DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 14 May 2021 have been considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 21-28, 30-31, 33, 36, 38 and 40 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 9,848,008. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application slightly broaden the scope of the claims of the ‘008 Patent and on that basis the claims of the ‘008 Patent anticipate the claims of the instant application.
As to claim 21, the ’008 Patent discloses a computer-implemented method, comprising (Claim 1: A method comprising): 
adding, to a timeline view for a network security investigation, one or more events that reflect activity in an information technology environment, wherein each event of the one or more events is positioned in the timeline view according to a timestamp associated with the event (Claim 1: inserting into the timeline view, one or more user-selected events that contain data that reflects activity in an information technology environment, wherein each user-selected event is positioned on the timeline according to a timestamp associated with the event, wherein each user-selected event is represented on the timeline by a graphical indicator); 
adding, to the timeline view, one or more workflow events reflecting investigative activity performed in association with the network security investigation, wherein each investigative event is positioned in the timeline view according to a timestamp associated with the investigative event (Claim 1: inserting into the timeline view, one or more user-selected investigative events reflecting investigative activity performed in association with a security investigation of one or more of the user-selected events, ; and 
causing display of the timeline view, wherein each event of the one or more events and each workflow event of the one or more workflow events is represented in the timeline view by a respective graphical indicator (Claim 1: causing display of a timeline view of events in an information technology security investigation). 
As to claim 22, the ’008 Patent discloses the computer-implemented method of claim 21, wherein an event of the one or more events is associated with a security incident involving one or more computing devices of the information technology environment (Claim 2: The method of claim 1, wherein each user-selected investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces). 
As to claim 23, the ’008 Patent discloses the computer-implemented method of claim 21, wherein a workflow event of the one or more workflow events represents activity performed to investigate at least one of the one or more events reflecting activity in the information technology environment (Claim 3: The method of claim 1, further comprising: wherein each user-selected investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces; causing . 
As to claim 24, the ’008 Patent discloses the computer-implemented method of claim 21, wherein a workflow event of the one or more workflow events represents a user interaction with a network security application including at least one of: viewing a dashboard interface, executing a search query, filtering a displayed data set, or interacting with a notable event (Claim 3: The method of claim 1, further comprising: wherein each user-selected investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces; causing display of a workflow log view displaying information describing one or more log entries of the plurality of log entries).
As to claim 25, the ’008 Patent discloses the computer-implemented method of claim 21, further comprising: detecting a user interaction with a network security application; and storing a workflow event reflecting the user interaction in a data store (Claim 2: The method of claim 1, wherein each user-selected investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces).
As to claim 26, the ’008 Patent discloses the computer-implemented method of claim 21, wherein a workflow event of the one or more workflow events indicates at The method of claim 1, wherein each user-selected investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces).
As to claim 27, the ’008 Patent discloses the computer-implemented method of claim 21, further comprising: receiving input selecting a workflow event to be added to the timeline view; adding the workflow event to the timeline view; and causing display of the timeline view including the workflow event (Claim 1: inserting into the timeline view, one or more user-selected investigative events reflecting investigative activity performed in association with a security investigation of one or more of the user-selected events, wherein each user-selected investigative event is represented on the timeline by a graphical indicator and Claim 2: The method of claim 1, wherein each user-selected investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces).
As to claim 28, the ’008 Patent discloses the computer-implemented method of claim 21, further comprising causing display of a workflow log, wherein the workflow log displays a plurality of workflow events including the one or more workflow events, and The method of claim 1, further comprising: wherein each user-selected investigative event corresponds to an entry in a workflow log, the workflow log including a plurality of log entries corresponding to user actions involving one or more graphical user interfaces; causing display of a workflow log view displaying information describing one or more log entries of the plurality of log entries.).
As to claim 30, the ’008 Patent discloses the computer-implemented method of claim 21, further comprising: adding, to the timeline view, a user-generated note or screenshot; and causing display of the timeline view including the user-generated note or screenshot (Claim 4: The method of claim 1, further comprising: receiving input to add a note to the timeline view; and in response to receiving the input to add the note to the timeline view, causing display of an identifier of the note at a particular location on the timeline view).
As to claim 31, the ’008 Patent discloses the computer-implemented method of claim 21, wherein the timeline view is displayed as part of a first graphical interface, and wherein the method further comprises: receiving input to navigate to a second graphical interface; and causing display of the timeline view as part of the second graphical interface (Claim 10: The method of claim 1, further comprising: wherein causing display of the timeline view includes causing displaying of a first graphical user interface including the timeline view; .
As to claim 33, the ’008 Patent discloses the computer-implemented method of claim 21, wherein a respective graphical indicator corresponding to a workflow event of the one or more workflow events includes at least one of: a name of a graphical interface associated with the workflow event, an identifier of an action associated with the workflow event, or an identifier of a user associated with the workflow event (Claim 9: The method of claim 1, further comprising: receiving input selecting a particular event identifier from a plurality of event identifiers, the particular event identifier corresponding to a particular event from the one or more displayed user-selected events or the one or more user-selected investigative events; and in response to receiving the selection of the particular event identifier, causing display of a detail view of the particular event.).
As to claim 36, the ’008 Patent discloses the computer-implemented method of claim 21, further comprising: receiving input adding a user to an investigation associated with the timeline view; receiving input associated with the user selecting a workflow event to be added to the timeline view; determining that the user is permitted to access the timeline view; adding the workflow event to the timeline view; and causing display of the timeline view including the workflow event (Claim 6: The method of .  
As to claim 38, the ’008 Patent discloses the computer-implemented method of claim 21, further comprising: receiving input selecting an event or workflow event displayed on the timeline view; and causing display of a graphical interface including additional information about the event or workflow event (Claim 4: The method of claim 1, further comprising: receiving input to add a note to the timeline view; and in response to receiving the input to add the note to the timeline view, causing display of an identifier of the note at a particular location on the timeline view).  
As to claim 40, the ’008 Patent discloses a non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause performance of operations comprising (Claim 11: One or more non-transitory computer-readable storage media, storing instructions, which when executed by one or more processors cause performance of): 
adding, to a timeline view for a network security investigation, one or more events that reflect activity in an information technology environment, wherein each event of the one or more events is positioned in the timeline view according to a timestamp associated with the event (Claim 11: inserting into the timeline view, one or more user-selected events that contain data that ; 
adding, to the timeline view, one or more workflow events reflecting investigative activity performed in association with the network security investigation, wherein each investigative event is positioned in the timeline view according to a timestamp associated with the investigative event (Claim 11: inserting into the timeline view, one or more user-selected investigative events reflecting investigative activity performed in association with a security investigation of one or more of the user-selected events, wherein each user-selected investigative event is represented on the timeline by a graphical indicator); and 
causing display of the timeline view, wherein each event of the one or more events and each workflow event of the one or more workflow events is represented in the timeline view by a respective graphical indicator (Claim 11: causing display of a timeline view of events in an information technology security investigation).  

Claim 39 is rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 9,848,008 in view of Claim 1 of U.S. Patent 10,778,712 (Patent Family member). 
As to claim 39, the ‘008 Patent discloses all recited elements of claim 21 from which claim 39 depends.
The ‘008 Patent does not expressly disclose the computer-implemented method of claim 21, further comprising: causing display of a graphical interface including identifiers of a plurality of network security investigations including the network security investigation; receiving input selecting the network security investigation; and causing display of the timeline view responsive to the input selecting the network security investigation.  
The ‘712 Patent discloses the computer-implemented method of claim 21, further comprising: causing display of a graphical interface including identifiers of a plurality of network security investigations including the network security investigation; receiving input selecting the network security investigation; and causing display of the timeline view responsive to the input selecting the network security investigation (Claim 1: A method, comprising: causing display of a user-selected investigation timeline among one or more investigation timelines, the user-selected investigation timeline associated with a particular information technology security investigation; wherein the user-selected investigation timeline includes one or more computer network security event identifiers that represent one or more computer network security events, wherein each computer network security event identifier is positioned on the user-selected investigation timeline according to a timestamp associated with the computer network security event; assigning 
As the ‘008 Patent and the ‘712 Patent are members of the same patent family, they are analogous art, and one of ordinary skill would have sufficient motivation to combine the specific teachings. 

Claims 21-28, 30-31, 33, 36, 38-40 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 9,516,052. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application slightly broaden the scope of the claims of the ‘052 Patent and on that basis the claims of the ‘052 Patent anticipate the claims of the instant application in a manner substantially similar to those expressed in the rejection over U.S. Patent 9,848,008 above.

Allowable Subject Matter
Claims 29, 32, 34-35 and 37 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
U.S. Patent Application Publication No. 2003/0154396 by Godwin et al. discloses display of a timeline of events
U.S. Patent Application Publication No. 2008/0294663 by Heinley et al. discloses a user accessible timeline
U.S. Patent Application Publication No. 2011/0119100 by Ruhl et al. discloses graphical display of anomalies
U.S. Patent Application Publication No. 2011/0179017 by Meyers et al. discloses a graphical display of events with queries
U.S. Patent Application Publication No. 2013/0227689 by Pietrowcz et al. discloses display of a timeline of events
U.S. Patent Application Publication No. 2015/0128267 by Gupta et al. discloses a network forensics system
U.S. Patent Application Publication No. 2015/0324581 by Singla et al. discloses the display on an interface of security events

Conclusion




Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL S MCNALLY whose telephone number is (571)270-1599. The examiner can normally be reached Monday-Friday, 8:30 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson, can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MICHAEL S. MCNALLY
Primary Examiner
Art Unit 2432



/Michael S McNally/Primary Examiner, Art Unit 2432