DETAILED ACTION

1.	Claims 1-20 are presented for consideration.

Specification

2.	The disclosure is objected to because of the following informalities: paragraph 0008, line 2, “include a a plurality of network sensors”.  
Appropriate correction is required.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.


3.	The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)      the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)      the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)     the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

4.	This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations of claim 1 are: a plurality of network sensors configured to …; and one or more decorator pipelines configured to …. 
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover 
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Vashisht et al. [ US Patent Application No 2019/0207966 ], in view of Kothekar et al. [ US Patent Application No 2017/0366582 ].


a plurality of network sensors [ i.e. cybersecurity sensors ] [ paragraph 0025 ] configured to: 
sense operations of the data network [ i.e. monitors incoming and/or outgoing network traffic ] [ paragraphs 0054, and 0080 ];
responsive to sensing the operations of the data network, generate event data objects that record the operations of the data network [ i.e. generating the distinctive metadata from the artifact, distinctive metadata may include an identifier (e.g. object ID) ] [ paragraph 0027 ]; and
one or more decorator pipelines configured to:
examine an undecorated event data object; identify a key-value from the undecorated event data object [ i.e. comparing of object IDs such as hash values, checksum or any collection of data to specifically identify the object ] [ paragraphs 0042, and 0073 ]; 
identify, in an Indicator of Compromise (IoC) datastore, an IoC based on a matching of a key-field of the IoC with the key-value [ i.e. DMAE to compare the artifact ID, which may be represented as a hash value or checksum of the distinctive metadata to stored metadata of prior evaluated artifacts ] [ paragraphs 0074, 0105, and 0106 ].
Vashisht does not specifically disclose

store the decorated event data object in an event datastore.
Kothekar discloses
decorating the undecorated event data with the identified IoC to generate a decorated event data object [ i.e. identify and create incident artifacts associated with each incident, which are also known as indicators of compromise ] [ Figure 3; and paragraphs 0048, 0049, and 0057-0064 ]; and
store the decorated event data object in an event datastore [ i.e. incident database that stores incident objects and indicators of compromise associated with one or more incident objects ] [ paragraphs 0046, and 0086 ].
It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Vashisht and Kothekar because the teaching of Kothekar would enable providing a method for creating incident objects for data security incidents, wherein each incident object includes incident characteristics [ Kothekar, paragraph 0013 ].

7.	As per claim 2, Vashisht discloses the event datastore, the event datastore configured to: receive a query; and responsive to receiving the query [ i.e. query for stored, consolidated meta-information ] [ paragraphs 0053, and 0104 ], returning the decorated event data object [ i.e. report is generated ] [ paragraphs 0105, and 0125 ].


9.	As per claim 4, Kothekar discloses wherein each similarly-decorated event data object is stored separately by the event datastore in a corresponding memory location, wherein the each of the memory locations stores a separate copy of the same IoC [ i.e. IOCs are stored separately from their associated incident objects ] [ Figures 2 and 3; and paragraphs 0008, and 0061 ].

10.	As per claim 5, Vashisht discloses wherein the IoC datastore stores data received from a threat data provider external to the data network and also stores data from analysis performed within the data network [ i.e. third party based intelligence ] [ paragraphs 0068, 0105, and 0135 ].

11.	As per claim 6, Vashisht discloses wherein the key-field is one of the group consisting of Internet Protocol (IP) address, domain name, and file hash [ i.e. hash value, IP address ] [ paragraphs 0073, 0153, and 0154 ].



13.	As per claims 8-14, they are rejected for similar reasons as stated above in claims 1-7.

14.	As per claims 15-20, they are rejected for similar reasons as stated above in claims 1, 3-7.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUSTIN NGUYEN whose telephone number is (571)272-3971.  The examiner can normally be reached on Monday-Friday 9-6 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DUSTIN NGUYEN/
Primary Examiner, Art Unit 2446