DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Remarks
In a response filed on February 16, 2021, Applicant amends claims 1-6, 8, 14-17, 19, 21 and 25.
Claims 1-11 and 13-25 are presented for examination.
Allowable Subject Matter
Claims 1-11 and 13-25 are allowed.
Reasons for Allowance
According to 37 CFR 1.104(e), if the examiner believes that the record of the prosecution as a whole does not make clear his or her reasons for allowing a claim or claims, the examiner may set forth such reasoning. Accordingly, Examiner concludes that, for clarity, the record requires that Examiner set forth reasons for the allowance of claims 1-25. The applicant or patent owner may file a statement commenting on the following reasons for allowance within THREE MONTHS FROM THE “MAILING DATE” of this communication.
The following is an examiner’s statement of reasons for allowance.
For example, the cited prior art of record comprises inter alia the following references:
		US 2014/0289853 A1		Teddy et al.
		US 2015/0128274 A1		Giokas


Regarding claim 1, Teddy teaches a distributed security system (100, FIG. 1) (¶ 16) that uses one or more threat intelligence feed repositories that store threat events associated with security incidents, the threat events including threat indicators for characterizing the threat events (¶ 57 “the threat intelligence feed received from threat intelligence system 220”; note: Teddy’s “threat intelligence” may store/include malicious “events” [see ¶ 19]), the distributed security system comprising:
a security policy system (155, FIG. 1 / 220, FIGS. 2-3) located outside an enterprise network, the security policy system storing observable events (286, FIG. 2 / 375, FIG. 3) for security incidents detected by and sent from user devices (120-125, FIG. 1 / 210, FIG. 2 / 305-320, FIG. 3) located within the enterprise network (145, FIG. 1 / 250, FIGS. 2-3), the observable events including observable indicators for characterizing the observable events (¶ 16, 18, 19, 20, 21, 58, 63, 64 “threat intelligence system 155/220”; ¶ 30 “a large enterprise network 250 employing host devices 210”; ¶ 36, 58, 63 “Threat intelligence data 286 can be observable events/based on observations of multiple different sensors collected from multiple domains”; ¶ 64 “threat intelligence data 286…obtained from the host devices 305-320; note: threat intelligence system 220 may include/store observable events 286/375 [see ¶ 58, 64], also note that FIG. 4 illustrates that security policy system 220 is located “outside” Teddy’s enterprise network [see FIG. 4]),
wherein the security policy system (155, FIG. 1 / 220, FIGS. 2-3) is located in a network (150, FIG. 1) that is remote to the enterprise network (145, FIG. 1) and that is remote to networks that include the one or more threat intelligence feed repositories (¶ 57 “data collected within the domain…from antimalware clients…may be…a threat intelligence feed”; ¶ 16, 30 “large enterprise network 145/250 employing host devices 210”; note: the network of Teddy’s threat intelligence systems may be located “throughout the world,” which implicitly includes remotes areas [see ¶ 19]); and
an on-premises connector (215, FIG. 2 / 325-340, FIG. 3) located within the enterprise network and executing on one of the user devices (¶ 59, 29 “connector/ antimalware client 215”; ¶ 30 “a large enterprise network 250 employing host devices 210”), the on-premises connector:
compares the observable indicators received from the security policy system with the threat indicators (¶ 66 “antimalware client 215 can apply the subset of detection and assessment provisioned on it to make a cursory assessment of the file 410”; ¶ 65 “data…not identified or included in the local caches…can provide updates to the local caches”; ¶ 59 “antimalware client 325-340…preliminary assessments of files on the host device”; note: Teddy implies that data 375 may be “received” from system 155/220, and Teddy’s clients 215/ 325-340 may “assess” by comparing a local file to “cache” data such as intelligence data 375, also note that Teddy’s “observable indicators” may include “URLs, IP addresses, or other source information” [see ¶ 66, 65]); and
in response to determining that any observable indicators match any threat indicators, provides access to the threat events and the observable events having the matching indicators (¶ 65 “the host device matching/detecting a file described in the antimalware support system data”; ¶ 68 “for a match/detected 
In an analogous art, Giokas teaches: compare (320, FIG. 3) observable indicators from a security policy system (120, FIG. 2) with the threat indicators received from the one or more threat intelligence feed repositories (202a-n, FIG. 2) located outside the enterprise network (204, FIG. 2) (¶ 91, 121 “compare 320…threat indicators with the indexed logs”; ¶ 126 “receive threat indicators from heterogeneous sources… sources may include threat intelligence repositories…crowd sourced from various feeds …normalizer can…remove duplicate threat information, and categorize the threats into lists of threat indicators”; ¶ 23 “logs are indicative of a status of…computer network… generate indexed logs from the…logs”; ¶ 78 “the status of one or more machines 102, 106 in the network 104 are monitored/observed”).
In an analogous art, Singla teaches: one or more threat intelligence feed repositories being subscription-based threat intelligence feed repositories that validate the on-premises connector (example: 130, FIG. 1) as a legitimate subscriber (¶ 24, 38 “threat data may be received as part of intelligence feed/feed information subscribed to”; note: an individual may join Singla’s “communities”  via a “subscription” [see ¶ 49], also note that it is implicit that service providers “validate” their “subscribers” before serving them [see ¶ 38, 49; MPEP § 2144.01]).
However, the prior art of record, alone or in combination, does not explicitly disclose: a distributed security system that uses one or more threat intelligence feed repositories that store threat events associated with security incidents, the threat , wherein the security policy system is located in a network that is remote to the enterprise network and that is remote to networks that include the one or more threat intelligence feed repositories; and an on-premises connector located within the enterprise network and executing on one of the user devices, the on-premises connector: receives the observable indicators from the security policy system located outside the enterprise network; receives the threat indicators from the one or more threat intelligence feed repositories located outside the enterprise network, the one or more threat intelligence feed repositories being subscription-based threat intelligence feed repositories that validate the on-premises connector as a legitimate subscriber; compares the observable indicators received from the security policy system with the threat indicators received from the one or more threat intelligence feed repositories located outside the enterprise network; and in response to determining that any observable indicators match any threat indicators, provides access to the threat events and the observable events having the matching indicators.
Regarding claims 14 and 25, Teddy teaches a method for retrieving information associated with security incidents from one or more threat intelligence feed repositories that store threat events associated with security incidents (note: Teddy’s “threat intelligence” may store/include malicious “events” [see ¶ 19]), the method comprising:

storing the observable events within a security policy system (155, FIG. 1 / 220, FIGS. 2-3) located outside the enterprise network (note: threat intelligence system 220 may include/store event data 286/375 [see ¶ 58, 64], and FIG. 4 illustrates that security policy system 220 is located “outside” Teddy’s enterprise network [see FIG. 4]),
wherein the security policy system (155, FIG. 1 / 220, FIGS. 2-3) is located in a network (150, FIG. 1) that is remote to the enterprise network (145, FIG. 1) and that is remote to networks that include the one or more threat intelligence feed repositories (¶ 57 “data collected within the domain…from antimalware clients…may be…a threat intelligence feed”; ¶ 16, 30 “large enterprise network 145/250 employing host devices 210”; note: the network of Teddy’s threat intelligence systems may be located “throughout the world,” which implicitly includes remotes areas [see ¶ 19]);
comparing, by an on-premises connector (215, FIG. 2 / 325-340, FIG. 3), the observable indicators (example: 375, FIG. 3) received from the security policy system 
matching, by the on-premises connector, the observable indicators to the threat indicators to determine matching indicators (¶ 65 “the host device matching/detecting a file described in the antimalware support system data”; ¶ 68 “a match/detected file”; ¶ 97 “matches/instances where the reputation or identified characteristics of the file indicate that the file is potentially malicious or risky”); and
providing, by the on-premises connector, access to the threat events and the observable events having the matching indicators (¶ 68 “for a match/detected file [] provide/send this information/observable threat”).
In an analogous art, Giokas teaches: comparing (320, FIG. 3) the observable indicators received from the security policy system (120, FIG. 2) with threat indicators of the threat events received from the one or more threat intelligence feed repositories (202a-n, FIG. 2) located outside the enterprise network (204, FIG. 2) (¶ 91, 121 “compare 320…threat indicators with the indexed logs”; ¶ 126 “receive threat indicators 
In an analogous art, Singla teaches: one or more threat intelligence feed repositories being subscription-based threat intelligence feed repositories that validate the on-premises connector (example: 130, FIG. 1) as a legitimate subscriber (¶ 24, 38 “threat data may be received as part of intelligence feed/feed information subscribed to”; note: an individual may join Singla’s “communities”  via a “subscription” [see ¶ 49], also note that it is implicit that service providers “validate” their “subscribers” before serving them [see ¶ 38, 49; MPEP § 2144.01]).
However, the prior art of record, alone or in combination, does not explicitly disclose: a method for retrieving information associated with security incidents from one or more threat intelligence feed repositories that store threat events associated with security incidents, the method comprising: receiving, from one or more user devices located within an enterprise network, detected observable events associated with security incidents, the observable events including observable indicators for characterizing the observable events; storing the observable events within a security policy system located outside the enterprise network, wherein the security policy system is located in a network that is remote to the enterprise network and that is remote to networks that include the one or more threat intelligence feed repositories; receiving, by an on-premises connector located within the enterprise network and executing on one of the user devices, the observable indicators from the security policy system located outside the enterprise network; receiving, by the on-premises connector, threat indicators of the threat events from the one or more threat intelligence feed repositories located outside the enterprise network, the one or more threat intelligence feed repositories being subscription-based threat intelligence feed repositories that validate the on-premises connector as a legitimate subscriber; comparing, by the on-premises connector, the observable indicators received from the security policy system with the threat indicators of the threat events received from the one or more threat intelligence feed repositories located outside the enterprise network; matching, by the on-premises connector, the observable indicators to the threat indicators to determine matching indicators; and providing, by the on-premises connector, access to the threat events and the observable events having the matching indicators.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kalish Bell whose telephone number is (571) 272-5294.  The examiner can normally be reached on 9am-5pm, M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/KALISH K BELL/Examiner, Art Unit 2432


/MORSHED MEHEDI/Primary Examiner, Art Unit 2432