DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 13 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. Please note that claim 13 fails to further limit the subject matter of claims 8 and 12 as the limitation recited in claim 13 is a duplicate of limitations recited in claim 12. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 8-9, 12-13, 15-16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Loomis et al. (US 2016/0149948 A1), hereinafter, “Loomis 48”, in view of Chakravarty et al. (US 2008/0040191 A1), hereinafter, “Chakravarty”.
Regarding Claims 1, 8 and 15, Loomis 48 discloses a computer-based system and corresponding method and a computer program product, wherein the system comprises: 
a processor and a tangible, non-transitory memory configured to communicate with the processor, the tangible, non-transitory memory having instructions stored thereon that, in response to execution by the processor, cause a security operations system to perform operations (See, Paragraph 0017) comprising: 
generating, by the security operations system, a workflow, wherein the workflow is configured to be automatically executed to address the alarm, and wherein the workflow comprises a first action (See, Paragraph 0020, “After receiving the data in step 
automatically executing, by the security operations system, the first action of the workflow (See, Paragraph 0030, “The method can further include, at 230, performing, at the server, the determined confirmation action. The action can include, at 235, communicating with at least one second sensor or tool. For example, the communicating can include communicating with a threat intelligence feed. The threat intelligence feed may include an email feed, an RSS feed, an API-connected feed or the like. The first sensor or tool can be the same as or different from the second sensor or tool. Other confirmation actions can also be performed”); 
receiving, by the security operations system, a security contextual information in response to a request including characteristics of a threat (See, Paragraphs 0030, “For example, the communicating can include communicating with a threat intelligence feed. 
enriching, by the security operations system, the workflow to generate a second action (See, Paragraph 0033, “updating at least one threat rule based on the processing or the response. For example, a sensitivity or threshold for future use by associated tools can be increased or decreased based on processing the data” and Paragraph 0034, “The method can further include, at 270, executing a mitigation action based on the processing or the response. The mitigation action may include remote locking a terminal, remotely wiping a disk drive, switching to a different firewall or proxy server, requiring a user to re-authenticate, or any other mitigation action desired”); and 
automatically executing, by the security operations system, the second action of the workflow (Paragraph 0034, “The method can further include, at 270, executing a mitigation action based on the processing or the response. The mitigation action may include remote locking a terminal, remotely wiping a disk drive, switching to a different firewall or proxy server, requiring a user to re-authenticate, or any other mitigation action desired”).
Loomis 48 does not explicitly disclose wherein the workflow is customizable, by at least one of adding, removing, or modifying a rule for an action, prior to the security operations system receiving an alarm.

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to provide, in the system of Loomis 48, a record in response to the alarm and populating, by the security operations system, a customizable workflow which is customizable, by at least one of adding, removing, or modifying a rule for an action, prior to a security operations system receiving an alarm as taught by Chakravarty because predefined workflows often have limited flexibility and are not easily customized by a user, and a customizable workflow solves this problem by providing additional flexibility to customize the workflow, which enables the security experts to create and edit workflow instances, which results in greater flexibility (See, Chakravarty, Paragraph 0003).
Regarding Claims 2, 9 and 16, the rejection of claims 1, 8 and 15 is incorporated and the combination of Loomis 48 and Chakravarty further discloses receiving, by the security operations system, the alarm in response to the threat detected on a monitored system, wherein the alarm includes the characteristics of the threat (See, Loomis 48, Paragraph 0028, “a method can include, at 210, receiving, at a server, data from at least one first sensor or tool. The data can be configured to inform the server of an actual or potential threat to at least one computer system or network. The server can be, but does not have to be, a part of the computer system or network under threat. The at least one first sensor or tool can be or include a SIEM tool”).
Regarding Claims 12, 13 and 19, the rejection of claims 8 and 15 is incorporated and the combination of Loomis 48 and Chakravarty further discloses updating, by the security operations system, a form to include the security contextual information (See, Paragraphs 0023, “After the new data set is sent from the SIEM device in step 103, the coordinator can create a new rule set for a connected firewall, including MD5 hashes, uniform resource locators (URLs), or internet protocol (IP) addresses that returned with positive results from any SIEM tool or threat intelligence feeds involved in the process. These new rule sets can be sent to the API-connected firewall in step 104, thus eliminating the need for manual configuration of the new firewall rules” and 0033, “A new threat rule can be generated to watch for similar data in the future. Other updates are also permitted.”).

Claims 6 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Loomis 48 in view of Chakravarty and further in view of Loomis (US 2014/0278664 A1), hereinafter, “Loomis 64”.
Regarding Claim 6, the rejection of claim 1 is incorporated and the combination of Loomis 48 and Chakravarty does not explicitly disclose populating, by the security operations system, a form with the characteristics of the threat, wherein the form is associated with a record and selected in response to a type of the threat.
The combination of Loomis 48 and Chakravarty does not explicitly disclose generating, by the security operations system, a record in response to the alarm and populating, by the security operations system, a form with the characteristics of the 
Loomis 64 discloses generating, by the security operations system, a record in response to the alarm (See, Paragraphs 0012 and 0013) and populating, by the security operations system, a form with the characteristics of the threat, wherein the form is associated with the record and selected in response to a type of the threat (See, Paragraph 0015).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to generate, in the system of Loomis 48 and Chakravarty, a record in response to the alarm and populating, by the security operations system, a form with the characteristics of the threat, wherein the form is associated with the record and selected in response to a type of the threat as taught by Loomis 64 so that “the IR Lead may be prompted to review the values and either accept the default settings and deploy the default roadmap as is or change the settings manually” (See, Loomis 64, Paragraph 0015).
Regarding Claim 7, the rejection of claim 6 is incorporated and the combination of Loomis 48, Chakravarty and Loomis 64 further discloses updating, by the security operations system, the form to include the security contextual data (See, Loomis 48, Paragraphs 0023, “After the new data set is sent from the SIEM device in step 103, the coordinator can create a new rule set for a connected firewall, including MD5 hashes, uniform resource locators (URLs), or internet protocol (IP) addresses that returned with positive results from any SIEM tool or threat intelligence feeds involved in the process. These new rule sets can be sent to the API-connected firewall in step 104, thus .

Claims 3, 5, 10, 14, 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Loomis 48 in view of Chakravarty and further in view of Agbabian (US 7,472,422 B1), hereinafter, “Agbabian”.
Regarding Claims 3, 10 and 17, the rejection of claims 2, 9 and 16 is incorporated and the combination of Loomis 48 and Chakravarty does not explicitly disclose generating, by the security operations system, a record in response to the alarm wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm.
Agbabian discloses generating, by a security operations system, a record in response to an alarm wherein the record includes a severity level assigned to the record (See, Fig. 4A, Numeral 404 and also Column 13, lines 16-25 and lines 51-57, Note: Please note that examiner is interpreting the event of Fig. 3, Numeral 302, as an alarm since it includes event characterization data including a severity level and the event generated by the security management module in step 404 as the claimed record), wherein the severity level is automatically generated based on a threat level identified in the alarm (See, Fig. 4A, Numeral 404, Column 13, lines 16-25 and lines 51-57, Note: the security management module simply adds time stamp data and location data to populate event which is being interpreted as a record and uses the same event characterization data from the event of Fig. 3 which is being interpreted as an alarm).

Regarding Claims 5, 14 and 20, the rejection of claims 1, 8 and 15 is incorporated and the combination of Loomis 48 and Chakravarty does not explicitly disclose generating, by the security operations system, a record in response to the alarm, wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm.
Agbabian discloses generating, by a security operations system, a record in response to an alarm wherein the record includes a severity level assigned to the record (See, Fig. 4A, Numeral 404 and also Column 13, lines 16-25 and lines 51-57, Note: Please note that examiner is interpreting the event of Fig. 3, Numeral 302, as an alarm since it includes event characterization data including a severity level and the event generated by the security management module in step 404 as the claimed record), wherein the severity level is automatically generated based on a threat level identified in the alarm (See, Fig. 4A, Numeral 404, Column 13, lines 16-25 and lines 51-57, Note: 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to generate, in the system of Loomis 48 and Chakravarty, by the security operations system, a record in response to the alarm wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm as taught by Agbabian because this gives the management console the ability to provide some rudimentary event correlation configuration by assigning particular alert-able records with a certain severity level to a specific notification action. It also allows translation of the log into a spoken language on the fly using the language identifier and event type identifier (See, Agbabian, Column 31, line 42 - Column 32, line 3).

Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Loomis 48 in view of Chakravarty and Agbabian and further in view of Loomis 64.
Regarding Claims 4, 11 and 18, the rejection of claims 3, 10 and 17 is incorporated and the combination of Loomis 48, Chakravarty and Agbabian does not explicitly disclose populating, by the security operations system, a form with the characteristics of the threat, wherein the form is associated with the record and selected in response to a type of the threat.
Loomis 64 discloses populating, by the security operations system, a record in response to the alarm (See, Paragraphs 0012 and 0013) and populating, by the security 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to generate, in the system of Loomis 48 and Chakravarty, a record in response to the alarm and populating, by the security operations system, a form with the characteristics of the threat, wherein the form is associated with the record and selected in response to a type of the threat as taught by Loomis 64 so that “the IR Lead may be prompted to review the values and either accept the default settings and deploy the default roadmap as is or change the settings manually” (See, Loomis 64, Paragraph 0015).

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 12 and 18 of U.S. Patent No. US 10,552,615. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1, 12 and 18 of U.S. Patent No. US 10,552,615 anticipate claims 1-20.
Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOGESH PALIWAL whose telephone number is (571)270-1807.  The examiner can normally be reached on M-F 9:00AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph P Hirl, can be reached on 5712723685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/YOGESH PALIWAL/           Primary Examiner, Art Unit 2435