DETAILED ACTION
This Notice of Allowability is in response to the interview on 4/1/2021. Claims 1-5, 7-15 and 17-20 are pending, of which claims 1 and 11 are independent claims.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
This application claims priority to and the benefit of under 35 USC 119 of U.S. provisional patent application titled "A cyber threat defense system with various improvements," filed February 20, 2018, serial number 62/632,623.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/10/2019 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The phrase “appliance extension” in claims 1-10 is software stored in memory as recited in claim 1. Thus, it does not invoke 112(f).

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Thomas S. Ferrill (Reg. No. 42532) on 04/01/2021.
The application has been amended as follows:
Please amend the claims as follows:
1.  (Currently Amended)  An apparatus, comprising:
	an appliance extension configured to perform functions with i) a monitoring module configured to monitor metrics and receive alerts regarding potential cyber threats on a system that includes 1) an email system, 2) a network, 3) a Software as a Service (SaaS) environment, 4) a cloud system, and 5) any combination of the email system, the network, the SaaS environment, and the cloud system, ii) an investigative module configured to retrieve and display metrics on a user interface to support investigations on potential cyber threats, as well as iii) a remote response module configured to observe and send one or more control signals to an autonomous response module to take actions to counter one or more detected cyber threats, remotely from this appliance extension, where the appliance extension has the user interface to be displayed on a display screen, and instructions associated with one or more of the modules, which at least includes the autonomous response module, the investigative module, the remote response module, and the monitoring module, to be stored in one or more memories and to be executed by one or more processors, where the appliance extension is a mobile application installed on a smart mobile device that needs to be registered, where the appliance extension is designed and constructed to be a secure extension of a second user interface of a cyber security appliance installed in the system with a limited set of functions including the monitoring, the investigating, and the taking actions to counter the detected cyber threat, all of which an operator can securely take from the mobile application running on the smart mobile device; rather than, needing to log into the cyber security appliance and investigate potential cyber threats at a location where the cyber security appliance is installed in the system, where the registered mobile application on the smart device and the cyber security appliance is configured to communicate securely via a backend server, via at least 1) using a secure protocol as well as 2) requiring a need to authenticate communications with a unique and verifiable signature, not a public Internet Protocol (IP) address, from i) an instance of the registered mobile application, ii) the cyber security appliance installed in the system, or iii) unique signatures of both the cyber security appliance and the instance of the registered mobile application.

2.  (Currently Amended)  The apparatus of claim 1, further comprising:
	
the instance of the appliance extension as well as configured that when the administrator revokes the particular user’s permission to use the appliance extension, then a communication is sent to the appliance extension to cause deletions of data and instructions for the appliance extension to occur. 

3.  (Currently Amended)  The apparatus of claim 1, wherein a[[the]] remote response module on the appliance extension is configured to i) approve and initiate suggested actions to counter a detected cyber threat by [[an]]the autonomous response module in the cyber security appliance as well as ii) have a first button on the user interface to confirm that the cybersecurity appliance itself can take autonomous actions to counter the detected cyber threat in accordance with recommendations made by the autonomous response module in the cyber security appliance.  

4.  (Original)  The apparatus of claim 1, wherein the investigative module is further configured to investigate breaches by having a button to view additional contextual information from the cyber security appliance as well as being able to add comments into one or more existing records stored on the cyber security appliance.  

5.  (Currently Amended)  The apparatus of claim 4, wherein the investigative module is further i) configured to support flagging one or more of the breaches, flagging one or more of the alerts, and any combination of flagging both, as well as ii) configured to support collaborative features including the ability to 1) add [[the]]a comment on one or  with an option to put the comment on a window associated with that breach, where records containing breach information are formatted to be exportable with the one or more comments and whom on the team has been assigned to follow up on the breach. 

6.  (Canceled)    

7.  (Original)  The apparatus of claim 1, where the monitoring module is further configured to receive data payload in communications securely transmitted from the cyber security appliance, via using a security protocol as well as encrypting data payload itself being transmitted between the appliance extension and the cyber security appliance installed in the system, where the appliance extension has one or more cypher algorithms to decipher the encrypted data payload.

8.  (Currently Amended)  The apparatus of claim 7, where the investigative module is further configured such that contextual information is provided and then an operator [[may]]can acknowledge, comment upon, perform an initial investigation, and assign specific detected cyber threats to a security team member without needing to be present onsite with the cyber security appliance installed in the system.

9.  (Currently Amended)  The apparatus of claim 1, where the investigative module is further configured to retrieve and display historic contextual data for investigation can be happening as well as an ability to retrieve additional data associated with a particular device and/or a particular model that has been breached from data stored on the cyber security appliance protecting that system.  

10.  (Currently Amended)  The apparatus of claim 1, the instance of the registered mobile application is required to be registered with [[a]]the backend server that is configured to communicate with the cyber security appliance, and authenticate its user; and in addition, the instance of the registered mobile application is configured to cooperate with a camera of the smart mobile device to scan a Quick Response (QR) code generated from within the second user interface for the cyber security appliance, which will also be utilized to verify whether this instance of the registered mobile application is allowed to communicate with the cyber security appliance installed in the system.  

11.  (Currently Amended)  A method for an appliance extension for a cyber security appliance, comprising:
Software as a Service (SaaS) environment, 4) a cloud system, and 5) any combination of the email system, the network, the SaaS environment, and the cloud system, ii) an investigative module configured to retrieve and display metrics on a user interface to support investigations on potential cyber threats, as well as iii) a remote response module configured to observe and send one or more control signals to an autonomous response module to take actions to counter one or more detected cyber threats, remotely from this appliance extension; 
	configuring the user interface to be displayed on a display screen; and 
	configuring instructions associated with one or more of the modules, which at least includes the autonomous response module, the investigative module, the remote response module, and the monitoring module, to be stored in one or more memories and to be executed by one or more processors, where the appliance extension is a mobile application installed on a smart mobile device that needs to be registered;
configuring the appliance extension to be a secure extension of a second user interface of the cyber security appliance installed in the system with a limited set of functions including the monitoring, the investigating, and the taking actions to counter the detected cyber threat, all of which an operator can securely take from the mobile application running on the smart mobile device; rather than, needing to log into the cyber security appliance and investigate potential cyber threats at a location where the cyber security appliance is installed in the system; 
configuring the registered mobile application on the smart device and the cyber security appliance to communicate securely via a backend server, via at least 1) using a secure protocol as well as 2) requiring a need to authenticate communications with a unique and verifiable signature, not a public Internet Protocol (IP) address, from i) an instance of the registered mobile application, ii) the cyber security appliance installed in the system, or iii) unique signatures of both the cyber security appliance and the instance of the registered mobile application.

12.  (Currently Amended)  The method of claim 11, further comprising:
	
	configuring a permissions module to allow an administrator to authorize a particular user that can download and register [[an]]the instance of the appliance extension; as well as 
	configuring when the administrator revokes the particular user’s permission to use the appliance extension, then a communication is sent to the appliance extension to cause deletions of data and instructions for the appliance extension to occur. 

13.  (Currently Amended)  The method of claim 11, further comprising:
	configuring [[the]]a remote response module on the appliance extension to i) approve and initiate suggested actions to counter a detected cyber threat by [[an]]the autonomous response module in the cyber security appliance as well as ii) have a first 

14.  (Original)  The method of claim 11, further comprising:
	configuring the investigative module to investigate breaches by having a button to view additional contextual information from the cyber security appliance as well as being able to add comments into one or more existing records stored on the cyber security appliance.  

15.  (Currently Amended)  The method of claim 14, further comprising:
	configuring the investigative module i) to support flagging one or more of the breaches, flagging one or more of the alerts, and any combination of flagging both, as well as ii) to support collaborative features including the ability to 1) add [[the]]a comment on one or more of the breaches as well as 2) assign one or more breaches to a particular team member with an option to put the comment on a window associated with that breach, where records containing breach information are formatted to be exportable with the one or more comments and whom on the team has been assigned to follow up on the breach. 

16.  (Canceled)  

17.  (Original)  The method of claim 11, further comprising:


18.  (Currently Amended)  The method of claim 11, further comprising:
	configuring the investigative module to retrieve and display historic contextual data for investigation purposes, where the user interface is configured to populate alerts and breaches from the cyber security appliance protecting the system that are contextualized with historic data including a chain of historically recent devices and models that have been breached to give an operator insight and context into what cyber threat [[may]]can be happening as well as an ability to retrieve additional data associated with a device and/or a model that has been breached from data stored on the cyber security appliance protecting that system.  

19.  (Currently Amended)  The method of claim 11, 
	the instance of the registered mobile application is required to be registered with [[a]]the backend server that is configured to communicate with the cyber security appliance, and authenticate its user; and in addition, the instance of the registered mobile application is Quick Response (QR) generated from within the second user interface for the cyber security appliance, which will also be utilized to verify whether this instance of the registered mobile application is allowed to communicate with the cyber security appliance installed in the system.  

20.  (Original)  A non-transitory computer readable medium comprising computer readable code operable, when executed by one or more processing apparatuses in the computer system to instruct a computing device to perform the method of claim 11.

Allowable Subject Matter
Claims 1-5, 7-15 and 17-20 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The closest prior art references of record are Pratt et al. (US 10,673,880), Kirti et al. (US 2015/0319185) and Scheidler et al. (US 2018/0167402).
Pratt et al. teaches techniques for processing anomalies detected using user-specified rules with anomalies detected using machine-learning based behavioral analysis models to identify threat indicators and security threats to a computer network. 
Kirti et al. teaches a method for detecting threat activity in a cloud application using past activity data from cloud applications.
Scheidler et al. teaches a method for determining computer system security threats, the computer system including user accounts established on the computer system.

The other independent claim recites features similar to those recited in independent claim 1, and is therefore allowable for reasons similar to those given above. Dependent claims are allowed by virtue of their dependencies.
None of the prior art of record either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHANG DO whose telephone number is (571)270-7837.  The examiner can normally be reached on Monday-Friday 8:00 - 5:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 






/KHANG DO/Primary Examiner, Art Unit 2492