DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10 May 2021 has been entered.
Claims 1-28 are pending.
This Action is Non-Final.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-25 are rejected under 35 U.S.C. 103 as being unpatentable over Reybok, JR. et al. (US 20170171231) (herein after “Reybok”) in view of Amsler (US 20140201836) and further in view of Manadhata et al. (US 20180268304).

for at least one threat indicator in the set, initiating a query programmatically to each of a set of one or more security knowledge bases, wherein the query to at least one of the security knowledge bases is scoped by information in the data set (see paragraphs [0052]-[0053] initiating queries to the groups and/or databases; see also paragraphs [0045] and [0063]-[0067]); 
receiving responses to the queries programmatically, wherein a response provides an indication that the threat indicator identified in the query has been seen in data sources comprising the security knowledge base; adjusting the initial severity indicia based on the indications returned from querying the security knowledge bases to compute and output a score (see paragraphs [0052]-[0055] and [0098] where the responses to the queries are used to update threat and velocity scores); and 
taking an action based on the score (see paragraphs [0052]-[0054] and [0061]).
While the Reybok system generally updates scores and performs actions based on the updated scores, it fails to explicitly disclose the scores are priorities.
However, Amsler teaches assigning a priority based on a severity score (see, for example, paragraphs [0034] and [0039]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include priorities in the Reybok system.
Motivation to do so would have been to distinguish between situations that are truly dangerous, those that are suspicious, and those that are low-priority problems (see Amsler paragraph [0039]).

However, Manadhata et al. teaches associating a relative weighting to each security knowledge base in a set of security knowledge bases and adjusting the initial severity indicia based on the relative weighting and the indications returned from querying the security knowledge bases to compute and output a priority (see paragraphs [0035]-[0041] where the validation metrics, i.e. output priority, are calculated and adjusted based on “different weights may be assigned to threat intelligence information collected from different sources depending on the source's reliability over time”).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include weights for the different knowledge bases in the modified Reybok and Amsler system.
Motivation to do so would have been to adjust the scores depending on the source’s reliability (see Manadhata et al. paragraph [0041]).
As per claims 2, 10, and 18, the modified Reybok, Amsler, and Manadhata et al. system discloses the action is one of: adjusting an investigative workflow, issuing a notification or alert, updating a security analysis visualization, and providing a command to execute an external computing action (see Reybok paragraphs [0054] and [0061], “pertinent client networks can be notified”).
As per claims 3, 11, and 19, the modified Reybok, Amsler, and Manadhata et al. system discloses the set of characteristics are one of: one or more industries associated with the enterprise, and one or more geographic areas associated with activities of the enterprise (see paragraph [0053]).
As per claims 4, 12, and 20, the modified Reybok, Amsler, and Manadhata et al. system discloses the security knowledge bases comprise one of: a managed security service that collects, aggregates and 
As per claims 5, 13, and 21, Reybok (alone or in combination with Manadhata et al.) discloses the use of various pieces of information regarding cyber threat assessments, but fails to explicitly disclose that the cyber threat assessment is an advisory having a text description of a cyber-attack, a threat indicator in the advisory is an Indicator of Compromise (IOC), and the initial severity indicia provided in the advisory is specified as a result of a security analysis.
However, Amsler teaches the cyber threat assessment is an advisory having a text description of a cyber-attack, a threat indicator in the advisory is an Indicator of Compromise (IOC), and the initial severity indicia provided in the advisory is specified as a result of a security analysis (see paragraphs [0045], [0066], and [0110]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the assessment data of Amsler in the Reybok (alone or in combination with Manadhata et al.) system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to provide detailed information about each incident to a human analyst.
As per claims 6, 14, and 22, the modified Reybok, Amsler, and Manadhata et al. system discloses receiving additional responses from the set of one or more knowledge bases and updating the priority based at least in part on indications identified in the additional responses (see Reybok paragraphs [0052] and [0098]).
As per claims 7, 8, 15, 16, 23, and 24, the modified Reybok, Amsler, and Manadhata et al. system discloses adjusting the initial severity indicia based on the indications returned from querying the 
As per claim 25, the modified Reybok, Amsler, and Manadhata et al. system discloses a network-accessible threat intelligence service for characterizing a cyber threat assessment, the cyber threat assessment having an initial severity indicia and comprising a set of one or more threat indicators, comprising: associating a relative weighting to each security knowledge base in a set of security knowledge bases (see Manadhata et al. paragraph [0041]); for each of a set of enterprise entities, receiving a data set identifying a set of characteristics associated with the enterprise entity (see Reybok paragraph [0053]); for at least one threat indicator in the set, initiating a query programmatically to each of a set of one or more security knowledge bases, wherein the query to at least one of the security knowledge bases for each of the enterprise entities is scoped by information in the data set received from the enterprise entity (see Reybok paragraphs [0052]-[0054]); receiving responses to the queries programmatically, wherein a response provides an indication that the threat indicator identified in the query has been seen in data sources comprising the security knowledge base (see Reybok paragraphs [0052]-[0054]); adjusting the initial severity indicia based on the relative weighting and the indications returned from querying the security knowledge bases to compute and output to each enterprise entity an indication of a severity of the cyber threat with respect to the enterprise entity; wherein an indication of the severity associated with a first enterprise entity is distinct from an indication of the .
Claims 26-28 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Reybok, Amsler, and Manadhata et al. system as applied to claims 1, 9, and 17 above, and further in view of Yamada et al. (US 20190166164).
As per claims 26-28, the modified Reybok, Amsler, and Manadhata et al. system generally discloses the adjustment of weights over time (see Manadhata et al. paragraph [0041] weighting based on reliability over time), but fails to explicitly disclose automatically adjusting the relative weighting of the security knowledge bases in the set of security knowledge bases based on a determined accuracy of the computed priority.
However, Yamada et al. teaches automatically adjusting the relative weighting of the security knowledge bases in the set of security knowledge bases based on a determined accuracy of the computed priority (see paragraphs [0114]-[0122]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to adjust the weighting of the knowledge bases in the modified Reybok, Amsler, and Manadhata et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to ensure the weighting is accurate and up-to-date.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-28 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 form are directed to querying and weighting security knowledge bases.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875.  The examiner can normally be reached on Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche, can be reached on (571) 270-3618.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Michael Pyzocha/               Primary Examiner, Art Unit 2419