DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are presented for examination.
The three information disclosure statements filed 4/24/2019 have been considered.

Election/Restrictions
Restriction to one of the following inventions is required under 35 U.S.C. 121:
I. Claims 1-10, 14, 15, 17, 18, and 20, drawn to data loss detection, classified in G06F21/88.
II. Claims 11-13, 16, and 19, drawn to attack detection, classified in G06F21/55.
The inventions are independent or distinct, each from the other because:
Inventions I. and II. are related as subcombinations disclosed as usable together in a single combination.  The subcombinations are distinct if they do not overlap in scope and are not obvious variants, and if it is shown that at least one subcombination is separately usable.  In the instant case, subcombination II. has separate utility such as controlling infiltration of contaminating content.  See MPEP § 806.05(d).
The examiner has required restriction between subcombinations usable together. Where applicant elects a subcombination and claims thereto are subsequently found allowable, any claim(s) depending from or otherwise requiring all the limitations of the allowable subcombination will be examined for patentability in accordance with 37 CFR 1.104.  See MPEP § 821.04(a).  Applicant is advised that if any claim presented in a continuation or divisional application is anticipated by, or includes all the limitations of, a claim that is allowable in the 
Restriction for examination purposes as indicated is proper because all the inventions listed in this action are independent or distinct for the reasons given above and there would be a serious search and/or examination burden if restriction were not required because one or more of the following reasons apply: the inventions have acquired a separate status in the art in view of their different classification, the inventions require a different field of search, etc.
During a telephone conversation with Attorney Ernest Beffel, Reg. No. 43489, on 2/26/2021 a provisional election was made with traverse to prosecute the invention of Group I., claims 1-10, 14, 15, 17, 18, and 20.  Affirmation of this election must be made by applicant in replying to this Office action.  Claims 11-13, 16, and 19 are withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the 

Claims 1-6, 8-10, 14, 15, 17, 18, and 20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Zimmermann et al. (U.S. Patent Application Publication Number 2018/0027006), hereinafter referred to as Zimmermann.
Regarding claim 1, Zimmermann discloses a tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement a method of incident-driven and user-targeted data loss prevention, the method including: a cloud access security broker (abbreviated CASB) controlling exfiltration of sensitive content in documents stored on cloud-based services in use by users of an organization by monitoring manipulation of the documents (paragraph 97, cloud security fabric, and paragraph 114, CSF hosts security services including context analysis services, etc.); in response to receiving an indication that credentials of a particular one of the users have been compromised, the CASB identifying one or more of the cloud-based services that the particular one of the users has access to and at least one document location on the cloud-based services to inspect for sensitive documents (paragraph 264, identifying sensitive data and compromised account); the CASB performing deep inspection of documents identified as stored at the document location and detecting at least some sensitive documents (paragraph 114, analyze documents for sensitive information); and based on the detected sensitive documents, the CASB determining a data exposure for the organization due to the compromised credentials of the particular one of the users (paragraph 384, identify exposure levels).
Regarding claim 2, Zimmermann discloses wherein the compromised credentials include a single sign-on (abbreviated SSO) authentication for accessing the one or more of the cloud-based services (paragraph 111, SSO).
Regarding claim 3, Zimmermann discloses wherein the data exposure is determined based on a count of the detected sensitive documents (paragraph 570, tracks access to documents with sensitive information).
Regarding claim 4, Zimmermann discloses program instructions that, when executed on processors, cause the processors to implement the method including: the CASB measuring regulatory compliance based on the count of the detected sensitive documents and detecting regulatory violations; and flagging the regulatory violations for reporting to a regulatory authority (paragraph 549, reporting for compliance requirements).
Regarding claim 5, Zimmermann discloses wherein compromise of the documents subject to the data exposure is determined based on determination by the CASB that the detected sensitive documents were transmitted out of the at least one of the cloud-based services from the identified document location on or after a date of interest (paragraph 114, sensitive data shared outside of organization).
Regarding claim 6, Zimmermann discloses wherein the transmission is detected based on examination of activity logs previously generated, in advance of receiving the indication, from document deposit to, retrieval from, and sharing via the at least one of the cloud-based services (paragraph 120, event logs).
Regarding claim 8, Zimmermann discloses program instructions that, when executed on processors, cause the processors to implement the method including: in response to receiving an indication that a particular one of the users has exited the organization, the CASB identifying at least one document location on at least one of the cloud-based services that the particular one of the users continued to have access to post-exit; the CASB performing deep inspection of documents stored at the identified document location and detecting at least some sensitive 
Regarding claim 9, Zimmermann discloses wherein date of interest is at least one of when the credentials were compromised and when the exit occurred (paragraph 533, detection date).
Regarding claim 10, Zimmermann discloses program instructions that, when executed on processors, cause the processors to implement the method including: in response to detecting the at least some sensitive documents, triggering a security action, wherein the security action is encrypting the sensitive documents with a key not acessible via the compromised credential (paragraph 120, encrypting sensitive data).
Regarding claim 14, Zimmermann discloses a tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement a method of incident-driven and user-targeted data loss prevention, the method including: a cloud access security broker (abbreviated CASB) controlling exfiltration of sensitive content in documents stored on cloud-based services in use by users of an organization by monitoring manipulation of the documents (paragraph 97, cloud security fabric, and paragraph 114, CSF hosts security services including context analysis services, etc.); in response to receiving an indication that credentials of a particular one of the users have been compromised, the CASB identifying one or more of the cloud-based services that the particular one of the users has access to and at least one document location on the cloud-based services to inspect for sensitive documents (paragraph 264, identifying sensitive data and compromised account); the CASB detecting at least some sensitive documents identified as 
Regarding claim 15, Zimmermann discloses a computer-implemented method including executing on a processor the program instructions from the non-transitory computer readable storage media (paragraph 597, processor executes program instructions).
Regarding claim 17, Zimmermann discloses a computer-implemented method including executing on a processor the program instructions from the non-transitory computer readable storage media (paragraph 597, processor executes program instructions).
Regarding claim 18, Zimmermann discloses a system for incident-driven and user-targeted data loss prevention, the system including a processor, memory coupled to the processor, and computer instructions from the non-transitory computer readable storage media loaded into the memory (paragraph 597, computing platform).
Regarding claim 20, Zimmermann discloses a system for incident-driven and user-targeted data loss prevention without needing to perform content sensitivity scan, the system including a processor, memory coupled to the processor, and computer instructions loaded into .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Zimmermann in view of Brisebois et al. (U.S. Patent Application Publication Number 2017/0331777), hereinafter referred to as Brisebois.
Zimmermann disclosed techniques for securing enterprise computing systems.  In an analogous art, Brisebois disclosed techniques for managing emails based on data loss prevention policies.  Both systems are directed toward the detection and prevention of data loss.
Regarding claim 7, Zimmermann does not explicitly state wherein the at least one of the cloud-based services is a cloud-hosted email service and the identified document location is at least one of inbox folder, sent folder, outbox folder, drafts folder, and deleted folder.  However, identifying and managing email services for data loss prevention was well known in the art as evidenced by Brisebois.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Zimmermann by adding the ability that the at least one of the cloud-based services is a cloud-hosted email service and the identified document location is at least one of inbox folder, sent folder, outbox folder, drafts folder, and deleted folder as provided .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Brisebois et al. (U.S. Patent Application Publication Number 2017/0329972) disclosed techniques for assessing the risk associated with data loss prevention policy violations.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812.  The examiner can normally be reached on Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished 




/Victor Lesniewski/Primary Examiner, Art Unit 2493