DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
	Applicant’s Remarks, filed November 24th, 2020, has been fully considered and entered. Accordingly, Claims 1-8, 10-11, and 13-23 are pending in this application. Claims 1, 7, 10, 11, 13, 15, 19, 21, and 22 were amended. Claim 12 was canceled. Claim 23 was added. Claims 1, 7, and 19 are independent claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-3, 5-8, 10-11, 14-16, and 18-22 are being rejected under 35 U.S.C. 103 as being unpatentable over Gruss et al. (US 9,601,000 B1) in view of Levi (US 2010/0095381 A1), further in view of Grigoryan et al. (US 2017/0371878 A1).
Regarding claim 1, Gruss teaches a system, comprising:
a non-transitory memory; and one or more hardware processors configured to read instructions from the non-transitory memory to cause the system to (see Gruss, [Column 6, Lines 6-9], “The processing circuitry 64 is constructed and arranged to operate in accordance with the various software constructs 70 stored in the memory 62.”):
receive an indication of an occurrence of a trigger event associated with a plurality of alert items related to a configuration item (CI) of a configuration management database (CMDB) (see Gruss, [Column 4, Lines 48-65], “Each alert 42 can take the form of a notification message indicating that an activity or event has occurred or been detected (e.g., an output from a sensor). As the alert prioritization server 28 receives each incoming alert 42, the alert prioritization server 28 updates count data to represent encounter of that incoming alert 42.”);

However, Gruss does not explicitly teach:
receive an indication of an occurrence of a trigger event associated with a plurality of alert items related to a configuration item (CI) of a configuration management database (CMDB);

Levi teaches:
receive an indication of an occurrence of a trigger event associated with a plurality of alert items related to a configuration item (CI) of a configuration management database (CMDB) (see Levi, Paragraph [0019], “a Risk Analysis Engine 200 is electronically coupled to a configuration management database (CMDB) 210”); 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined Gruss (teaching data-driven alert prioritization) in view of Levi (teaching a device, method and program product for prioritizing security flaw mitigation task in a business service), and arrived at a system that incorporates a configuration management database. One of ordinary skill in the art would have been motivated to make such a combination for the purposes of reporting risks of an organization's IT infrastructure and prioritizing the reported risks so that the risks can be addressed by IT managers in order of importance (see Levi, Paragraph [0002]). In addition, both the references (Gruss and Levi) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as risk management. The close relation between both of the references highly suggests an expectation of success.

The combination of Gruss, and Levi further teaches:
in response to receiving the indication and for each alert item of the plurality of alert items associated with the trigger event: obtain a score value for each of a plurality of categories from a category mapping table, wherein each score value relates to a characteristic or degree of a corresponding category for the respective alert item of the plurality of alert items (see Gruss, [Column 6, Lines 36-47], “the control circuitry establishes particular attributes to use as scoring factors” [Column 8, Lines 36-46], “After normalization, the alert prioritization server 28 combines the raw measures multiplicatively (with an appropriate exponent sign) to produce an internal score for the specific attribute.” Examiner interprets “score value” as “internal score,” and “alert categories” as “attributes.”);
obtain a logarithmic weight value from a category order table corresponding to each of the plurality of categories, wherein each logarithmic weight value relates to an importance or criticality of the corresponding category (see Gruss, [Column 12, Lines 35-53], “different alert types may be associated with different prior severity scores. In this case, one may count an occurrence of an attribute associated with a riskier rule by a weight greater than 1 for the case of positive sign, and vice versa. For example, a high severity rule would be equivalent to 1.5 medium severity rules for the case of positive sign, and to 0.66 medium severity rules for the case of negative sign. Since distinct attributes are counted, and since each attribute may be associated with a different rule severity, the maximum severity associated with the attribute is taken. The internal risk score (or simply internal score, IS) is computed as…”);

However, the combination of Gruss, and Levi do not explicitly teach:
obtain a logarithmic weight value from a category order table corresponding to each of the plurality of categories, wherein each logarithmic weight value relates to an importance or criticality of the corresponding category;

Grigoryan teaches:
obtain a logarithmic weight value from a category order table corresponding to each of the plurality of categories, wherein each logarithmic weight value relates to an importance or criticality of the corresponding category (see Grigoryan, Paragraph [0063], “The weight may be linear, exponential, or logarithmic function with respect to the alert level.”); 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined Gruss (teaching data-driven alert prioritization) in view of Levi (teaching a device, method and program product for prioritizing security flaw see Grigoryan, Paragraph [0064]). In addition, the references (Gruss, Levi, and Grigoryan) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as risk management. The close relation between the references highly suggests an expectation of success.

The combination of Gruss, Levi, and Grigoryan further teaches:
and calculate a priority score for the respective alert item of the plurality of alert items by only adding together products of each score value for the respective alert item of the plurality of alert items and its corresponding logarithmic weight value (see Levi, Paragraph [0032], “Once Risk Analysis Engine 230 has determined a single vulnerability score (SCIx) and a weight (WCIx) for each CI, an overall business service vulnerability score (BSx) is determined for the business service associated with the business services model. An exemplary overall business service vulnerability score (BSx) may be determined based on the following function: BSx=((SCI1*WCI1)+, . . . , +(SCIn*WCIn)), where the overall business service vulnerability score (BSx) is based on the sum of each single vulnerability score (SCIx) multiplied by its single weight (WCIx).”); 
and display the plurality of alert items on a user interface, wherein the plurality of alert items is sorted based on their respective priority scores (see Levi, Figures 4-7, Paragraph [0041], “FIG. 6 illustrates a topology view for a specific business service. This view enables a user to view the asset name, the IP address, the service, and a calculated risk score (on an asset by asset basis).”).  

Regarding claim 2, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 1. Gruss further teaches:
a number of services affected by the respective alert item; a severity level of the respective alert item; a role of the respective alert item; a number of secondary see Gruss, [Column 6, Lines 36-47], “… the control circuitry establishes particular attributes to use as scoring factors… the particular attributes include a source, a destination, an alert type (or rule), and a timestamp, perhaps among other attributes. … these attributes (i.e., source, destination, alert type, and timestamp) can be necessary features of each alert 42.”).

Regarding claim 3, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 1. Gruss, and Levi further teaches:
group the plurality of alert items into one or more groups based on the respective priority scores of the plurality of alert items (see Gruss, [Column 9, Lines 12-21], “For example, the alert prioritization server 28 can sort the alert entries 142 on the list 140 based on overall significance score to form a sorted list 160 of alert entries 142. The sorted list 160 ranks the alert entries based on significance (e.g., with the highest significance alert entries 142 at the top of the sorted list 160. Furthermore, the alert prioritization server 28 can display a sorted and abbreviated list 170 based on the sorted list 160 of alert entries 142.” Also, see Levi, Figures 4-7). 

Regarding claim 5, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 1. Gruss further teaches:
recalculate the priority score for the respective alert item based on the plurality of alert (508) (see Gruss, [Column 13, Lines 11-30], “Once daily recalculate the raw measures for all attributes”).

Regarding claim 6, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 5. Gruss further teaches:
a change in a number of services affected by the respective alert item; a change in number or class of the CI associated with the respective alert item; a change in a number of secondary alert items for the respective alert; an addition of one or see Gruss, [Column 10, Lines 28-36], [Column 12, Lines 35-53], “suppose that a user device gets infected with malware, and the malware propagates to other devices that the user device communicates with. Multiple alerts 42 are triggered on activities of the infected users (i.e., by the user devices), resulting in an increase in the number of alerts 42 per this specific group. Accordingly, this change is identified by the alert prioritization server 28 and higher significance is assigned to these alerts 42.”).

Regarding claim 7, Gruss teaches a non-transitory program storage device, readable by a programmable control device and comprising instructions stored thereon to cause one or more programmable control devices to:   
receive a plurality of alerts related to configuration items (CIs) stored in a configuration management database (CMDB) (see Gruss, [Column 4, Lines 27-29 & 48-56], “The alert prioritization server 28 is constructed and arranged to receive alerts from the other components of the electronic environment 20”); 

However, Gruss does not explicitly teach:
receive a plurality of alerts related to configuration items (CIs) stored in a configuration management database (CMDB);

Levi teaches:
receive a plurality of alerts related to configuration items (CIs) stored in a configuration management database (CMDB) (see Levi, Paragraph [0019], “a Risk Analysis Engine 200 is electronically coupled to a configuration management database (CMDB) 210”); 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined Gruss (teaching data-driven alert prioritization) in view of Levi (teaching a device, method and program product for prioritizing security flaw mitigation task in a business service), and arrived at a machine that incorporates a configuration see Levi, Paragraph [0002]). In addition, both the references (Gruss and Levi) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as risk management. The close relation between both of the references highly suggests an expectation of success.

The combination of Gruss, and Levi further teaches:
receive an indication of an occurrence of a trigger event associated with the plurality of alerts: in response to receiving the indication and for each alert of the plurality of alerts: obtain a score value from a category mapping table for each of a plurality of alert categories, wherein each score value relates to a characteristic or degree of a corresponding alert category for the respective alert of the plurality of alerts (see Gruss, [Column 6, Lines 36-47], “the control circuitry establishes particular attributes to use as scoring factors” [Column 8, Lines 36-46], “After normalization, the alert prioritization server 28 combines the raw measures multiplicatively (with an appropriate exponent sign) to produce an internal score for the specific attribute.” Examiner interprets “score value” as “internal score,” and “alert categories” as “attributes.”);
obtain a logarithmic weight value from a category order table corresponding to each of the plurality of alert categories for each of the plurality of alerts, wherein each logarithmic weight value relates to an importance or a criticality of the corresponding alert category (see Gruss, [Column 12, Lines 35-53], “different alert types may be associated with different prior severity scores. In this case, one may count an occurrence of an attribute associated with a riskier rule by a weight greater than 1 for the case of positive sign, and vice versa. For example, a high severity rule would be equivalent to 1.5 medium severity rules for the case of positive sign, and to 0.66 medium severity rules for the case of negative sign. Since distinct attributes are counted, and since each attribute may be associated with a different rule severity, the maximum severity associated with the attribute is taken. The internal risk score (or simply internal score, IS) is computed as…”);

However, the combination of Gruss, and Levi do not explicitly teach:
obtain a logarithmic weight value from a category order table corresponding to each of the plurality of alert categories for each of the plurality of alerts, wherein each logarithmic weight value relates to an importance or a criticality of the corresponding alert category;

Grigoryan teaches:
obtain a logarithmic weight value from a category order table corresponding to each of the plurality of alert categories for each of the plurality of alerts, wherein each logarithmic weight value relates to an importance or a criticality of the corresponding alert category (see Grigoryan, Paragraph [0063], “The weight may be linear, exponential, or logarithmic function with respect to the alert level.”); 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined Gruss (teaching data-driven alert prioritization) in view of Levi (teaching a device, method and program product for prioritizing security flaw mitigation task in a business service), further in view of Grigoryan (teaching methods and systems to evaluate data center performance and prioritize data center objects and anomalies for remedial actions), and arrived at a machine that incorporates a logarithmic weight value. One of ordinary skill in the art would have been motivated to make such a combination for the purposes of indicating the seriousness of an alert (see Grigoryan, Paragraph [0064]). In addition, the references (Gruss, Levi, and Grigoryan) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as risk management. The close relation between the references highly suggests an expectation of success.

The combination of Gruss, Levi, and Grigoryan further teaches:
and calculate a priority score for the respective alert by only determining a summation of products of each score value for the respective alert with its corresponding logarithmic weight value (see Levi, Paragraph [0032], “Once Risk Analysis Engine 230 has determined a single vulnerability score (SCIx) and a weight (WCIx) for each CI, an overall business service vulnerability score (BSx) is determined for the business service associated with the business services model. An exemplary overall business service vulnerability score (BSx) may be determined based on the following function: BSx=((SCI1*WCI1)+, . . . , +(SCIn*WCIn)), where the overall business service vulnerability score (BSx) is based on the sum of each single vulnerability score (SCIx) multiplied by its single weight (WCIx).”); 
and display the plurality of alert items on a user interface, wherein the plurality of alert items is sorted based on their respective priority scores (see Levi, Figures 4-7, Paragraph [0041], “FIG. 6 illustrates a topology view for a specific business service. This view enables a user to view the asset name, the IP address, the service, and a calculated risk score (on an asset by asset basis).”). 
 
Regarding claim 8, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 7. Gruss further teaches:
a number of services affected by the respective alert; a severity level of the respective alert; a role of the respective alert; a number of secondary alerts for the respective alert; or a class of CIs associated with the respective alert (see Gruss, [Column 6, Lines 36-47], “… the control circuitry establishes particular attributes to use as scoring factors… the particular attributes include a source, a destination, an alert type (or rule), and a timestamp, perhaps among other attributes. … these attributes (i.e., source, destination, alert type, and timestamp) can be necessary features of each alert 42.”).

Regarding claim 10, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 1. Grigoryan further teaches:
wherein each of the plurality of alert categories comprises a different corresponding logarithmic weight value, wherein the corresponding logarithmic weight value comprises a numerical value that is a factor of ten (see Grigoryan, Paragraph [0063], “The weight may be linear, exponential, or logarithmic function with respect to the alert level.”).

Regarding claim 11, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 7. Gruss further teaches:
group the plurality of alerts into one or more groups based on the respective priority scores of the plurality of alerts, where the one or more groups reflect the criticality of respective alerts in each group of the one or more groups (see Gruss, [Column 7, Lines 3-19 & 38-56], [Column 9, Lines 12-21], “the above-listed attributes may be adjusted (e.g., by truncation, by enrichment, etc.) to represent logically related groups of corresponding constructed (or enhanced) attributes. Possible constructed attributes include, by way of example: Source Group—A superset of sources such as all devices of a user's business unit. Destination Group—A superset of destinations such as all devices with a particular prefix in the destination IP address. Alert Type Group—A superset or generalization of particular alert types such as alerts reporting unfamiliar devices (e.g., “login from unfamiliar location”, “new unknown source”, etc.), or alerts reporting blocked access (e.g., “insufficient privileges”, “unsuccessful login”, etc.), and so on. Additionally, one may consider further intersections of attributes, e.g., all communications of the same source and destination group pair.”).

Regarding claim 14, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 7. Gruss further teaches:
recalculate the priority score for the respective alert upon the occurrence of the trigger event (see Gruss, [Column 13, Lines 11-30], “Once daily recalculate the raw measures for all attributes”).


a change in a number of services affected by the respective alert; a change in severity of the respective alert; a change in role of the respective alert; a change in number or class of CI associated with the respective alert; a change in a number of secondary alerts for the respective alert; a passage of a predetermined amount of time; an addition of one or more CIs to the CMDB; or a deletion of one or more CIs from the CMDB (see Gruss, [Column 10, Lines 28-36], [Column 12, Lines 35-53], “suppose that a user device gets infected with malware, and the malware propagates to other devices that the user device communicates with. Multiple alerts 42 are triggered on activities of the infected users (i.e., by the user devices), resulting in an increase in the number of alerts 42 per this specific group. Accordingly, this change is identified by the alert prioritization server 28 and higher significance is assigned to these alerts 42.”).

Regarding claim 16, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 7. Gruss further teaches:
store, as metadata associated with the respective alert, information reflecting how the priority score for the respective alert was calculated (see Gruss, [Column 8, Lines 57-65], “FIG. 4 shows a list 140 of generated alert entries 142(1), 142(2), 142(3), 142(4), 142(5), . . . (collectively, alert entries 142) which is maintained within the alert database 78 (also see FIG. 2).”).

Regarding claim 18, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 7. Gruss, and Levi further teaches:
store, in the CMDB, historical priority score information for the plurality of alerts over a period of time (see Gruss, [Column 2, Lines 41-47], “This list may serve as a historical log of alerts that can later be sorted, further processed, etc.” Also, see Levi, Paragraph [0019], “a Risk Analysis Engine 200 is electronically coupled to a configuration management database (CMDB) 210”). 


receiving a plurality of alerts related to configuration items (CIs) stored in a configuration management database (CMDB) (see Gruss, [Column 4, Lines 27-29 & 48-56], “The alert prioritization server 28 is constructed and arranged to receive alerts from the other components of the electronic environment 20”); 

However, Gruss does not explicitly teach:
receiving a plurality of alerts related to configuration items (CIs) stored in a configuration management database (CMDB); 

Levi teaches:
receiving a plurality of alerts related to configuration items (CIs) stored in a configuration management database (CMDB) (see Levi, Paragraph [0019], “a Risk Analysis Engine 200 is electronically coupled to a configuration management database (CMDB) 210”); 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined Gruss (teaching data-driven alert prioritization) in view of Levi (teaching a device, method and program product for prioritizing security flaw mitigation task in a business service), and arrived at a method that incorporates a configuration management database. One of ordinary skill in the art would have been motivated to make such a combination for the purposes of reporting risks of an organization's IT infrastructure and prioritizing the reported risks so that the risks can be addressed by IT managers in order of importance (see Levi, Paragraph [0002]). In addition, both the references (Gruss and Levi) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as risk management. The close relation between both of the references highly suggests an expectation of success.

The combination of Gruss, and Levi further teaches:
receiving an indication of an occurrence of a trigger event associated with the plurality of alerts: in response to receiving the indication and for each alert of the see Gruss, [Column 6, Lines 36-47], “the control circuitry establishes particular attributes to use as scoring factors” [Column 8, Lines 36-46], “After normalization, the alert prioritization server 28 combines the raw measures multiplicatively (with an appropriate exponent sign) to produce an internal score for the specific attribute.” Examiner interprets “score value” as “internal score,” and “alert categories” as “attributes.”);
obtaining a logarithmic weight value from a category order table corresponding to each of the plurality of alert categories for each of the plurality of alerts, wherein each logarithmic weight value relates to an importance or criticality of the corresponding alert category (see Gruss, [Column 12, Lines 35-53], “different alert types may be associated with different prior severity scores. In this case, one may count an occurrence of an attribute associated with a riskier rule by a weight greater than 1 for the case of positive sign, and vice versa. For example, a high severity rule would be equivalent to 1.5 medium severity rules for the case of positive sign, and to 0.66 medium severity rules for the case of negative sign. Since distinct attributes are counted, and since each attribute may be associated with a different rule severity, the maximum severity associated with the attribute is taken. The internal risk score (or simply internal score, IS) is computed as…”);

However, the combination of Gruss, and Levi do not explicitly teach:
obtaining a logarithmic weight value from a category order table corresponding to each of the plurality of alert categories for each of the plurality of alerts, wherein each logarithmic weight value relates to an importance or a criticality of the corresponding alert category;

Grigoryan teaches:
obtaining a logarithmic weight value from a category order table corresponding to each of the plurality of alert categories for each of the plurality of alerts, wherein see Grigoryan, Paragraph [0063], “The weight may be linear, exponential, or logarithmic function with respect to the alert level.”); 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined Gruss (teaching data-driven alert prioritization) in view of Levi (teaching a device, method and program product for prioritizing security flaw mitigation task in a business service), further in view of Grigoryan (teaching methods and systems to evaluate data center performance and prioritize data center objects and anomalies for remedial actions), and arrived at a method that incorporates a logarithmic weight value. One of ordinary skill in the art would have been motivated to make such a combination for the purposes of indicating the seriousness of an alert (see Grigoryan, Paragraph [0064]). In addition, the references (Gruss, Levi, and Grigoryan) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as risk management. The close relation between the references highly suggests an expectation of success.

The combination of Gruss, Levi, and Grigoryan further teaches:
and calculating a priority score for the respective alert by only determining a summation of products of each score value for the respective alert with its corresponding logarithmic weight value (see Levi, Paragraph [0032], “Once Risk Analysis Engine 230 has determined a single vulnerability score (SCIx) and a weight (WCIx) for each CI, an overall business service vulnerability score (BSx) is determined for the business service associated with the business services model. An exemplary overall business service vulnerability score (BSx) may be determined based on the following function: BSx=((SCI1*WCI1)+, . . . , +(SCIn*WCIn)), where the overall business service vulnerability score (BSx) is based on the sum of each single vulnerability score (SCIx) multiplied by its single weight (WCIx).”); 
and displaying the plurality of alert items on a user interface, wherein the plurality of alert items is sorted based on their respective priority scores (see Levi, Figures 4-7, Paragraph [0041], “FIG. 6 illustrates a topology view for a specific business service. This view enables a user to view the asset name, the IP address, the service, and a calculated risk score (on an asset by asset basis).”). 
 
Regarding claim 20, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 19. Gruss further teaches:
a number of services affected by the respective alert; a severity level of the respective alert; a role of the respective alert; a number of secondary alerts for the respective alert; or a class of Cis associated with the respective alert (see Gruss, [Column 6, Lines 36-47], “… the control circuitry establishes particular attributes to use as scoring factors… the particular attributes include a source, a destination, an alert type (or rule), and a timestamp, perhaps among other attributes. … these attributes (i.e., source, destination, alert type, and timestamp) can be necessary features of each alert 42.”).

Regarding claim 21, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 1. Grigoryan further teaches:
wherein the category order table comprises the logarithmic weight values according to a logarithmic scale comprising ten as a base value raised to an exponent value, wherein the exponent value comprises a negative real number or positive real number (see Grigoryan, Paragraph [0063], “The weight may be linear, exponential, or logarithmic function with respect to the alert level.”).

Regarding claim 22, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 1. Gruss, and Grigoryan further teaches:
wherein the plurality of categories comprises a first category indicative of an enterprise service and a second category indicative of an alert severity, wherein a first logarithmic weight value corresponding to the first category is larger than a second logarithmic weight value corresponding to the second category, such that a first alert item having the first logarithmic weight value has a higher priority score than a second alert item having the second logarithmic weight value (see Gruss, [Column 6, Lines 36-47], “the control circuitry establishes particular attributes to use as scoring factors” Also, see Grigoryan, Paragraph [0063], “The weights may be selected to give more influence or weight to higher alert levels than to lower alert levels. The weight may be linear, exponential, or logarithmic function with respect to the alert level.”).

Claims 4, and 13 are being rejected under 35 U.S.C. 103 as being unpatentable over Gruss in view of Levi in view of Grigoryan, further in view of Chari et al. (US 2017/0286671 A1).
Regarding claim 4, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 1. Gruss further teaches:
apply one or more supervised or semi-supervised machine learning techniques to historical user activity data for the system (see Gruss, [Column 2, Lines 41-47], “This list may serve as a historical log of alerts that can later be sorted, further processed, etc.”). 

However, the combination of Gruss, Levi, and Grigoryan do not explicitly teach:
apply one or more supervised or semi-supervised machine learning techniques to historical user activity data for the system.

Chari teaches:
apply one or more supervised or semi-supervised machine learning techniques to historical user activity data for the system (see Chari, Paragraph [0081], “Malicious user activity detector 302 also may utilize semi-supervised machine learning processes, such as, for example, semi-supervised machine learning process 236 in FIG. 2.”). 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined Gruss (teaching data-driven alert prioritization) in view of Levi (teaching a device, method and program product for prioritizing security flaw mitigation task in a business service) in view of Grigoryan (teaching methods and systems to see Chari, Paragraph [0081]). In addition, the references (Gruss, Levi, Grigoryan, and Chari) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as risk management. The close relation between the references highly suggests an expectation of success. 

Regarding claim 13, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 7. Gruss, and Levi further teaches:
apply one or more supervised or semi-supervised machine learning techniques to historical user activity data for the CMDB (see Gruss, [Column 2, Lines 41-47], “This list may serve as a historical log of alerts that can later be sorted, further processed, etc.” Also, see Levi, Paragraph [0019], “a Risk Analysis Engine 200 is electronically coupled to a configuration management database (CMDB) 210”). 

However, the combination of Gruss, Levi, and Grigoryan do not explicitly teach:
apply one or more supervised or semi-supervised machine learning techniques to historical user activity data for the CMDB.

Chari teaches:
apply one or more supervised or semi-supervised machine learning techniques to historical user activity data for the CMDB (see Chari, Paragraph [0081], “Malicious user activity detector 302 also may utilize semi-supervised machine learning processes, such as, for example, semi-supervised machine learning process 236 in FIG. 2.”). 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined Gruss (teaching data-driven alert prioritization) see Chari, Paragraph [0081]). In addition, the references (Gruss, Levi, Grigoryan, and Chari) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as risk management. The close relation between the references highly suggests an expectation of success.

Claims 17 are being rejected under 35 U.S.C. 103 as being unpatentable over Gruss in view of Levi in view of Grigoryan, further in view of Stoyanov (US 2013/0166963 A1).
Regarding claim 17, Gruss in view of Levi, further in view of Grigoryan teaches all the limitations of claim 16. However, the combination of Gruss, Levi, and Grigoryan do not explicitly teach:
wherein the metadata comprises a JavaScript Object Notation (JSON) representation of the information reflecting how the priority score for the respective one of the plurality of alerts was calculated.

Stoyanov teaches:
wherein the metadata comprises a JavaScript Object Notation (JSON) representation of the information reflecting how the priority score for the respective one of the plurality of alerts was calculated (see Stoyanov, Paragraph [0016], “BPM runtime can push events in the PI alerting event queue with a corresponding JavaScript Object Notation (JSON) format.”).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined Gruss (teaching data-driven alert prioritization) in view of Levi (teaching a device, method and program product for prioritizing security flaw mitigation task in a business service) in view of Grigoryan (teaching methods and systems to see Stoyanov, Paragraph [0016]). In addition, the references (Gruss, Levi, Grigoryan, and Stoyanov) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as risk management. The close relation between the references highly suggests an expectation of success.

Response to Arguments
Applicant’s Arguments, filed November 24th, 2020, have been fully considered, but are moot in light of the new grounds of rejection. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUSAM TURKI SAMARA whose telephone number is (571)272-6803.  The examiner can normally be reached on Monday - Thursday, Alternate Fridays.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Apu Mofiz can be reached on (571)-272-4080.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HUSAM TURKI SAMARA/Examiner, Art Unit 2161

















/APU M MOFIZ/Supervisory Patent Examiner, Art Unit 2161