DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2021-01-22 has been entered.


Response to Amendment
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is in reply to papers filed on 2021-02-10.  Claims 1-4, 7-11, 14-18, 21 are pending. Claims 1, 8, 15 is/are independent.


Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive.
With respect to claim(s) 1 (see page(s) 10 of Applicant’s Remarks), Applicant argues that the prior art of record (in particular, U.S. Publication 20190124104 to Apostolopoulos (hereinafter "Apostolopoulos '104")) does not disclose:
allowing a third party to manually search the one or more artifacts concerning the security event including: receiving a unified search query from the third party concerning a plurality of security-relevant subsystems; parsing the unified query to define a specific query for each of the plurality of security-relevant 
However, Apostolopoulos '104 does disclose ad hoc user queries [Apostolopoulos '104 ¶ 0051-0052] from third party users [Apostolopoulos '104 ¶ 0081, 0050, 0095].  These queries are run against centrally stored merged reformatted data or are mapped to run against centrally stored copies of raw data from various network security devices [Apostolopoulos '104 ¶ 0052, 0133-0134].  While Examiner agrees that Apostolopoulos '104 does not disclose the limitation "providing the respective specific query to each of the plurality of security-relevant subsystems", U.S. Publication 20100125574 to Navas (hereinafter "Navas '574") discloses this subject matter [Navas '574 ¶ 0059-0062, Fig. 2, 0066-0068, Fig. 3].  As detailed in the rejections it would have been obvious to have modified Apostolopoulos '104 with this feature of Navas '574.  Accordingly, Applicant's arguments are unpersuasive.
Applicant’s arguments with respect to the remaining claim(s) is/are based on Applicant’s arguments with respect to claim(s) 1 and have been considered as detailed above.


Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 2021-02-10, 2021-01-25, 2020-12-17 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto.


Claim Rejections - 35 U.S.C. § 112
The following is a quotation of 35 U.S.C. § 112(b):

Claim(s) 1-4, 7-11, 14-18, 21 is/are rejected under 35 U.S.C. § 112(b) or 35 U.S.C. § 112 ¶ 2 (pre-AIA) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
In claim 1, the phrase "receiving a unified search query from the third party concerning a plurality of security-relevant subsystems" makes the claims ambiguous and therefore indefinite.  Because the claim fails to clearly state which of multiple possible antecedents the phrase "a plurality of security-relevant subsystems" relates to, the claim is amenable to multiple plausible constructions (e.g., that this is identical to the plurality recited earlier in the claim, or that it is a different plurality), leaving a person having ordinary skill in the art unable to determine what the Applicant does and does not regard as the invention.  See Ex parte Kenichi Miyazaki, 89 U.S.P.Q. 2d 1207, *11 (BPAI 2008).  Claims 8, 15 suffer similar defects mutatis mutandis.
Dependent claims 1-4, 7-11, 14-18, 21 are rejected for the reasons presented above with respect to rejected claims 1, 8, 15 and in view of their dependence thereon.


Summary of Claim Rejections under 35 U.S.C. § 103
The following table summarizes the rejections set forth in detail below of the claims over the prior art.


Claim	Apostolopoulos '104 in view of Navas '574
1	✓
2	✓
3	✓
4	✓
7	✓
8	✓
9	✓
10	✓
11	✓
14	✓
15	✓
16	✓
17	✓
18	✓
21	✓



Claim Rejections - 35 U.S.C. § 103
The following is a quotation of the appropriate paragraphs of AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. § 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 1-4, 6-11, 13-18, 20-21 is/are rejected under 35 U.S.C. § 103 as being unpatentable over U.S. Publication 20190124104 to Apostolopoulos (hereinafter "Apostolopoulos '104") in view of U.S. Publication 20100125574 to Navas (hereinafter "Navas '574").  Apostolopoulos '104 is prior art to the claims under 35 U.S.C. § 102(a)(2).  Navas '574 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).
Per claim 1 (independent):
Apostolopoulos '104 discloses a computer-implemented method, executed on a computing device (method of combining and analyzing security data [Apostolopoulos '104 Abstract, ¶ 0038])
Apostolopoulos '104 discloses receiving platform information from a plurality of security-relevant subsystems, the plurality of security-relevant subsystems including one or more of Content Delivery Network systems, Database Activity Monitoring systems, User Behavior Analytic systems, Mobile Device Management systems, Identity and Access Management systems, Domain Name Server systems, a data lake, a security-relevant software application, and a resource external to the computing platform (ingests security data from diverse subsystems [Apostolopoulos '104 ¶ 0044, 0048]; ingests security data from, e.g., security agent on client machines [Apostolopoulos '104 ¶ 0066], content delivery system [Apostolopoulos '104 ¶ 0059], identity system [Apostolopoulos '104 ¶ 0127], DNS [Apostolopoulos '104 ¶ 0127])
Apostolopoulos '104 discloses processing the platform information to generate processed platform information (parses incoming security data from various formats [Apostolopoulos '104 ¶ 0044, 0050, 0053, 0124, Fig. 7]; stores reformatted event data [Apostolopoulos '104 ¶ 0140, 0150, 0083, 0221, 0226, 0235]; constructs graph of stored events [Apostolopoulos '104 ¶ 0145-0154, 0204, 0210])
Apostolopoulos '104 discloses processing the platform information includes scanning the platform information to detect security events (monitors system and scans for threats and anomalies [Apostolopoulos '104 ¶ 0100-0120, 0137-0140, 0063-0067])
Apostolopoulos '104 discloses obtaining one or more artifacts concerning the security event; obtaining artifact information concerning the one or more artifacts from one or more investigations resources; and generating a conclusion concerning the security event (obtains third-party data and historical data [Apostolopoulos '104 ¶ 0106, 0109, 0112, 0126, 0131], e.g. reputation data or whitelists or blacklists [Apostolopoulos '104 ¶ 0166-0167, 0190, 0243], related to the detected event and uses such information to evaluate the event [Id.])
Apostolopoulos '104 discloses assigning a threat level to the security events (assigns threat scores [Apostolopoulos '104 ¶ 0179, 0194-0196])
Apostolopoulos '104 discloses identifying less threat-pertinent content included within the processed content, as compared to other threat-pertinent content, included within the processed platform information (forwarder separates raw data and routes data based on criteria [Apostolopoulos '104 ¶ 0075-0076, 0083]; routes pre-specified data to real-time analyzer, while storing other data for later batch analysis [Apostolopoulos '104 ¶ 0043, 0049, 0121, 0161-0162, 0235]; for efficiency, real-time analysis uses limited 
Apostolopoulos '104 discloses routing the less threat-pertinent content to a long term storage system (routes pre-specified data to real-time analyzer, while storing other data for later batch analysis [Apostolopoulos '104 ¶ 0043, 0049, 0121, 0161-0162, 0235]; forwarder separates raw data and routes data based on criteria [Apostolopoulos '104 ¶ 0075-0076, 0083]; stores anomaly event data in long-term storage [Apostolopoulos '104 ¶ 0221] )
Apostolopoulos '104 discloses allowing a third party to manually search the one or more artifacts concerning the security event (third parties search historical data [Apostolopoulos '104 ¶ 0081, 0050, 0095]; late-binding schema allows users to write new formulae into manual queries until the moment those queries are executed [Apostolopoulos '104 ¶ 0051-0052]; searches may be run against processed data or stored raw data [Apostolopoulos '104 ¶ 0052, 0133-0134])
Apostolopoulos '104 discloses receiving a unified search query from the third party concerning a plurality of security-relevant subsystems (late-binding schema allows users to write new formulae into manual queries until the moment those queries are executed [Apostolopoulos '104 ¶ 0051-0052]; searches may be run against processed data or stored raw data [Apostolopoulos '104 ¶ 0052, 0133-0134])
Apostolopoulos '104 discloses parsing the unified query to define a specific query for each of the plurality of security-relevant subsystems (late-binding schema allows users to write new formulae into manual queries until the moment those queries are executed [Apostolopoulos '104 ¶ 0051-0052]; searches may be run against processed data or stored raw data [Apostolopoulos '104 ¶ 0052, 0133-0134])
Apostolopoulos '104 does not disclose providing the respective specific query to each of the plurality of security-relevant subsystems
Further:
Navas '574 discloses allowing a third party to manually search the one or more artifacts concerning the security event (LE node 210 receives query for LE system 200 and parses query into component parts Q1-Q4 and routes them to the data sources 230, 240, 250 [Navas '574 ¶ 0059-0061, Fig. 2]; third party queries  [Navas '574 ¶ 0074])
Navas '574 discloses receiving a unified search query from the third party concerning a plurality of security-relevant subsystems (LE node 210 receives query for LE system 200 and parses query into component parts Q1-Q4 and routes them to the data sources 230, 240, 250 [Navas '574 ¶ 0059-0061, Fig. 2]; third party queries  [Navas '574 ¶ 0074])
Navas '574 discloses parsing the unified query to define a specific query for each of the plurality of security-relevant subsystems (LE node 210 receives query for LE system 200 and parses query into component parts Q1-Q4 and routes them to the data sources 230, 240, 250 [Navas '574 ¶ 0059-0061, Fig. 2]; third party queries  [Navas '574 ¶ 0074])
Navas '574 discloses providing the respective specific query to each of the plurality of security-relevant subsystems (LE node 210 receives query for LE system 200 and parses query into component parts Q1-Q4 and routes them to the data sources 230, 240, 250 [Navas '574 ¶ 0059-0061, Fig. 2]; third party queries [Navas '574 ¶ 0074]; separates event queries into component parts and combines results, e.g. data objects, actionable content, etc., from subsystems [Navas '574 ¶ 0059-0060, 0062, 0066-0068, Fig. 3])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Apostolopoulos '104 with the query routing of Navas '574 to arrive at an apparatus, method, and product including:
allowing a third party to manually search the one or more artifacts concerning the security event
receiving a unified search query from the third party concerning a plurality of security-relevant subsystems
parsing the unified query to define a specific query for each of the plurality of security-relevant subsystems
providing the respective specific query to each of the plurality of security-relevant subsystems
A person having ordinary skill in the art would have been motivated to combine them at least because routing manual queries to the individual data sources as in Navas '574 would allow the security system of Apostolopoulos '104 the additional flexibility to query additional data fields that were not being routinely collected and stored in centralized storage.  A person having ordinary skill in the art would have been further motivated to combine them at least because Navas '574 teaches [Navas '574 ¶ 0059-0061, Fig. 2] modifying a security event monitoring and analysis system [Apostolopoulos '104 Abstract, ¶ 0038, 0044, 0048] such as that of Apostolopoulos '104 to arrive at the claimed invention; because doing so constitutes use of a known technique (routing of ad hoc queries back to originating data sources [Navas '574 ¶ 0059-0061, Fig. 2]) to improve similar devices and/or methods (security event monitoring and 
Per claim 2 (dependent on claim 1):
Apostolopoulos '104 in view of Navas '574 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Apostolopoulos '104 discloses parsing the platform information into a plurality of subcomponents to allow for compensation of varying formats and/or nomenclature (parses incoming security data from various formats [Apostolopoulos '104 ¶ 0044, 0050, 0053, 0124, Fig. 7]; stores reformatted event data [Apostolopoulos '104 ¶ 0140, 0150, 0083, 0221, 0226, 0235])
Per claim 3 (dependent on claim 1):
Apostolopoulos '104 in view of Navas '574 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Apostolopoulos '104 discloses enriching the platform information by including supplemental information from external information resources (third-party data [Apostolopoulos '104 ¶ 0106-0111, 0194, 0119-0120, 0126])
Per claim 4 (dependent on claim 1):
Apostolopoulos '104 in view of Navas '574 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Apostolopoulos '104 discloses utilizing artificial intelligence to identify one or more patterns defined within the platform information (machine learning identifies anomalies and threat indicators  [Apostolopoulos '104 ¶ 0118, 0162])
Per claim 7 (dependent on claim 1):
Apostolopoulos '104 in view of Navas '574 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Apostolopoulos '104 discloses allowing the third-party to access and search the long term storage system (third parties search historical data [Apostolopoulos '104 ¶ 0081, 0050, 0095])
Per claim 8 (independent):
Apostolopoulos '104 discloses a computer program product residing on a computer readable medium having a plurality of instructions stored thereon which, when executed by a processor, cause the processor to perform operations (memory, processor, computer readable medium, executable instructions [Apostolopoulos '104 ¶ 0266-0268])
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 9 (dependent on claim 8):
Apostolopoulos '104 in view of Navas '574 discloses the elements detailed in the rejection of claim 8 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 2 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 10 (dependent on claim 8):
Apostolopoulos '104 in view of Navas '574 discloses the elements detailed in the rejection of claim 8 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 3 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 11 (dependent on claim 8):
Apostolopoulos '104 in view of Navas '574 discloses the elements detailed in the rejection of claim 8 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 4 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 14 (dependent on claim 8):
Apostolopoulos '104 in view of Navas '574 discloses the elements detailed in the rejection of claim 8 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 7 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 15 (independent):
Apostolopoulos '104 discloses a computing system including a processor and memory configured to perform operations (memory, processor, computer readable medium, executable instructions [Apostolopoulos '104 ¶ 0266-0268])
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 16 (dependent on claim 15):
Apostolopoulos '104 in view of Navas '574 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 2 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 17 (dependent on claim 15):
Apostolopoulos '104 in view of Navas '574 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 3 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 18 (dependent on claim 15):
Apostolopoulos '104 in view of Navas '574 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 4 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 21 (dependent on claim 15):
Apostolopoulos '104 in view of Navas '574 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 7 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THEODORE C PARSONS whose telephone number is (571)270-1475.  The examiner can normally be reached on MTWRF 7:30-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.