Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1. This action is responsive to the communication filed on August 23, 2019. At this time, claims 1-20 are pending and addressed below.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-14 and 18-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Milazzo, US Pat. No. 20200186569.

Claims 1, 13, and 18. Milazzo discloses a method, performed by one or more processors (See Abstract; The cognitive computing system processes the natural language content from the one or more corpora and the security event log data to identify attack characteristics applicable to the security event log data.), comprising:
receiving a plurality of system event records; (See [0070]; input data 114 from electronic content sources 102 external to the monitored computing environment 104)
processing the plurality of system event records using a set of event detectors to determine that a suspicious system event has occurred; (See [0072]; That is, the knowledge extracted by the cognitive
sending, to a client device, a plurality of properties associated with the suspicious system event; (See [0032]; collective knowledge of attacks or threats obtained from client specific security event logs and data)
receiving, from the client device, a selection indicator indicating a selected one or more properties of the plurality of properties; (See [0020]; The security log information may specify various events associated with the particular managed endpoint devices that represent events of interest to security evaluations, e.g., failed login attempts, password changes, network traffic patterns, system configuration changes. See [0032] and [0034]; extraction of attack characteristics. See also [0074]; and extracts attack characteristics 120 from the ingested information via the cognitive computing system 112. Examples of these attack characteristics 120 include a type of event specified in a security log, source identifier (e.g., Internet Protocol (IP) addresses, Uniform Resource Locators (URLs), domains, etc.), file hashes, anti-virus and/or firewall signatures (i.e. unique identifiers given to a known threat so that the threat can be identified in the future), attack vector/method (i.e., a path or means by which a hacker can gain access to a computer system for malicious purposes), and the like.)
generating one or more new event detectors based on the selected one or more properties; (See [0032]; a SIEM rule generator of the SIEM rules management system generates a new SIEM rule specifying the attack characteristics extracted from the ingested information)
and adding the one or more new event detectors to the set of event detectors. (See [0032]; The automatically generated SIEM rule generated by the SIEM may be stored in a SIEM rule repository)

Claim 2. Milazzo discloses the method of claim 1, wherein the plurality of system event records comprise system log records. (See [0008]; and security event log data from a monitored computing environment.)

Claim 3. Milazzo discloses the method of claim 1, wherein the plurality of system event records comprise records generated by a security monitoring application. (See [0008]; and security event log data from a
Claim 7. Milazzo discloses the method of claim 1, wherein the suspicious system event is associated with one or more system descriptors, wherein the one or more system descriptors comprise one or more properties of one or more systems on which the suspicious system event occurred. (See [0070])

Claim 8. Milazzo discloses the method of claim 7, comprising sending the one or more system descriptors to the client device. (See [0032])

Claim 9. Milazzo discloses the method of claim 7, wherein the one or more system descriptors are associated with one or more vulnerability descriptors, wherein the one or more vulnerability descriptors comprise properties of one or more known security vulnerabilities of the one or more systems on which the suspicious system event occurred. (See [0070-0071] and [0048])

Claim 10. Milazzo discloses the method of claim 9, comprising sending the one or more vulnerability descriptors to a client device. (See [0035])

Claim 11. Milazzo discloses the method of claim 1, comprising:
receiving a second plurality of system event records; (See [0070]; event from external data 114 and internal data 114) 
and determining a second one or more system event records of the second plurality of system event records to be indicative of an occurrence of a second suspicious system event based on the one or more new event detectors. (See [0070])  
Claim 12. Milazzo discloses the method of claim 11, further comprising sending a plurality of properties associated with the second suspicious system event to the client device. (See [0074])

Claim 14. Milazzo discloses the computing system of claim 13, wherein the operations further comprise receiving an event descriptor, wherein the event descriptor comprises the plurality of properties associated with the suspicious system event. (See [0070])



Claim 19. Milazzo discloses the computer readable medium of claim 18, wherein the plurality of system event records comprise system log records. (See [0008]; and security event log data from a monitored computing environment.)

Claim 20. The computer readable medium of claim 18, wherein the plurality of system event records comprise records generated by a security monitoring application. (See [0008]; and security event log data from a monitored computing environment.)

Claims 15, 16, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Milazzo, US Pat. No. 20200186569, in view of Joseph, IDS submitted, US Pat. No. 20180084012.

Claim 15. Milazzo discloses the computing system of claim 13, wherein the operations further comprise: receiving one or more system descriptors, wherein the one or more system descriptors comprise one or more properties of one or more systems on which the suspicious system event occurred; (See [0070])
Milazzo does not appear to explicitly disclose and displaying the one or more properties of the one or more systems.
However, Joseph discloses and displaying the one or more properties of the one or more systems. (See Joseph, [0105]) 
Milazzo and Joseph are analogous art because they are from the same field of endeavor, which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Milazzo with the teaching of Joseph to include the display device of Joseph to render the information to a viewer.
Claim 16. Milazzo discloses the computing system of claim 15, wherein the operations further comprise: receiving one or more vulnerability descriptors associated with the one or more system descriptors, wherein the one or more vulnerability descriptors comprise one or more properties of one or more known security vulnerabilities of the one or more systems on which the suspicious system event occurred; (See [0070])
Milazzo does not appear to explicitly disclose and displaying the one or more properties of the one or more known security vulnerabilities. 
However, Joseph discloses and displaying the one or more properties of the one or more known security vulnerabilities. (See Joseph, [0105]) 
Milazzo and Joseph are analogous art because they are from the same field of endeavor which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Milazzo with the teaching of Joseph to 
Claim 17. Milazzo discloses the computing system of claim 13, wherein the operations further comprise: receiving, from the server, a plurality of properties associated with a second suspicious system event, wherein the server has determined that the second suspicious system event has occurred based on one or more new event detectors, the one or more new event detectors generated by the server based on the selection indicator; (See [0020], [0032], [0070], [0074])
Milazzo does not appear to explicitly disclose and displaying the plurality of properties associated with the second suspicious system event.  
However, Joseph discloses and displaying the plurality of properties associated with the second suspicious system event.  (See Joseph, [0105]) 
Milazzo and Joseph are analogous art because they are from the same field of endeavor, which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Milazzo with the teaching of Joseph to include the display device of Joseph to render the information to a viewer.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Colquhoun, US Pat. No. 20210097172.
Renner, US Pat. No. 20210149790.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSNEL JEUDY whose telephone number is (571)270-7476. The examiner can normally be reached on M-F 10:00-8:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Date: 8/4/2021




/JOSNEL JEUDY/Primary Examiner, Art Unit 2438