calls the deliverEvent and ackEvent methods on the primary event handler (508) to deliver the marked event (paragraph 130). At a later time, a client (502) receives a secondary event to be joined with the primary event. In the illustrated embodiment, in step 614a, the method (600a) receives this later secondary event from the client. In one embodiment, the client (502) calls a process Secondary command on the join interface (514) to transmit this event to the method (600a) (paragraph 131). Wi and Ahuja disclose a method of updating data in response to receiving an event. These references are same field with application’s field. Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Wi’s teaching to Ahuja’s system in order to reduce unnecessary get operations issued to a data store for receiving events quickly, to use a stream processing engine with additional hardware and software to harden inaccuracies detected during stream processing, and further to provide a level of accuracy provided by larger batches. Chris teaches limitations “a global reoccurring event” as a new event, which is a duplicate object i.e., an object that already exists in a forum database of remote site of a network (paragraphs 15, 12), is represented as a global reoccurring event (paragraphs 127-128, 133 79); “not a global reoccurring event” the new event, which is not a duplicate object i.e., an object that already exists in a forum database of remote site of a network (paragraphs 15, 12), is represented as a global reoccurring event (paragraphs 129, 133 79). “the event is not a global reoccurring event” as the new event, which is not a duplicate object i.e., an object that already exists in a forum database of remote site of a network (paragraphs 15, 12), is represented as a global reoccurring event (paragraphs 129, 133 79). Chris further teaches limitations “receive, from a first stage process of another computing node, an event as a possible new event” as receive, from cloud-based platform hosted by the host server 100 as a first stage process of another computing node, an event that is new event as a possible new event (paragraphs 121-22, 125); “in response to reception of the event as a possible new event: determine……whether the event is a global reoccurring event” as in response to reception of the event as a new event (paragraphs 121, 127): determine the new event, which is a duplicate object i.e., an object that already exists in a forum database of remote site (paragraph 15) of a network (paragraph 12), is represented as a global reoccurring event (paragraphs 129, 133 79); “ in response to a determination that the event is not a global reoccurring event” as in response to reception of the event as a new event (paragraphs 121, 127): determine the new event, which is not a duplicate object i.e., an object that already exists in a forum database of remote site (paragraph 15) of a network (paragraph 12), is represented as a global reoccurring event (paragraphs 129, 133 79). Chris and Ahuja disclose a method of updating a state in response to receiving an event. These references are same field with application’s field. Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Chris’s teaching to Ahuja’s system in order to minimize unnecessary transmissions, number of messages concurrently in-transit among computing devices, to maintain latency information to determine transmission failures, and further to synchronize information among computing devices such as information must be replicated from one computing device to another computing device. As to claims 22, 29, 36, Ahuja and Chris teach limitation “wherein the second stage process is configured to output the event as a new event or outputting the event as a new event or program instructions that when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to: output the event as a new event” as instructions that are executed by a processor cause the processor to perform the second action of the actions as a second stage to (Ahuja: paragraphs 33-34, 58) obtain the new event (Chris: paragraph 131). As to claims 23, 30, 37, Ahuja and Chris teach limitation “wherein the global state comprises a global lookup table” as the state data, which is stored in a security event state table in a remote storage and accessed by one or more applications or servers for updating (Ahuja: fig. 3, paragraphs 79, 86, 90), is represented as the global state includes (Ahuja: paragraph 65, fig. 4), event table or forum database, which is located at each remote site and accessed to determine whether an object exist in the event table, is represented as a global lookup table (Chris: paragraphs 15, 127, 166, 138); “wherein to determine that the event is not a global reoccurring event, the second stage process is configured to: determine, based on the key for the event, that an entry for the event does not exist in the global lookup table; or wherein determining that the event is not a global reoccurring event comprises: determining, based on the key for the event, that an entry for the event does not exist in the global lookup table; or wherein to determine that the event is not a global reoccurring event, the program instructions when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to: determine, based on the key for the event, that an entry for the event does not exist in the global lookup table” as determination that the subevent (Ahuja: paragraph 82-84, fig. 6) is not a duplicate object i.e., an object that already exists in a forum database of the remote site, is represented as a global reoccurring event (Chris: paragraphs 129, 133, 79), instructions that are executed by a processor cause the processor to perform the second action of the actions as a second stage to (Ahuja: paragraphs 33-34, 58) determine, based on timestamp as a key for the subevent as the event , that (Ahuja: paragraphs 82-84, fig. 6) an entry for the event or object does not exist in the remote site’s event table as the global lookup table (Chris: paragraphs 166, 133, 79). As to claims 26, 33, 40, Ahuja and Chris teach limitations “wherein the second stage process is configured to” as the second action of the actions as a second stage process to (Ahuja: paragraphs 33-34, 58): or a second process (Chris: paragraphs 33, 116-117): or “program instructions that when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to:” as instructions that are executed by a processor to perform the action of the actions to (Ahuja: paragraphs 33-34, 58) “receive, from a first stage process of an additional computing node, an additional event as a possible new event” as receive subevents that includes a second subevent as an additional event from an application of applications 302 of (Ahuja: paragraph 54; Chris: paragraph 131) a second computer of computers 202A as additional computing node (Chris: fig. 2A, paragraphs 49-50); “in response to reception of the additional event as a possible new event: determine, based on a key for the additional event and the global state, whether the additional event is a global reoccurring event or in response to receiving the additional event as a possible new event: determining, based on a key for the additional event and the global state, whether the additional event is a global reoccurring event” as in response to the receiving a second subevent as the additional event that is generated and corresponds to an occurrence of an action is interpreted as a possible new event (Ahuja: paragraphs 51-52), determine, based on timestamp as a key of the second subevent as the additional event and the state data, which is stored in a security event state table in a remote storage and accessed by one or more applications or servers for updating (Ahuja: fig. 3, paragraphs 79, 86, 90), is represented as a global state (Ahuja: paragraph 65, fig. 4), whether the subevent is (Ahuja: fig. 6, paragraphs 80-83) a new event, which is a duplicate object i.e., an object that already exists in a forum database of remote site of a network (Chris: paragraphs 15, 12), is represented as a global reoccurring event (Chris: paragraphs 127-128, 133 79); “in response to a determination that the additional event is not a global reoccurring event, update the global state based on the key for the additional event” as in response to a determination that the second subevent of the subevents as the additional event is (Ahuja: paragraph 82-84, fig. 6) not a duplicate object i.e., an object that already exists in a forum database of the site e.g., site, is represented as a global reoccurring event (Chris: paragraphs 129, 133, 79), update the data state that is stored in a security event state table in a remote storage, is represented as the global state (Ahuja: paragraph 65, fig. 4), based on a timestamp as the key for the second subevent as the additional event (Ahuja: paragraph 82-84, fig. 6). Claim 28 has the same limitation as discussed in claim 21; thus claim 28 is rejected under the same reason as discussed in claim 21. In addition, Ahuja further teaches limitations: “performing, by a second stage process of a computing node:” as performing, by a second action as a second stage process of a security service e.g., 110 (fig. 1, paragraph 36) or 306 as a computing node (fig. 3) (paragraphs 33-34, 58): “in response to receiving the event as a possible new event: determining, based on a key for the event and a global state, whether the event is a global reoccurring event” as in response to the receiving the subevent that is generated and corresponds to an occurrence of an action is interpreted as a possible new event (paragraphs 51-52), determine, based on timestamp of the subevent as a key for subevent and state data that is stored in a security event state table in a remote storage (paragraph 65, fig. 4), whether the subevent as the event is e.g., matches a subevent filter (fig. 6, paragraphs 80-83); “in response to determining that the event is……, updating the global state based on the key for the event to generate an updated global state that indicates ……” as in response to a determination that event is the subevent filter, update the data state, which is stored in a security event state table in a remote storage and accessed by one or more applications or servers for updating (fig. 3, paragraphs 79, 86, 90), is represented as a global state (paragraph 65, fig. 4), based on the timestamp of the subevent as the key for the event to generate the updated data state as an updated global state that indicates a new security event has occurred (paragraph 82-84, fig. 6). For example, a subevent processing microservice 340 may update one or more subevent counters, subevent data fields, timestamp fields, security event state data, etc. As described above in reference to FIGS. 4-5, updating the state data may include incrementing/decrementing one or more counters, storing one or more timestamps or other data included with or derived from the associated subevent, determining a next state from a state table based on the subevent matching an associated filter (paragraph 82). At block 610, in response to determining that the updated state data indicates that a new security event has occurred, security event data is generated. For example, a subevent processing microservice 340 may generate a message, notification, log entry, or any other type of data to indicate that the security event has occurred. The security event data may include data from one or more of the subevents that triggered the security event, based on one or more of the security event state items stored in association with the corresponding security event definition, or based on any other source of information related to the comprising subevents. For example, if a subevent processing microservice 340 detects an occurrence of a brute-force password attack security event, the microservice may generate security event state data indicating the type of security event, one or more source and/or destination IP addresses associated with the event, a time at which the attack started or ended, etc (paragraph 84). For example, each of security event states 740-760 may correspond to one of a plurality of states of a state table stored in association with the security event definition for the malware security event. In this example, state A 740 is an initial default state at which zero matching subevents are recorded. Thus, state data associated with the state A 740 indicates a subevent counter 742 value of “0”, a subevent data 744 value of “0”, and a subevent timestamp value of “0” (paragraph 90). Claims 24, 27, 31, 38 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja in view of Chris and Wi and further in view of FÄRNLÖF et al (or hereinafter “Fa”) (US 20220159061) As to claims 24, 31, 38, Ahuja and Chris teach limitation “wherein the second stage process is configured to” as the second action as a second stage process to (Ahuja: paragraphs 33-34, 58) obtain the new event (Chris: paragraph 131; Chris: figs. 4-5, paragraphs 103-104) or “program instructions that when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to” as instructions that executed by a processor to perform the action of the actions to (Ahuja: paragraphs 33-34, 58) obtain the new event (Chris: paragraph 131; Chris: figs. 4-5, paragraphs 103-104). Ahuja and Chris do not explicitly teach limitation send at least a portion of the global state to the first stage process to update a local state of the first stage process. Fa teaches limitation “send at least a portion of the global state to the first stage process to update a local state of the first stage process” as publish update(s) of the global state as a portion of the global state to a first sequencer service of a node e.g., client as the first stage process to write the update(s) into a locally maintained copy of the global state that exists in shared memory on each one of the nodes (abstract, fig. 1A, 8, paragraphs 126-130, 133). Writing the update(s) into a locally maintained copy of the global state that exists in shared memory on each one of the nodes is representing as updating a local state of the first stage process. In particularly, one of the computing nodes includes a sequencer service that receives updates from the plurality of computing nodes. The sequencer service maintains or annotates messages added to the global state of the system. Updates to the global state are published to the plurality of computing nodes. Monitoring services on the other computing nodes write the updates into a locally maintained copy of the global state that exists in shared memory on each one of the nodes. Client computer processes on the nodes may then subscribe to have updates “delivered” to the respective client computer processes (abstract). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Fa’s teaching to Ahuja’s system in order to allow for faster processing and decreased usage of network bandwidth as the content of the message may be irrelevant to the sequencer service and its logical location within the global state of the distributed system. As to claims 27, 34, Ahuja and Chris teach limitation “wherein the second stage process is configured to:” as the second action as a second stage process to (Ahuja: paragraphs 33-34, 58); “output the additional event as an additional new event” as to obtain the next new even as additional new event (Chris: paragraph 131). Ahuja and Chris do not explicitly teach limitation send at least a portion of the global state to the first stage process of the other computing node and to the first stage process of the additional computing node. Fa teaches limitations “send at least a portion of the global state to the first stage process of the other computing node and to the first stage process of the additional computing node” as publish updates of the global state as a portion of the global state to a first sequencer service of first computing node e.g., client 110A or 112A as other computing node and a second sequencer of second computing node e.g., client 110B or 112B as the additional computing node (abstract, fig. 1A, 8, paragraphs 126-130, 133). In particularly, one of the computing nodes includes a sequencer service that receives updates from the plurality of computing nodes. The sequencer service maintains or annotates messages added to the global state of the system. Updates to the global state are published to the plurality of computing nodes. Monitoring services on the other computing nodes write the updates into a locally maintained copy of the global state that exists in shared memory on each one of the nodes. Client computer processes on the nodes may then subscribe to have updates “delivered” to the respective client computer processes (abstract). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Fa’s teaching to Ahuja’s system in order to allow for faster processing and decreased usage of network bandwidth as the content of the message may be irrelevant to the sequencer service and its logical location within the global state of the distributed system. Claims 25, 32, 39 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja in view of Chris and Wi and further in view of Sawyer et al (US 20140379586). As to claims 25, 32, 39, Ahuja and Chris teach limitation “wherein the second stage process is configured to:” as the second action as a second stage process to (Ahuja: paragraphs 33-34, 58) or “program instructions that when executed on or across the one or more processors further cause the one or more processors to implement the second stage process to” as instructions that executed by a processor to perform the second action of the actions as the second state process to (Ahuja: paragraphs 33-34, 58); “receive, from the first stage process of the other computing node, ……that corresponds to another event obtained by the first stage process” as receive, from application(s) or microservice(s) (Ahuja: paragraph 57), subevent(s) that correspond to network message as another event sent by (Ahuja: paragraph 89) a first process as the first stage process (Chris: paragraph 28); “in response to reception of……, update a global state based on a key for the other event or in response to receiving of……, updating a global state based on a key for the other event” as in response to the receiving a second subevent (Ahuja: paragraphs 51-52), determining that second subevent is the subevent filter, and then updating the data state, which is stored in a security event state table in a remote storage and accessed by one or more applications or servers for updating (Ahuja: fig. 3, paragraphs 79, 86, 90), is represented as a global state (Ahuja: paragraph 65, fig. 4), based on a second timestamp as key of the second subevent as the other event (Ahuja: paragraph 82-84, fig. 6). Ahuja and Chris do not explicitly teach limitation a promote state event; the promote state event. Sawyer teaches limitations a promote state event; the promote state event (as newer state event as a promote state event that is used to move the item from its current state on the mobile device 500 to its newer state in the event, for example including updating icon repository file 582: paragraph 127). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Sawyer’s teaching to Ahuja’s system in order to allow for communication between a remote synchronization client and remote devices and further to reduce data duplication stored in storage device. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Contact Information Any inquiry concerning this communication or earlier communications from the examiner should be directed to CAM-Y T TRUONG whose telephone number is (571)272-4042. The examiner can normally be reached (571) 272 4042. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHERIEF BADAWI can be reached at (571) 272-9782. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /CAM Y T TRUONG/Primary Examiner, Art Unit 2169