Qomplx LLC v. Microsoft Corp

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: Qomplx LLC (New York)
  • Defendant: Microsoft Corporation (Washington)
  • Plaintiff’s Counsel: Irell & Manella LLP
• Case Identification: 1:25-cv-01383, W.D. Tex., 08/28/2025
• Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Microsoft maintains regular and established places of business in the district, including numerous data centers and corporate sales offices, and has committed the alleged acts of infringement within the district.
• Core Dispute: Plaintiff alleges that a range of Defendant’s cloud data analytics and cybersecurity products, including Microsoft Fabric and Microsoft Entra ID, infringe six patents related to large-scale data analysis, risk-based multi-factor authentication, and network threat correlation.
• Technical Context: The technologies at issue address the management and security of large-scale, distributed computer systems, a domain of critical importance for modern enterprise cloud computing and cybersecurity.
• Key Procedural History: The complaint does not allege any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history related to the Asserted Patents.

Case Timeline

Date	Event
2015-10-28	Priority Date for ’424 Patent
2016-04-28	Priority Date for ’663 Patent
2017-10-19	Priority Date for ’934 and ’426 Patents
2021-04-22	Priority Date for ’627 and ’628 Patents
2022-12-27	’663 Patent Issued
2024-11-12	’424 Patent Issued
2025-02-04	’934 Patent Issued
2025-02-18	’426 Patent Issued
2025-05-13	’627 Patent Issued
2025-05-13	’628 Patent Issued
2025-08-28	Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 12,143,424 - “Rapid Predictive Analysis of Very Large Data Sets Using the Distributed Computational Graph”

• Patent Identification: U.S. Patent No. 12,143,424, issued November 12, 2024 (the “’424 Patent”). (Compl. ¶23).

The Invention Explained

• Problem Addressed: The patent asserts that prior art data analysis methods were "too labor intensive and rigid" for very large datasets (Compl. ¶28; ’424 Patent, 4:11-18). Existing data processing "pipelines" were described as "extremely limited" and "rigidly programmed," capable of performing only simple, predefined tasks on data streams (Compl. ¶¶29-30; ’424 Patent, 4:34-40).
• The Patented Solution: The invention proposes a system using a "distributed computational graph" to enable dynamic and efficient analysis of large, unpredictable data streams (Compl. ¶31; ’424 Patent, 4:58-63). The system is designed to "introduce new transformation pipelines just as they are needed," allowing it to scale computing resources up or down to match processing needs, thereby making the overall system more efficient (Compl. ¶¶32, 34; ’424 Patent, 9:35-44). This architecture also provides "the ability to monitor for both operational issues within its components" and "self-modify to maintain optimal operation" (Compl. ¶33; ’424 Patent, 4:49-54).
• Technical Importance: The claimed solution provides improvements to data processing architectures by enabling "smart scaling" that closely matches resource usage to unpredictable data inputs, which can reduce latency and operational costs in cloud computing environments (Compl. ¶34).

Key Claims at a Glance

• The complaint asserts independent claim 1 (Compl. ¶41).
• Claim 1 of the ’424 Patent recites:
  • A distributed computing cluster comprising a first plurality of computer systems, where each system stores data representing a portion of a distributed computational graph that describes data flow between a first and second transformation pipeline.
  • A first computer system is configured to receive a first data stream, apply the first transformation pipeline to generate first output messages, process stored data to determine information about the second transformation pipeline, and transmit the output messages to a second computer system.
  • The second computer system is configured to receive the first output messages and apply the second transformation pipeline to generate second output messages.
  • A third computer system from the first plurality is configured to cause a fourth computer system from a second plurality to execute instructions applying at least one of the transformation pipelines.
• The complaint alleges infringement of "one or more claims," reserving the right to assert additional claims (Compl. ¶39).

U.S. Patent No. 12,218,934 - “Contextual and Risk-Based Multi-Factor Authentication”

• Patent Identification: U.S. Patent No. 12,218,934, issued February 4, 2025 (the “’934 Patent”). (Compl. ¶58).

The Invention Explained

• Problem Addressed: The patent identifies a key fault in conventional multi-factor authentication (MFA) systems: an "over-reliance on a single method of delivery" (Compl. ¶64; ’426 Patent, col. 2:28-29). This vulnerability means that if a single delivery channel, such as a user's email, is compromised, an attacker can trivially reset passwords and intercept one-time codes for other accounts (Compl. ¶64).
• The Patented Solution: The invention claims a contextual, risk-based authentication system that stores information about each access request in a "multidimensional time-series database" (Compl. ¶66; ’426 Patent, col. 18:14-16). The system retrieves historical access information to determine if a current request is "anomalous relative to a baseline profile of access requests" (Compl. ¶66; ’426 Patent, col. 8:23-35). If an anomaly is detected, the system selects an appropriate additional verification method from multiple available options, dynamically adjusting the security requirements based on the perceived risk (Compl. ¶66).
• Technical Importance: This approach improves computer security by moving beyond static MFA rules and dynamically tailoring authentication strength to the context and risk of a specific login attempt, thereby mitigating the risk of cyberattacks that exploit single-channel vulnerabilities (Compl. ¶¶67-68).

Key Claims at a Glance

• The complaint asserts independent claim 1 (Compl. ¶73).
• Claim 1 of the ’934 Patent recites:
  • A computer system configured to receive an authentication request comprising an identifier and password.
  • The system stores information about the request in a multidimensional time-series database.
  • It determines if an additional verification is required by retrieving historical information from the database and determining if the user account is associated with a previous, anomalous access request to a network resource.
  • If additional verification is required, the system selects a method from a plurality of options, prompts the client to complete it, and determines if it was completed correctly.
• The complaint alleges infringement of "one or more claims," reserving the right to assert additional claims (Compl. ¶71).

U.S. Patent No. 12,231,426 - “Contextual and Risk-Based Multi-Factor Authentication”

• Patent Identification: U.S. Patent No. 12,231,426, issued February 18, 2025 (the “’426 Patent”). (Compl. ¶90).
• Technology Synopsis: The ’426 Patent, sharing a similar specification with the ’934 Patent, addresses MFA systems' "over-reliance on a single method of delivery" (Compl. ¶96). The solution uses a multidimensional time-series database to store historical access information and determine if a request is anomalous, specifically when the request involves a "second identifier not associated with the first user account," which then triggers the selection of an appropriate verification method (Compl. ¶98).
• Asserted Claims: Claim 1 is asserted (Compl. ¶105).
• Accused Features: The complaint accuses the Microsoft Entra ID product family of infringement (Compl. ¶¶103-104).

U.S. Patent No. 12,301,627 - “Correlating Network Event Anomalies Using Active and Passive External Reconnaissance to Identify Attack Information”

• Patent Identification: U.S. Patent No. 12,301,627, issued May 13, 2025 (the “’627 Patent”). (Compl. ¶122).
• Technology Synopsis: The patent addresses the inadequacy of prior art "cybersecurity rating methods" (Compl. ¶128). The invention provides a system that represents network entities and relationships in a directed graph, analyzes streaming data to update the graph with new entities or relationships, and identifies potential multi-hop attack paths by calculating which other entities are reachable from a given entity (Compl. ¶¶130, 138).
• Asserted Claims: Claim 1 is asserted (Compl. ¶138).
• Accused Features: The complaint accuses Microsoft Security Exposure Management (“MSEM”) of infringement (Compl. ¶¶136-137).

U.S. Patent No. 12,301,628 - “Correlating Network Event Anomalies Using Active and Passive External Reconnaissance to Identify Attack Information”

• Patent Identification: U.S. Patent No. 12,301,628, issued May 13, 2025 (the “’628 Patent”). (Compl. ¶158).
• Technology Synopsis: The ’628 Patent also addresses deficiencies in prior art cybersecurity rating methods (Compl. ¶164). The claimed system represents a network as a directed graph, modifies the graph based on streaming event data, and for an anomalous event, performs correlations to identify related nodes and event flows that could be part of a cyberattack, generating a second graph to represent these flows (Compl. ¶¶166, 174).
• Asserted Claims: Claim 1 is asserted (Compl. ¶174).
• Accused Features: The complaint accuses Microsoft Fusion, including Microsoft Sentinel and Microsoft Defender, of infringement (Compl. ¶¶172-173).

U.S. Patent No. 11,539,663 - “System and Method for Midserver Facilitation of Long-Haul Transport of Telemetry for Cloud-Based Services”

• Patent Identification: U.S. Patent No. 11,539,663, issued December 27, 2022 (the “’663 Patent”). (Compl. ¶192).
• Technology Synopsis: The patent addresses security and bandwidth problems arising from having thousands of individual devices in an enterprise network connect separately to a cloud service (Compl. ¶¶197-198). The solution uses a "midserver" to act as a gateway that collects, aggregates, and transforms data from local devices before retransmitting it as a single, secure data stream to the cloud, thereby reducing the network's attack surface (Compl. ¶¶199, 203).
• Asserted Claims: Claim 1 is asserted (Compl. ¶208).
• Accused Features: The complaint accuses Azure Monitor pipeline at edge (“Edge Pipeline”) and Azure Monitor of infringement (Compl. ¶¶206-207).

III. The Accused Instrumentality

Product Identification

The complaint accuses multiple Microsoft products: Microsoft Fabric (specifically the Real-Time Intelligence tool and Eventstream); the Microsoft Entra ID product family; Microsoft Security Exposure Management (MSEM); Microsoft Fusion (including Microsoft Sentinel and Microsoft Defender); and Azure Monitor pipeline at edge (“Edge Pipeline”) (Compl. ¶¶39, 71, 103, 136, 172, 206).

Functionality and Market Context

• Microsoft Fabric is alleged to be a unified data analytics platform that runs on a distributed computer cluster (Compl. ¶¶43-44). Its "Eventstream" feature is described as allowing users to define and execute a "distributed computational graph that describes the flow of data between transformation pipeline elements" (Compl. ¶45). A screenshot in the complaint depicts Eventstream receiving data from various input feeds such as Azure Event Hubs and custom applications (Compl. p. 12). Another screenshot illustrates a "no-code experience" for designing event data processing logic using transformations like "Filter," "Aggregate," and "Group by" (Compl. p. 14).
• Microsoft Entra ID is described as a cloud-hosted login system that implements multi-factor authentication, including risk-based policies (Compl. ¶75). The complaint alleges it uses a multi-dimensional time-series database related to the Kusto platform to store historical user data and analyze real-time and offline behavior to determine if an access request is anomalous and requires additional verification steps (Compl. ¶¶78-79). A provided screenshot shows an Entra ID prompt asking a user to approve a sign-in request using the Microsoft Authenticator app (Compl. p. 24).

IV. Analysis of Infringement Allegations

’424 Patent Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
A distributed computing cluster comprising: a first plurality of computer systems...	Microsoft Fabric is a data analytics platform running on a distributed computer cluster that includes an auto-scaling plurality of computer systems.	¶¶43-44	col. 1:55-60
wherein the respective first data represents a respective portion of a distributed computational graph and wherein the distributed computational graph describes a flow of output data of a first transformation pipeline to an input of a second transformation pipeline...	Fabric's Eventstream allows a user to define and execute a distributed computational graph that describes the flow of data between transformation pipeline elements.	¶45	col. 4:58-63
wherein a first computer system... is configured to: receive a first stream of input data from a first input feed,	Eventstream is configured to receive input data from various feeds, such as Azure Event Hubs, Azure IoT Hub, and custom applications.	¶46	col. 15:35-40
process the first stream of input data substantially in real time by executing software instructions that apply the first transformation pipeline... to generate first pipeline output messages... and transmit the first pipeline output messages to a second computer system...	Fabric is configured with processing steps that apply transformation pipelines to receive, process, and transmit streams of data in real time. These transformations run across "Capacity Units" which map to multiple computer systems.	¶¶47-48	col. 4:31-34
wherein a third computer system of the first plurality of computer systems is configured to execute software instructions that cause a fourth computer system of the second plurality of computer systems to execute software instructions that apply at least one of the first transformation pipeline and the second transformation pipeline.	Fabric uses an autoscaler that, on an as-needed basis, automatically recruits additional computer systems to apply processing pipelines.	¶49	col. 9:35-44

• Identified Points of Contention:
  • Scope Questions: The claim requires a "third computer system" causing a "fourth computer system" to execute instructions. The complaint's theory relies on an "autoscaler" fulfilling this role. This raises the question of whether an "autoscaler" function can be legally construed as a "third computer system" distinct from the first and second, and whether the dynamically provisioned resources it recruits constitute a "fourth computer system" from a "second plurality of computer systems."
  • Technical Questions: Claim 1 requires the first computer system to "process the respective first data stored in the memory... to determine information about the second transformation pipeline." The complaint alleges Eventstream executes a user-defined graph. What evidence does the complaint provide that the accused system dynamically determines information about the next pipeline from stored data, as opposed to merely executing a pre-configured, static data flow path?

’934 Patent Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
store, in a multidimensional time-series database, information about the request,	Microsoft's cloud systems, including Entra ID, allegedly rely on the Kusto platform, which is described as a powerful tool for managing multiple dimensions of time-series data and is used to store information about user login events.	¶¶77-78	col. 2:60-61
retrieving, from the multidimensional time-series database, historical information about previous access requests associated with the user account,	Entra ID stores and retrieves historical data about correct and incorrect password usage and other user behaviors to determine risk profiles.	¶¶77, 79	col. 8:23-35
and determining... whether the user account is associated with a previous access request to a network resource, wherein the previous access request to the network resource is anomalous relative to a baseline profile of access requests;	Entra ID uses data about the real-time and offline behavior of users to determine whether a current access request is anomalous relative to a baseline and should trigger MFA.	¶79	col. 8:30-35
select an additional verification method from a plurality of verification methods,	Entra ID supports and selects from multiple verification methods, including Microsoft Authenticator, Windows Hello for Business, and voice calls.	¶80	col. 2:36-40
cause the client to be prompted to complete the additional verification method, and determine whether the additional verification method has been completed correctly.	A Microsoft tutorial shows Entra ID prompting a client to complete verification via the Microsoft Authenticator app. Microsoft's documentation allegedly explains that Entra ID implements and manages the entire MFA process for natively supported methods.	¶¶81-82	col. 4:6-9

• Identified Points of Contention:
  • Scope Questions: The infringement theory depends on Microsoft's Kusto platform meeting the claim definition of a "multidimensional time-series database." The scope of this term will be a central point of dispute.
  • Technical Questions: The claim requires determining if the user account is associated with a previous access request that was itself "anomalous." The complaint alleges Entra ID analyzes a user's historical behavior to determine if the current request is anomalous. This raises a key technical question: does analyzing a historical behavioral profile to assess a current event meet the claim limitation of identifying a discrete, prior event that was itself anomalous?

V. Key Claim Terms for Construction

U.S. Patent No. 12,143,424

• The Term: "distributed computational graph"
• Context and Importance: This term is the central technical concept of the ’424 Patent. The viability of the infringement allegation against Microsoft Fabric's Eventstream feature, which allows users to define data flows, hinges on whether such user-configured diagrams fall within the patent's definition of this term.
• Intrinsic Evidence for Interpretation:
  • Evidence for a Broader Interpretation: The patent specification describes the invention as proposing "a system for rapid predictive analysis of very large data sets using a distributed computational graph" (’424 Patent, col. 4:58-63), which may suggest the term broadly covers any graphical representation of data transformations in a distributed system.
  • Evidence for a Narrower Interpretation: The specification repeatedly emphasizes the system’s ability to "introduce new transformation pipelines just as they are needed" and to "self-modify to maintain optimal operation" (Compl. ¶¶32-33). Practitioners may focus on this language to argue that the term is limited to graphs that are dynamically and autonomously generated or modified by the system itself in response to real-time conditions, rather than static, user-defined data flow diagrams.

U.S. Patent No. 12,218,934

• The Term: "multidimensional time-series database"
• Context and Importance: This term defines the specific type of data store required by claim 1. The infringement case against Microsoft Entra ID relies on the allegation that its underlying Kusto data platform is such a database. The construction of this term is therefore critical.
• Intrinsic Evidence for Interpretation:
  • Evidence for a Broader Interpretation: The complaint alleges that Kusto is described by Microsoft as a "powerful tool for exploring your data and discovering patterns, identifying anomalies and outliers," and that it is used by many Microsoft services, which may support a plain and ordinary meaning that encompasses any database capable of storing and querying time-series data across multiple dimensions. (Compl. ¶78).
  • Evidence for a Narrower Interpretation: The patent abstract refers to a "multi-dimensional time series data server configured to monitor and record a network's traffic data" (’426 Patent, Abstract). A defendant may argue that this context limits the term to a database specifically structured for network traffic monitoring with particular schemas or performance characteristics, potentially distinguishing it from a more general-purpose analytics platform like Kusto.

VI. Other Allegations

• Indirect Infringement: For each asserted patent, the complaint alleges both induced and contributory infringement. The inducement allegations are based on Microsoft allegedly providing product manuals, advertising, technical support, and other documentation that instruct and encourage customers and end-users to use the accused products in an infringing manner (e.g., Compl. ¶¶52, 84, 116). The contributory infringement allegations state that the accused components are material to the inventions, are not staple articles of commerce, and are known by Microsoft to be especially made for use in an infringing way (e.g., Compl. ¶¶53, 85, 117).
• Willful Infringement: The complaint makes standard allegations of post-suit willfulness, asserting that upon service of the complaint, Microsoft will have explicit written notice of its infringement, and any continued infringing activities will be knowing, intentional, and deliberate (e.g., Compl. ¶¶56, 88, 120). No specific facts supporting pre-suit knowledge are alleged.

VII. Analyst’s Conclusion: Key Questions for the Case

• A core issue will be one of definitional scope: can patent terms rooted in specific technical embodiments, such as "distributed computational graph" and "multidimensional time-series database," be construed broadly enough to read on Microsoft's general-purpose, scalable cloud platforms like Fabric and the Kusto data store?
• A key evidentiary question will be one of functional operation: does the accused Entra ID service, which analyzes a user's historical behavioral profile to assess risk in a current transaction, perform the same function as the claimed invention, which requires identifying a specific previous access request that was itself "anomalous"?
• A central architectural question will be whether the functional components of Microsoft’s complex, auto-scaling cloud services can be mapped to the distinct system elements recited in the claims, such as the "third" and "fourth" computer systems of the ’424 Patent, or if the integrated nature of the accused products creates a mismatch with the claimed architectures.