Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Mr. Jay Wahlquist on 2/22/21. 
The application has been amended as follows:

Amendments to the Claims

1.	(Currently Amended)  A computer-implemented method for automated endpoint detection and response, the method comprising:
receiving one or more security alerts;
selecting a subset of the one or more security alerts for processing;
determining a type of alert for each of the security alerts of the subset of the one or more security alerts;
executing, based on one or more types of security alerts in the subset of the one or more security alerts, one or more queries automatically to collect information linking content in the subset of the one or more security alerts with one or more other related processes not included in the subset of the one or more security alerts;
identifying, based on the information collected by the one or more queries, the one or more other related processes, wherein the one or more other related processes are related to information contained within the subset of the one or more security alerts; [[and]]
displaying a full flow of a malware attack, wherein the full flow includes the information contained within the subset of the one or more security alerts and the one or more other related processes; and
providing an initial response to the malware attack.

2.	(Cancelled)

3.	(Currently Amended)  The method of claim 1 [[2]], wherein the executing one or more queries automatically is further based on the type of alert for each of the security alerts of the subset of the one or more security alerts.

4.	(Original)  The method of claim 1, wherein the one or more security alerts comprises at least two security alerts; and further comprising:
linking two or more security alerts, based upon the identifying of one or more related processes, wherein at least one of the one or more related processes is a subject of one or more security alerts.



6.	(Currently Amended)  The method of claim 1 [[5]], wherein the initial response to the malware attack is an action taken automatically to quarantine one or more files.

7.	(Currently Amended)  The method of claim 1 [[5]], wherein the initial response to the malware attack is a suggested course of action presented to a user.

8.	(Currently Amended)  A system for automated endpoint detection and response, the system comprising:
one or more processors; and
a memory communicatively coupled to the one or more processors,
wherein the memory comprises instructions which, when executed by the one or more processors, cause the one or more processors to perform a method comprising:
receiving one or more security alerts;
selecting a subset of the one or more security alerts for processing;
determining a type of alert for each of the security alerts of the subset of the one or more security alerts;
executing, based on one or more types of security alerts in the subset of the one or more security alerts, one or more queries automatically to collect information linking content in the subset of the one or more security alerts with one or more other related processes not included in the subset of the one or more security alerts;
identifying, based on the information collected by the one or more queries, the one or more other related processes, wherein the one or more other related processes are related to information contained within the subset of the one or more security alerts; [[and]]
displaying a full flow of a malware attack, wherein the full flow includes the information contained within the subset of the one or more security alerts and the one or more other related processes; and
providing an initial response to the malware attack.

9.	(Cancelled)

10.	(Currently Amended)  The system of claim 8 [[9]], wherein the executing one or more queries automatically is further based on the type of alert for each of the security alerts of the subset of the one or more security alerts.

11.	(Original)  The system of claim 8, wherein the one or more security alerts comprises at least two security alerts; and further comprising:
linking two or more security alerts, based upon the identifying of one or more related processes, wherein at least one of the one or more related processes is a subject of one or more security alerts.



13.	(Currently Amended)  The system of claim 8 [[12]], wherein the initial response to the malware attack is an action taken automatically to quarantine one or more files.

14.	(Canceled)  

15.	(Currently Amended)  A computer program product for automated endpoint detection and response, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, the program instructions executable by a computer to perform a method comprising: 
receiving a plurality of security alerts;
selecting a subset of the plurality of security alerts for processing;
determining a type of alert for each of the security alerts of the subset of security alerts;
executing, based on one or more types of security alerts in the subset of security alerts, one or more queries automatically to collect information linking content in the subset of security alerts with one or more other related processes not included in the subset of security alerts;

displaying a full flow of a malware attack, wherein the full flow includes the information contained within the subset of security alerts and the one or more other related processes; and
providing an initial response to the malware attack.

16.	(Cancelled)

17.	(Canceled)  

18.	(Previously Presented)  The computer program product of claim 15, wherein the plurality of security alerts comprises at least two security alerts; and further comprising:
linking two or more security alerts, based upon the identifying of the one or more other related processes, wherein at least one of the one or more other related processes is a subject of one or more security alerts not included in the subset of security alerts.

19.	(Currently Amended)  The computer program product of claim 15, 


20.	(Currently Amended)  The computer program product of claim 15, 


21.	(Previously Presented) The computer program product of claim 15, wherein executing the one or more queries automatically comprises:
	determining that a first security alert in the subset of security alerts has a first type;
	identifying a list of potential queries for the first type;
	executing queries on the list of potential queries using information contained in the first security alert.

22.	(Previously Presented) The method of claim 1, wherein: 
	the one or more security alerts include a plurality of security alerts,
	the subset of the one or more security alerts does not contain all of the one or more security alerts, 
	each of the one or more security alerts has an associated priority value, and 
	the subset of the one or more security alerts includes the security alerts in the plurality of security alerts that have a higher priority value than the security alerts that are not included in the subset of security alerts.
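As an added illustration (not part of the application, its specification, or this Office action), the following Python sketch runs the claimed sequence end to end on constructed data: priority-based subset selection in the shape of claim 22, a per-type query catalogue in the shape of claim 21, identification of other related processes, alert linking as in claims 4/11/18, a rendered "full flow", and an initial response in the shape of claims 6/7. The process table, the alert types, the query catalogue contents, the priority semantics and the quarantine list are all assumptions made for the example; no real EDR product's API is used.

```python
from dataclasses import dataclass

# Constructed sample telemetry keyed by pid (assumes an EDR sensor already recorded
# parent pid, files written and remote addresses contacted for each process).
PROCESSES = {
    100: {"name": "explorer.exe",   "ppid": 1,   "files": [],               "remote": []},
    200: {"name": "winword.exe",    "ppid": 100, "files": ["invoice.docm"], "remote": []},
    300: {"name": "powershell.exe", "ppid": 200, "files": ["stage2.dll"],   "remote": ["203.0.113.7"]},
    400: {"name": "rundll32.exe",   "ppid": 300, "files": [],               "remote": ["203.0.113.7"]},
    500: {"name": "chrome.exe",     "ppid": 100, "files": [],               "remote": ["198.51.100.1"]},
}

@dataclass(frozen=True)
class Alert:
    alert_id: str
    alert_type: str   # "suspicious_process", "network" or "file_write" (assumed types)
    priority: int     # higher value = more urgent
    pid: int          # the process the alert is about
    detail: str = ""  # file name or remote address named by the alert

def ancestors(pid):
    """Parent chain of pid, nearest parent first, stopping at unknown pids."""
    chain, pid = [], PROCESSES[pid]["ppid"]
    while pid in PROCESSES:
        chain.append(pid)
        pid = PROCESSES[pid]["ppid"]
    return chain

def children(pid):
    return [p for p, i in PROCESSES.items() if i["ppid"] == pid]

def sharing(attr, value, exclude):
    """Processes (other than `exclude`) whose `attr` list contains `value`."""
    return [p for p, i in PROCESSES.items() if p != exclude and value in i[attr]]

# Alert type -> list of potential queries (the shape claim 21 describes; contents assumed).
QUERY_CATALOG = {
    "suspicious_process": [lambda a: ancestors(a.pid), lambda a: children(a.pid)],
    "network": [lambda a: sharing("remote", a.detail, a.pid), lambda a: ancestors(a.pid)],
    "file_write": [lambda a: sharing("files", a.detail, a.pid), lambda a: children(a.pid)],
}

def select_subset(alerts, limit):
    """Keep at most `limit` alerts, each strictly outranking every dropped one (claim 22 shape)."""
    ranked = sorted(alerts, key=lambda a: a.priority, reverse=True)
    if len(ranked) <= limit:
        return ranked
    cutoff = ranked[limit].priority          # alerts tied at the cut-off are dropped, not split
    return [a for a in ranked if a.priority > cutoff]

def execute_queries(subset):
    """Run every catalogued query for each alert's type; raw = all pids reached, related = non-subjects."""
    subjects = {a.pid for a in subset}
    raw, related = {}, {}
    for alert in subset:
        found = set()
        for query in QUERY_CATALOG.get(alert.alert_type, []):
            found.update(query(alert))
        raw[alert.alert_id] = found
        related[alert.alert_id] = found - subjects   # "other" processes not in the subset
    return raw, related

def link_alerts(subset, raw):
    """Link two alerts when one alert's queries reached the other's subject process."""
    return sorted((a.alert_id, b.alert_id) for a in subset for b in subset
                  if a.alert_id < b.alert_id
                  and (b.pid in raw[a.alert_id] or a.pid in raw[b.alert_id]))

def full_flow(subset, related):
    """Render the flow as a parent-to-child chain, tagging processes that carry an alert."""
    tags = {a.pid: a.alert_id for a in subset}
    pids = set(tags).union(*related.values())
    ordered = sorted(pids, key=lambda p: len(ancestors(p)))
    return " -> ".join(f"{PROCESSES[p]['name']}({p})" + (f" [{tags[p]}]" if p in tags else "")
                       for p in ordered)

def initial_response(subset, related, automatic=False):
    """Quarantine list for files written in the flow: a suggestion (claim 7 shape) or, with automatic=True, recorded as taken (claim 6 shape)."""
    pids = {a.pid for a in subset}.union(*related.values())
    files = sorted({f for p in pids for f in PROCESSES[p]["files"]})
    return {"action": "quarantine", "files": files, "taken": automatic}

def run_pipeline(alerts, limit=2):
    """The claimed sequence end to end: select, type-driven queries, link, display, respond."""
    subset = select_subset(alerts, limit)
    raw, related = execute_queries(subset)
    return {"subset": [a.alert_id for a in subset], "related": related,
            "links": link_alerts(subset, raw), "flow": full_flow(subset, related),
            "response": initial_response(subset, related)}

# Constructed sample alerts: two high-priority alerts on an Office -> PowerShell
# -> rundll32 chain, plus two low-priority alerts the subset selection drops.
SAMPLE_ALERTS = [
    Alert("A1", "suspicious_process", 90, 300),
    Alert("A2", "network", 80, 400, "203.0.113.7"),
    Alert("A3", "network", 20, 500, "198.51.100.1"),
    Alert("A4", "file_write", 20, 200, "invoice.docm"),
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_ALERTS))
```

Running the sketch on the sample keeps A1 and A2, reaches explorer.exe and winword.exe as the "other related processes" for both, links the two alerts because each one's queries reach the other's subject process, renders the chain explorer.exe -> winword.exe -> powershell.exe [A1] -> rundll32.exe [A2], and returns a suggested quarantine of invoice.docm and stage2.dll. The cut-off rule in select_subset is deliberately strict: with limit=3 the two priority-20 alerts are both dropped, so every kept alert really does outrank every dropped one.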

Claims
The claims filed on 1/13/21 are acknowledged.  
The claims filed on 1/27/21 (supplemental response) are acknowledged.  

Drawings
The drawings filed on 1/13/21 are acknowledged.  

Response to Arguments
Applicant's remarks, pages 8-11, filed on 1/27/21, with respect to the art rejection of the claims have been fully considered and they are persuasive as amended and in the light of the Examiner's amendments.

Allowable Subject Matter
Claims 1, 3, 4, 6-8, 10, 11, 13, 15, 18-22 are allowed.
This communication warrants no examiner's reason for allowance, as applicant's reply makes evident the reason for allowance, satisfying the record as a whole as required by 37 CFR 1.104(e). Thus, the reason for allowance is in all probability evident from the record and no statement of examiner's reason for allowance is necessary (see MPEP 1302.14).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARESH PATEL whose telephone number is (571) 272-3973.  The examiner can normally be reached on Monday-Friday.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached at (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.


/HARESH N PATEL/Primary Examiner, Art Unit 2493