DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 02/05/2021 has been entered.


Response to Amendments
This communication is in response to the amendments filed on 5 February 2021:
	Claims 3, 5-9, 11-12, 14-16, 18-19 and 22-24 are amended.
	Claims 1, 4 and 20-21 are canceled.
	Claims 2-3, 5-19 and 22-24 are pending.



Response to Arguments
In response to Applicant’s remarks filed on 5 February 2021:
a.	Applicant’s arguments that several features in the pending claims are neither taught nor suggested, either expressly or inherently, in any of the cited prior art references. For example, no cited reference teaches or suggests “in response to determining the received alert is similar to the given alert, 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 2-3, 5-10, 12, 14-16, 18-19, 22 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Shahbaz et al. (U.S. PGPub. 2018/0091528), hereinafter Shahbaz, in view of Ylonen (U.S. PGPub. 2020/0099689), in further view of Gannavarapu et al. (U.S. PGPub. 2017/0212726), hereinafter Gannavarapu. 

	Regarding claim 2, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches The non-transitory machine-readable storage medium of claim 8, wherein the issue comprises a security issue (Shahbaz, Paragraph [0236], see “identify event data of interest (e.g., event data indicating an occurrence of a potential security threat)”), and the remediation action resolves the security issue (Shahbaz, Paragraph [0236], see “and/or causing performance of an action to remediate the potential security threat”).

	Regarding claim 3, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches The non-transitory machine-readable storage medium of claim 8, wherein determining that the received alert is similar to the given alert further comprises:
	comparing a characteristic of a source that generated the received alert to a characteristic of sources that generated the alerts associated with the past processes (Shahbaz, Paragraph [0265], where “actions may be associated with the modular alert causing performance of the actions based on one or more common identifiers” is read as “comparing a further characteristic of the source that generated the received alert to further characteristics of the sources that generated alerts associated with the past processes,” where “actions may be associated with the modular alert” is being read as comparing a further characteristic of the source that generated the received alert).

	Regarding claim 5, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches The non-transitory machine-readable storage medium of claim 3, wherein the characteristic of the source that generated the received alert is selected from among a type of operating system run in the source that generated the received alert, a type of application run in the source that generated the received alert, a version of a program run in the source that generated the received alert, an owner of the source that generated the received alert, or a network to which the source that generated the received alert is connected (Shahbaz, Paragraph [0281], where “modular alert may include a search which returns information indicating a network address from which a network-based attack appears to originate” is read as the further characteristic of the source being selected from among a network to which the source that generated the received alert is connected, due to the search returning information indicating a network address from which a network-based attack appears to originate). 

	Regarding claim 6, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches The non-transitory machine-readable storage medium of claim 8, wherein determining that the received alert is similar to the given alert further comprises:
	comparing a relationship of a type of the received alert to types of the alerts associated with the past processes in a taxonomy representing alert types (Shahbaz, Paragraph [0233], where “may be presented in a rainbow chart with the warmest color associated with the highest severity of classification” is read as “taxonomy representing alert types” and “may display detailed information about that notable event, including an identification of the correlation” is analogous to comparing the properties of the received alert with the past processes as well as determining a relationship of a type).

	Regarding claim 7, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches The non-transitory machine-readable storage medium of claim 8, wherein determining that the received alert is similar to the given alert further comprises:
	comparing underlying events of the received alert to underlying events of the alerts associated with the past processes (Shahbaz, Paragraph [0286], where “displays various types of information about a particular security threat…for example, an indication of the underlying event data, and information about the performance of actions associated” is analogous to “comparing underlying events of the received alert to underlying events of the alerts associated with the past processes”).

	Regarding claim 8, Shahbaz teaches A non-transitory machine-readable storage medium storing instructions that upon execution cause at least one processor to (Shahbaz, Paragraph [0334]):
	receive an alert relating to an issue in a computing arrangement (Shahbaz, FIG. 27 and Paragraph [0116], where “the event data was received or generated” is being read as receiving an alert to an issue);
	determine that the received alert is similar to a given alert in an information repository containing information of past processes performed to address respective issues (Shahbaz, Paragraph [0225], where “stored to build a valuable repository of current and historical performance information for the service” is being read as an information repository containing information of past processes performed and where “the repository, itself, may be subject to search query processing” is being read as determining that the received alert is similar to a given alert), the information contained in the information repository comprising information of actions taken in the past processes to address the respective issues (Shahbaz, Paragraph [0225], where “stored to build a valuable repository of current and historical performance information for the service” is being read as an information repository comprising actions taken in the past to address respective issues), wherein the determining comprises:
		comparing, using a distance function, a string representing tasks performed to respond to the received alert to strings representing tasks performed to respond to alerts associated with the past processes (Shahbaz, Paragraph [0115], see “At block 306, an indexer receives data blocks from a forwarder and parses the data to organize the data into events. In an embodiment, to organize the data into events, an indexer may determine a source type associated with each data block…and refer to a source type configuration corresponding to the identified source type. The source type definition may include one or more properties that indicate to the indexer to automatically determine the boundaries of events within the data…event boundaries may be indicated by predefined characters or character strings”, Paragraph [0116], see “At block 308, the indexer determines a timestamp for each event…an indexer may again refer to a source type definition associated with the data to locate one or more properties that indicate instructions for determining a timestamp for each event. The properties may, for example, instruct an indexer to extract a time value from a portion of data in the event, to interpolate time values based on timestamps associated with temporally proximate events, to create a timestamp based on a time the event data was received or generated, to use the timestamp of a previous event, or use any other rules for determining timestamps”, where properties are compared between the received alert and the associated past processes, and Paragraph [0123], see “Each indexer 206 may be responsible for storing and searching a subset of the events contained in a corresponding data store 208…By storing events in buckets for specific time ranges, an indexer may further optimize data retrieval process by searching buckets corresponding to time ranges that are relevant to a query”, where events are stored in a bucket for receiving data relevant to a query (past processes) using the corresponding time ranges (distance function)),
		
		trigger performance of the remediation action (Shahbaz, Paragraph [0235], where “specify actions to be performed” is read as “comprises an action” and “in response to the detection of one or more defined triggering conditions based on a query” is read as “trigger performance of a remediation action that comprises an action, identified by the information in the information repository”, due to the query reflecting back on the processing with respect to the information repository).
	Shahbaz does not teach the following limitation(s) as taught by Ylonen: the distance function to calculate edit distances based on respective numbers of edits to be performed on the string representing the tasks performed to respond to the received alert to arrive at the strings representing the tasks performed to respond to the alerts associated with the past processes.
	(Ylonen, Paragraph [0128], see “The actions can comprise at least one of insertion, deletion and/or modification of authenticator information…The smallest set can be computed using an edit distance algorithm or Levenshtein distance algorithm using an identification of the key pairs of the authorized keys as the symbols for the strings compared by the algorithm”, where the Levenshtein distance is a string metric for measuring the difference between two sequences: the Levenshtein distance between two strings is the minimum number of single-symbol edits (insertions, deletions or substitutions) required to change one string into the other).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of configuring modular alert actions and reporting action performance information disclosed by Shahbaz by implementing the techniques for processing changes to authorized keys disclosed by Ylonen, which comprise calculating edit distances based on the respective numbers of edits to be performed on two compared strings.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for responding to alerts that calculate edit distances based on the respective numbers of edits to be performed on two compared strings, wherein the first string pertains to the received alert and the second string pertains to a past process that is similar to the received alert. Calculating the edit distance between the two strings in order to compare a received alert to a past process for a similar alert allows for a more precise comparison of the received alert to past processes, because the number of edits required to transform one string into the other is determined, which ultimately allows the system to process the information more accurately through the distance algorithm and quickly determine a remediation action to resolve the issue (Ylonen, Paragraph [0128]).
	Shahbaz as modified by Ylonen does not teach the following limitation(s) as taught by Gannavarapu: in response to determining the received alert is similar to the given alert, determine a remediation action for the issue, wherein the remediation action comprises an action identified by the information in the information repository as having been performed in response to the given alert.
	(Gannavarapu, Paragraph [0021], see “case database 123 stores information regarding how previous or closed cases were addressed such as the work flow history or a case flow history that includes the events, task, and steps, taken to resolve the case. The information on work flow history or patterns of applied steps, tasks, or events stored in case database 123 may be retrieved by case program 122 to determine relevant closed cases similar to the WIP case (e.g., to provide possible direction or steps to the user for proceeding with the WIP case)”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of configuring modular alert actions and reporting action performance information disclosed by Shahbaz, and the techniques disclosed by Ylonen, by implementing the techniques for dynamically determining relevant cases disclosed by Gannavarapu, which comprise, in response to determining that the received alert is similar to the given alert, determining a remediation action for the issue, wherein the remediation action comprises an action identified by the information in the information repository as having been performed in response to the given alert.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for responding to alerts that, in response to determining that the received alert is similar to the given alert, determine a remediation action for the issue, wherein the remediation action comprises an action identified by the information in the information repository as having been performed in response to the given alert. This allows for better security management and more effective responses to alerts, because the system saves time by determining that a received alert is similar to a given alert and using the information in the repository to apply a remediation action to the similar alert (Gannavarapu, Paragraph [0021]).

	Regarding claim 9, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches The non-transitory machine-readable storage medium of claim 8, wherein the instructions upon execution further cause the at least one processor to:
	compute a confidence indicator of the remediation action (Shahbaz, Abstract, where “for causing a network security application to report on the performance of those actions” is read as “based on past processes” and Paragraph [0225], where “each KPI is defined by a search query that derives a KPI value from the machine data of events associated with the entities that provide the service” is read as “a confidence indicator of the remediation action”),
	wherein triggering the performance of the remediation action is based on the computed confidence indicator (Shahbaz, Paragraph [0225], where “The KPI values derived over time may be stored to build a valuable repository of current and historical performance information for the service…and may be subject to search query processing” is read as “triggering the performance of the remediation action is based on the computed confidence indicator”).

	Regarding claim 10, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches The non-transitory machine-readable storage medium of claim 8, wherein the remediation action comprises:
	determining that the received alert is a true positive alert (Shahbaz, Paragraph [0182], where “facilitates detecting “notable events” that are likely to indicate a security threat” is analogous to determining that the received alert is a true positive alert), and
	performing the action identified by the information in the information repository (Shahbaz, Paragraph [0182], where “notable events can be stored in a dedicated “notable events index,” which can be subsequently accessed” is analogous to storing the true positive alert and determining the action required by the information repository).

	Regarding claim 12, Shahbaz teaches A method performed by a system comprising a hardware processor (Shahbaz, Paragraph [0080]), the method comprising:
	maintaining an information repository comprising information of past processes that have been performed to respond to respective past alerts in a computing arrangement (Shahbaz, Paragraph [0225], see “the KPI values derived over time may be stored to build a valuable repository of current and historical performance information of the service”), the information of the past processes comprising information of remediation actions taken in response to the respective past alerts (Shahbaz, Paragraph [0274], see “display additional information about past event data which triggered the same modular alert, display more detailed information about each of the individual events which triggered the modular alert, or any other information related to the modular alert”);
	receiving an alert relating to an issue in a computing arrangement (Shahbaz, FIG. 27 and Paragraph [0116]);
	determining that the received alert is similar to a given alert of the past alerts (Shahbaz, Paragraph [0225], where “stored to build a valuable repository of current and historical performance information for the service” is being read as an information repository containing information of past processes performed), the determining comprising:
		comparing, using a distance function, a string representing tasks performed to respond to the received alert to strings representing tasks performed to respond to the past alerts (Shahbaz, Paragraph [0115], see “At block 306, an indexer receives data blocks from a forwarder and parses the data to organize the data into events. In an embodiment, to organize the data into events, an indexer may determine a source type associated with each data block…and refer to a source type configuration corresponding to the identified source type. The source type definition may include one or more properties that indicate to the indexer to automatically determine the boundaries of events within the data…event boundaries may be indicated by predefined characters or character strings”, Paragraph [0116], see “At block 308, the indexer determines a timestamp for each event…an indexer may again refer to a source type definition associated with the data to locate one or more properties that indicate instructions for determining a timestamp for each event. The properties may, for example, instruct an indexer to extract a time value from a portion of data in the event, to interpolate time values based on timestamps associated with temporally proximate events, to create a timestamp based on a time the event data was received or generated, to use the timestamp of a previous event, or use any other rules for determining timestamps”, where properties are compared between the received alert and the associated past processes, and Paragraph [0123], see “Each indexer 206 may be responsible for storing and searching a subset of the events contained in a corresponding data store 208…By storing events in buckets for specific time ranges, an indexer may further optimize data retrieval process by searching buckets corresponding to time ranges that are relevant to a query”, where events are stored in a bucket for receiving data relevant to a query (past processes) using the corresponding time ranges (distance function)),
			
			performing the remediation action (Shahbaz, Paragraph [0225] and [0235], where “specify actions to be performed” is being read as comprising an action and where “in response to the detection of one or more defined triggering conditions based on a query” is being read as triggering performance of a remediation action, due to the query reflecting back on the processing with respect to the information repository).
	Shahbaz does not teach the following limitation(s) as taught by Ylonen: the distance function to calculate edit distances based on respective numbers of edits to be performed on the string representing the tasks performed to respond to the received alert to arrive at the strings representing the tasks performed to respond to the alerts associated with the past processes.
	(Ylonen, Paragraph [0128], see “The actions can comprise at least one of insertion, deletion and/or modification of authenticator information…The smallest set can be computed using an edit distance algorithm or Levenshtein distance algorithm using an identification of the key pairs of the authorized keys as the symbols for the strings compared by the algorithm”, where the Levenshtein distance is a string metric for measuring the difference between two sequences: the Levenshtein distance between two strings is the minimum number of single-symbol edits (insertions, deletions or substitutions) required to change one string into the other).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of configuring modular alert actions and reporting action performance information disclosed by Shahbaz by implementing the techniques for processing changes to authorized keys disclosed by Ylonen, which comprise calculating edit distances based on the respective numbers of edits to be performed on two compared strings.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for responding to alerts that calculate edit distances based on the respective numbers of edits to be performed on two compared strings, wherein the first string pertains to the received alert and the second string pertains to a past process that is similar to the received alert. Calculating the edit distance between the two strings in order to compare a received alert to a past process for a similar alert allows for a more precise comparison of the received alert to past processes, because the number of edits required to transform one string into the other is determined, which ultimately allows the system to process the information more accurately through the distance algorithm and quickly determine a remediation action to resolve the issue (Ylonen, Paragraph [0128]).
Shahbaz as modified by Ylonen does not teach the following limitation(s) as taught by Gannavarapu: in response to determining the received alert is similar to the given alert, determine a remediation action for the issue, wherein the remediation action comprises an action identified by the information in the information repository as having been performed in response to the given alert.
	(Gannavarapu, Paragraph [0021], see “case database 123 stores information regarding how previous or closed cases were addressed such as the work flow history or a case flow history that includes the events, task, and steps, taken to resolve the case. The information on work flow history or patterns of applied steps, tasks, or events stored in case database 123 may be retrieved by case program 122 to determine relevant closed cases similar to the WIP case (e.g., to provide possible direction or steps to the user for proceeding with the WIP case)”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of configuring modular alert actions and reporting action performance information disclosed by Shahbaz, and the techniques disclosed by Ylonen, by implementing the techniques for dynamically determining relevant cases disclosed by Gannavarapu, which comprise, in response to determining that the received alert is similar to the given alert, determining a remediation action for the issue, wherein the remediation action comprises an action identified by the information in the information repository as having been performed in response to the given alert.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for responding to alerts that, in response to determining that the received alert is similar to the given alert, determine a remediation action for the issue, wherein the remediation action comprises an action identified by the information in the information repository as having been performed in response to the given alert. This allows for better security management and more effective responses to alerts, because the system saves time by determining that a received alert is similar to a given alert and using the information in the repository to apply a remediation action to the similar alert (Gannavarapu, Paragraph [0021]).

	Regarding claim 14, Shahbaz teaches A system comprising:
	a processor; and
	a non-transitory storage medium storing instructions executable on the processor to (Shahbaz, FIG. 27, Paragraph [0080] and Paragraph [0334]):
		receive an alert relating to an issue in a computing arrangement (Shahbaz, FIG. 27 and Paragraph [0116], where “the event data was received or generated” is being read as receiving an alert to an issue);
		determine that the received alert is similar to a given alert in an information repository containing information of past processes performed in response to alerts associated with the past processes (Shahbaz, Paragraph [0225], where “stored to build a valuable repository of current and historical performance information for the service” is being read as an information repository containing information of past processes performed), the determining comprising comparing properties associated with the received alert to properties of the alerts associated with the past processes (Shahbaz, Paragraph [0115], see “the source type definition may include one or more properties that indicate to the indexer to automatically determine the boundaries of events within the data”), and the information contained in the information repository comprising information of actions taken in the past processes (Shahbaz, Paragraph [0225], see “stored to build a valuable repository of current and historical performance information for the service”), wherein the comparing comprises:
			comparing, using a distance function, a string representing tasks performed to respond to the received alert to strings representing tasks performed to respond to the alerts associated with the past processes (Shahbaz, Paragraph [0115], see “At block 306, an indexer receives data blocks from a forwarder and parses the data to organize the data into events. In an embodiment, to organize the data into events, an indexer may determine a source type associated with each data block…and refer to a source type configuration corresponding to the identified source type. The source type definition may include one or more properties that indicate to the indexer to automatically determine the boundaries of events within the data…event boundaries may be indicated by predefined characters or character strings”, Paragraph [0116], see “At block 308, the indexer determines a timestamp for each event…an indexer may again refer to a source type definition associated with the data to locate one or more properties that indicate instructions for determining a timestamp for each event. The properties may, for example, instruct an indexer to extract a time value from a portion of data in the event, to interpolate time values based on timestamps associated with temporally proximate events, to create a timestamp based on a time the event data was received or generated, to use the timestamp of a previous event, or use any other rules for determining timestamps”, where properties are compared between the received alert and the associated past processes, and Paragraph [0123], see “Each indexer 206 may be responsible for storing and searching a subset of the events contained in a corresponding data store 208…By storing events in buckets for specific time ranges, an indexer may further optimize data retrieval process by searching buckets corresponding to time ranges that are relevant to a query”, where events are stored in a bucket for receiving data relevant to a query (past processes) using the corresponding time ranges (distance function)),
		
		trigger performance of the remediation action (Shahbaz, Paragraphs [0225] and [0235], where “specify actions to be performed” is read as comprising an action, and where “in response to the detection of one or more defined triggering conditions based on a query” is read as triggering performance of a remediation action, because the query reflects back on the processing with respect to the information repository).
	Shahbaz does not teach the following limitation(s) as taught by Ylonen: the distance function to calculate edit distances based on respective numbers of edits to be performed on the string representing the tasks performed to respond to the received alert to arrive at the strings representing the tasks performed to respond to the alerts associated with the past processes.
	(Ylonen, Paragraph [0128], see “The actions can comprise at least one of insertion, deletion and/or modification of authenticator information…The smallest set can be computed using an edit distance algorithm or Levenshtein distance algorithm using an identification of the key pairs of the authorized keys as the symbols for the strings compared by the algorithm”, where the “Levenshtein distance algorithm” is a string metric for measuring the difference between two sequences: the Levenshtein distance between two words is the minimum number of single-character edits (insertions, deletions or substitutions) required to change one word into the other). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of configuring modular alert actions and reporting action performance information disclosed by Shahbaz by implementing the techniques for processing changes to authorized keys disclosed by Ylonen, which calculate edit distances based on the respective number of edits to be performed on two compared strings. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for responding to alerts that calculate edit distances based on the respective number of edits to be performed on two compared strings, wherein the first string pertains to the received alert and the second string pertains to past processes similar to the received alert. Calculating the edit distance between the two strings in order to compare a received alert to a past process for a similar alert allows a more precise comparison, because the number of edits required to transform one string into the other quantifies how closely the two responses correspond; this allows the system to process the information more accurately through the distance algorithm and to determine a remediation action to resolve the issue more quickly (Ylonen, Paragraph [0128]). 
Shahbaz as modified by Ylonen does not teach the following limitation(s) as taught by Gannavarapu: in response to determining the received alert is similar to the given alert, determine a remediation action for the issue, wherein the remediation action comprises an action identified by the information in the information repository as having been performed in response to the given alert.
	(Gannavarapu, Paragraph [0021], see “case database 123 stores information regarding how previous or closed cases were addressed such as the work flow history or a case flow history that includes the events, task, and steps, taken to resolve the case. The information on work flow history or patterns of applied steps, tasks, or events stored in case database 123 may be retrieved by case program 122 to determine relevant closed cases similar to the WIP case (e.g., to provide possible direction or steps to the user for proceeding with the WIP case)”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of configuring modular alert actions and reporting action performance information disclosed by Shahbaz and the techniques disclosed by Ylonen by implementing the techniques for dynamically determining relevant cases disclosed by Gannavarapu, which, in response to determining that the received alert is similar to the given alert, determine a remediation action for the issue, wherein the remediation action comprises an action identified by the information in the information repository as having been performed in response to the given alert. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for responding to alerts that, in response to determining that the received alert is similar to the given alert, determine a remediation action for the issue, wherein the remediation action comprises an action identified by the information in the information repository as having been performed in response to the given alert. This allows for better security management and more effective responses to alerts, because the system saves time by determining that a received alert is similar to a given alert and using the information in the repository to apply a remediation action to the similar alert (Gannavarapu, Paragraph [0021]). 

	Regarding claim 15, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches the system of claim 14, wherein the properties associated with the received alert that are compared to the properties associated with the alerts associated with the past processes further comprise a property selected from among a type of the received alert or underlying events giving rise to the received alert (Shahbaz, Paragraph [0115], see “The source type definition may include one or more properties that indicate to the indexer to automatically determine the boundaries of events within the data…If a source type for the data is unknown to the indexer, an indexer may infer a source type for the data by examining the structure of the data”, which is read as identifying a property selected from among a type of the received alert (the structure of the data); and Paragraph [0286], see “displays various types of information about a particular security threat…for example, an indication of the underlying event data, and information about the performance of actions associated”, which is read as the underlying events giving rise to the received alert, by indicating the underlying event data and information about the performance of the associated actions).

	Regarding claim 16, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches the non-transitory machine-readable storage medium of claim 8, wherein determining that the received alert is similar to the given alert further comprises:
	comparing a program of a source that generated the received alert to programs of sources that generated the alerts associated with the past processes (Shahbaz, see the rejection of claim 3).

	Regarding claim 18, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches the non-transitory machine-readable storage medium of claim 8, wherein determining that the received alert is similar to the given alert further comprises:
	comparing a domain name of a source that generated the received alert to domain names of sources that generated the alerts associated with the past processes (Shahbaz, Paragraph [0181], see “The SPLUNK.RTM. APP FOR ENTERPRISE SECURITY can process many types of security-related information. In general, this security-related information can include any information that can be used to identify security threats. For example, the security-related information can include network-related information, such as IP addresses, domain names, asset identifiers, network traffic volumes…and source addresses”; Shahbaz, Paragraph [0265], see “information associated with the performance of either synchronous or asynchronous actions may be associated with the modular alert causing performance of the actions based on one or more common identifiers”, where “common identifiers” is read as comparing the domain name of the source that generated the received alert to the domain names of the sources that generated the alerts associated with the past processes in order to determine an action that should be taken).  

	Regarding claim 19, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches the method of claim 12, wherein determining that the received alert is similar to the given alert comprises comparing a domain name of a source that generated the received alert to domain names of sources that generated the past alerts (Shahbaz, Paragraph [0181], see “The SPLUNK.RTM. APP FOR ENTERPRISE SECURITY can process many types of security-related information. In general, this security-related information can include any information that can be used to identify security threats. For example, the security-related information can include network-related information, such as IP addresses, domain names, asset identifiers, network traffic volumes…and source addresses”; Shahbaz, Paragraph [0265], see “information associated with the performance of either synchronous or asynchronous actions may be associated with the modular alert causing performance of the actions based on one or more common identifiers”, where “common identifiers” is read as comparing the domain name of the source that generated the received alert to the domain names of the sources that generated the past alerts in order to determine an action that should be taken).  

	Regarding claim 22, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches the system of claim 14, wherein the comparing of the properties associated with the received alert to the properties of the alerts associated with the past processes comprises comparing a network address of a source that generated the received alert and network addresses of sources that generated the past alerts (Shahbaz, Paragraph [0281], where “modular alert may include a search which returns information indicating a network address from which a network-based attack appears to originate” is read as comparing the network addresses of the sources that generated the received alert and the past alerts in order to determine the origin of the attack).

	Regarding claim 24, Shahbaz as modified by Ylonen and further modified by Gannavarapu teaches the system of claim 14, wherein the comparing of the properties associated with the received alert to the properties of the alerts associated with the past processes comprises comparing a domain name of a source that generated the received alert to domain names of sources that generated the past alerts (Shahbaz, Paragraph [0181], see “The SPLUNK.RTM. APP FOR ENTERPRISE SECURITY can process many types of security-related information. In general, this security-related information can include any information that can be used to identify security threats. For example, the security-related information can include network-related information, such as IP addresses, domain names, asset identifiers, network traffic volumes…and source addresses”; Shahbaz, Paragraph [0265], see “information associated with the performance of either synchronous or asynchronous actions may be associated with the modular alert causing performance of the actions based on one or more common identifiers”, where “common identifiers” is read as comparing the domain name of the source that generated the received alert to the domain names of the sources that generated the past alerts in order to determine an action that should be taken).  


Claims 11 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Shahbaz, in view of Ylonen, in further view of Gannavarapu, in further view of Coffman (U.S. PGPub. 2007/0209074).

	Regarding claim 11, Shahbaz as modified by Ylonen and further modified by Gannavarapu does not teach the following limitation(s) as taught by Coffman: the non-transitory machine-readable storage medium of claim 8, wherein the remediation action comprises:
	determining that the received alert is a false positive alert, and
	providing information to prevent generation of a future alert in response to an event that triggered that received alert.
	(Coffman, Paragraph [0020], see “improve the detection of real threats while decreasing false alarms”, which is analogous to determining whether the alert is a false positive alert; Coffman, Paragraph [0054], see “the eGMIDS, on the other hand, uses the topology of its graph representation in order to develop an understanding of context that greatly reduces the incidence of false alarms”, which is analogous to providing information to prevent generation of a future alert in response to an event similar to the one that triggered the received alert).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of configuring modular alert actions and reporting action performance information disclosed by Shahbaz, the techniques disclosed by Ylonen, and the techniques disclosed by Gannavarapu by adding the method disclosed by Coffman of determining whether the received alert is a false positive alert and taking appropriate actions to avoid similar false alarms in the future.
One of ordinary skill in the art would have been motivated to make this modification in order to detect events that are false alarms and to process that information so as to avoid similar false alarms in the future (Coffman, Paragraph [0054]).

	Regarding claim 13, Shahbaz as modified by Ylonen and further modified by Gannavarapu does not teach the following limitation(s) as taught by Coffman: the method of claim 12, further comprising:
	determining whether the received alert is a true positive alert or a false positive alert;
	in response to determining that the received alert is a false positive alert, performing the remediation action by providing information to prevent generation of a future alert in response to an event that triggered the received alert.
	(Coffman, Paragraph [0020], see “improve the detection of real threats while decreasing false alarms”, which is analogous to determining whether the alert is a true positive or a false positive alert; Coffman, Paragraph [0054], see “the eGMIDS, on the other hand, uses the topology of its graph representation in order to develop an understanding of context that greatly reduces the incidence of false alarms”, which is analogous to providing information to prevent generation of a future alert in response to an event similar to the one that triggered the received alert).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of configuring modular alert actions and reporting action performance information disclosed by Shahbaz, the techniques disclosed by Ylonen, and the techniques disclosed by Gannavarapu by adding the method disclosed by Coffman of determining whether the received alert is a false positive alert and taking appropriate actions to avoid similar false alarms in the future.
One of ordinary skill in the art would have been motivated to make this modification in order to detect events that are false alarms and to process that information so as to avoid similar false alarms in the future (Coffman, Paragraph [0054]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Shahbaz, in view of Ylonen, in further view of Gannavarapu, in further view of Block et al. (U.S. PGPub. 2016/0034361), hereinafter Block.

	Regarding claim 17, Shahbaz as modified by Ylonen and further modified by Gannavarapu does not teach the following limitation(s) as taught by Block: the non-transitory machine-readable storage medium of claim 16, wherein the program of the source that generated the received alert comprises an operating system, and the programs of the sources that generated the alerts associated with the past processes comprise operating systems, and wherein the comparing of the program of the source that generated the received alert to the programs of the sources that generated the alerts associated with the past processes comprises comparing the operating system of the source that generated the received alert to the operating systems of the sources that generated the alerts associated with the past processes. 
	(Block, Paragraph [0013], see “Rules including conditions may be stored to correlate the events. The distributed event correlation system can apply the rules to the events to detect certain types of activities and perform certain functions in response to detecting the activities”, where “correlate the events” is analogous to comparing the events on the basis of their operating system logs; Block, Paragraph [0029], see “Other examples of data sources 201 may include security detection and proxy systems, access and policy controls, core service logs and log consolidators, network hardware…Examples of core service logs and log consolidators include operating system logs, database audit logs, application logs…”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of configuring modular alert actions and reporting action performance information disclosed by Shahbaz, the techniques disclosed by Ylonen, and the techniques disclosed by Gannavarapu by implementing the distributed event correlation system disclosed by Block, in which the program of the source that generated the received alert, as well as the program of the source associated with the past processes, comprises an operating system or an application.
One of ordinary skill in the art would have been motivated to make this modification in order to implement a system and method for responding to alerts in which the program of the source that generated the received alert, as well as the program of the source associated with the past processes, comprises an operating system or an application. Determining the program of the source for the received alert and for the past alerts, where that program is an operating system or an application, allows the system to compare operating system logs and/or application logs between the received alert and the past alerts in order to determine a relationship between the two, so that a received event can be processed and remediated more quickly (Block, Paragraph [0029]). 


Claim 23 is rejected under 35 U.S.C. 103 as being unpatentable over Shahbaz, in view of Ylonen, in further view of Gannavarapu, in further view of Dumas et al. (U.S. PGPub. 2011/0296419), hereinafter Dumas.

	Regarding claim 23, Shahbaz as modified by Ylonen and further modified by Gannavarapu does not teach the following limitation(s) as taught by Dumas: the non-transitory machine-readable storage medium of claim 8, wherein the tasks performed to respond to the received alert comprise a partial sequence of tasks performed so far to respond to the received alert.
	(Dumas, Paragraph [0006], see “A plurality of event-based applications within an event-based execution environment is associated with the instance of the process model, at least one of the event-based applications being associated with at least one of the tasks. The instance of the process model is executed by detecting and producing events at a sequence of the event-based applications, the events including a task-enabling event that triggers the at least one of the event-based applications to perform the at least one task in association with at least one external application”; Dumas, Paragraph [0008], see “executing the instance of the process model by detecting and producing events at a sequence of the event-based applications may include waiting for a completion object at a router object, the completion object signifying a completion of one of the tasks by a first connector object, and outputting the task-enabling event from the router to activate the at least one of the event-based applications…”, where “waiting for a completion object at a router object” is analogous to a partial sequence of tasks performed so far to respond to the received alert, because the router holds the tasks completed so far before the next task is enabled). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of configuring modular alert actions and reporting action performance information disclosed by Shahbaz, the techniques disclosed by Ylonen, and the techniques disclosed by Gannavarapu by implementing the event-based coordination of process-oriented composite applications disclosed by Dumas, which tracks a partial sequence of tasks performed so far to respond to the received alert. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement a system and method for responding to alerts that tracks the partial sequence of tasks performed so far to respond to the received alert. This allows better organization and management of the alert response system by keeping track of the tasks performed so far (Dumas, Paragraphs [0006] and [0008]). 
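As an added worked example of the edit-distance comparison relied upon in the rejection over Ylonen above, and of the partial-sequence matching relied upon in the rejection of claim 23, the following Python code is illustrative only; it is not code from the office action, from the application under examination, or from any cited reference (Shahbaz, Ylonen, Gannavarapu, Dumas). The alerts, properties, task sequences and remediation actions in PAST_PROCESSES are constructed sample data, and the exact-match property filter, the distance threshold max_distance, and the prefix-matching rule for an in-progress response are assumptions chosen for the illustration, not features the references are asserted to disclose.

```python
"""Added illustrative example: Levenshtein (edit) distance between task
sequences used to find a similar past process and reuse its remediation
action. Not code from the office action or any cited reference; all data
below is constructed."""
from typing import Any, Dict, List, Optional, Sequence, Tuple

Task = str  # one symbol per task, so one edit == one task inserted, removed or swapped


def edit_distance_row(a: Sequence[Task], b: Sequence[Task]) -> List[int]:
    """Last row of the Levenshtein table: entry j is the minimum number of
    single-task insertions, deletions or substitutions turning a into b[:j]."""
    prev = list(range(len(b) + 1))               # empty a -> b[:j] takes j insertions
    for i, ta in enumerate(a, start=1):
        cur = [i]                                 # a[:i] -> empty b takes i deletions
        for j, tb in enumerate(b, start=1):
            cost = 0 if ta == tb else 1
            cur.append(min(prev[j] + 1,           # delete ta
                           cur[j - 1] + 1,        # insert tb
                           prev[j - 1] + cost))   # substitute ta -> tb (free if equal)
        prev = cur
    return prev


def edit_distance(a: Sequence[Task], b: Sequence[Task]) -> int:
    """Levenshtein distance between two complete task sequences (or two strings)."""
    return edit_distance_row(a, b)[-1]


def best_prefix_distance(partial: Sequence[Task], full: Sequence[Task]) -> Tuple[int, int]:
    """Distance from the tasks performed so far to the closest prefix of a past
    sequence, plus that prefix's length (assumed rule; ties go to the shortest prefix)."""
    row = edit_distance_row(partial, full)
    j = min(range(len(row)), key=row.__getitem__)
    return row[j], j


# Constructed information repository: past processes with their alert properties,
# the tasks performed in response, and the action that resolved the issue.
PAST_PROCESSES: List[Dict[str, Any]] = [
    {"alert": "malware_on_endpoint",
     "properties": {"type": "endpoint", "source_program": "edr_agent"},
     "tasks": ["isolate_host", "collect_image", "reimage_host", "close_ticket"],
     "remediation": "reimage_host"},
    {"alert": "phishing_credential_theft",
     "properties": {"type": "email", "source_program": "mail_gateway"},
     "tasks": ["reset_password", "revoke_sessions", "block_sender", "close_ticket"],
     "remediation": "reset_password"},
    {"alert": "brute_force_ssh",
     "properties": {"type": "network", "source_program": "sshd"},
     "tasks": ["block_source_ip", "rotate_keys", "close_ticket"],
     "remediation": "block_source_ip"},
]


def find_similar_past_process(received: Dict[str, Any],
                              past: List[Dict[str, Any]] = PAST_PROCESSES,
                              max_distance: int = 2,
                              partial: bool = False) -> Optional[Dict[str, Any]]:
    """Compare the received alert's properties and task sequence with each past
    process; return the nearest one and its remediation action if it is within
    max_distance edits, else None. With partial=True the received tasks are the
    sequence performed so far and are matched against prefixes of past sequences."""
    best: Optional[Tuple[int, int, Dict[str, Any]]] = None
    for proc in past:
        # Property comparison (assumed rule): every property carried by the
        # received alert must match the past alert's property exactly.
        if any(proc["properties"].get(k) != v
               for k, v in received.get("properties", {}).items()):
            continue
        if partial:
            dist, used = best_prefix_distance(received["tasks"], proc["tasks"])
        else:
            dist, used = edit_distance(received["tasks"], proc["tasks"]), len(proc["tasks"])
        if best is None or dist < best[0]:
            best = (dist, used, proc)
    if best is None or best[0] > max_distance:
        return None
    dist, used, proc = best
    return {"alert": proc["alert"], "distance": dist, "remediation": proc["remediation"],
            # For a partial match, the task the past process performed next.
            "next_task": proc["tasks"][used] if used < len(proc["tasks"]) else None}


if __name__ == "__main__":
    received = {"properties": {"type": "endpoint"},
                "tasks": ["isolate_host", "collect_image", "close_ticket"]}
    print(find_similar_past_process(received))
    in_progress = {"properties": {}, "tasks": ["isolate_host", "collect_image"]}
    print(find_similar_past_process(in_progress, partial=True))
```

The distance is computed over task symbols rather than characters, so one edit corresponds to one task, which is the reading of Ylonen's "symbols for the strings" that the rejection relies on. With partial=True the received sequence is compared against every prefix of each past sequence, so a response that is still in progress can be matched and the past process's next task surfaced as the suggested direction.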


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODMAN ALEXANDER MAHMOUDI whose telephone number is (571)272-8747.  The examiner can normally be reached on M-F 11:00am – 7:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RODMAN ALEXANDER MAHMOUDI/Examiner, Art Unit 2433                                                      

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433