Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Applicant’s amendment filed on 7/15/2021 has been entered. Applicant has amended claims 1, 3-4, 6-8, 11-12, 15 and 18; canceled claims 13 and 19 and added claim 21. Currently claims 1-12, 14-18 and 20-21 are pending in this application.

 Response to Arguments
Applicant's arguments filed 7/15/2021 have been fully considered but they are not persuasive. 
Applicant argues that:

    PNG
    media_image1.png
    402
    645
    media_image1.png
    Greyscale

IR Lead to edit various attributes of the incident. Exemplary incident attributes may include an incident name (or an identification number), an incident category (such as DDOS, Malware, etc.), a list of event data, a list of IR team members, a corresponding roadmap with at least a task assigned to at least one of the IR team members, and so forth. Depending on the implementation of the embodiments, the incident may be created with default values in all of its attributes based on the event data, including a default roadmap” and Paragraph 0015, “If default values are created for an incident, the IR Lead may be prompted to review the values and either accept the default settings and deploy the default roadmap as is or change the settings manually. In a preferred embodiment, when the IR Lead decides to change the settings, the IR Lead is guided step-by-step by a software program (a wizard) to set the attributes in an incident. The exemplary wizard may provide a list of incident category to choose from, ask a series of pre-programmed questions based on the incident category and the organization's Incident Response Policy, and recommend a list of tasks (by choosing from pre-existing template roadmaps or other processes of building a list of tasks) according to the answers to the questions for the IR Lead to assign to the IR team members, thus creating a roadmap for this incident. After a roadmap is modified, the IR Lead may save the updated roadmap in the database for this category of incidents as a new roadmap or replace the default roadmap”). As a result, it is clear that Loomis 64 discloses forms are . 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4, 6-9, 12, 15-16 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Loomis et al. (US 2016/0149948 A1), hereinafter, "Loomis 48” in view of Chakravarty et al. (US 2008/0040191 A1), hereinafter, “Chakravarty” and further in view of Loomis (US 2014/0278664 A1), hereinafter, “Loomis 64”.
Regarding Claims 1, 8 and 15, Loomis 48 discloses a computer-based system and corresponding method and a computer program product, wherein the system comprises: 

generating, by the security operations system, a workflow, wherein the workflow is configured to be automatically executed to address the alarm (See, Paragraph 0020, “After receiving the data in step 100, the coordinator can process the data and determine, based on a predefined workflow, what next tool or sensor to utilize in the handling of the event or incident. This predefined workflow can be created by an end user using a visual interface with predefined API definitions for all configured tools and sensors. The user may select the order in which he or she wishes to run the process and save this in the coordinator database for future automated use” and Paragraph 0027, “Throughout the coordinator process, any data received by any tool or sensor in any step can be populated in an incident display or an event display to enable an end user to view the progress of the event or incident and make manual adjustments at any time. Without input from the user during the operation of the coordinator, the coordinator can continue its processes along whatever pre-configured and defined workflows the end user has stored in the database, enabling fully automated operation of a SOC”);
automatically executing, by the security operations system, a first action based on the workflow (See, Paragraph 0030, “The method can further include, at 230, performing, at the server, the determined confirmation action. The action can include, at 235, communicating with at least one second sensor or tool. For example, the communicating can include communicating with a threat intelligence feed. The threat 
receiving, by the security operations system, a security contextual information data including a type of threat and characteristics of a threat (See, Paragraphs 0030, “For example, the communicating can include communicating with a threat intelligence feed. The threat intelligence feed may include an email feed, an RSS feed, an API-connected feed or the like. The first sensor or tool can be the same as or different from the second sensor or tool. Other confirmation actions can also be performed” and 0031, “at 240, receiving, at the server, a response to the communicating with the at least one second sensor or tool. The server can then process this response similar to the way that the original data was processed”); 
executing, by the security operations system, the workflow to generate a second action based on selected form (See, Paragraph 0033, “updating at least one threat rule based on the processing or the response. For example, a sensitivity or threshold for future use by associated tools can be increased or decreased based on processing the data” and Paragraph 0034, “The method can further include, at 270, executing a mitigation action based on the processing or the response. The mitigation action may include remote locking a terminal, remotely wiping a disk drive, switching to a different firewall or proxy server, requiring a user to re-authenticate, or any other mitigation action desired”); and 
automatically executing, by the security operations system, the second action (Paragraph 0034, “The method can further include, at 270, executing a mitigation action 
Loomis 48 does not explicitly disclose wherein the workflow is customizable, by at least one of adding, removing, or modifying a rule for an action, prior to the security operations system receiving an alarm.
Chakravarty discloses wherein a workflow is customizable, by at least one of adding, removing, or modifying a rule for an action, prior to a security operations system receiving an alarm (See, Abstract and Paragraphs 0006, 0026 and 0040).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to provide, in the system of Loomis 48, a record in response to the alarm and populating, by the security operations system, a customizable workflow which is customizable, by at least one of adding, removing, or modifying a rule for an action, prior to a security operations system receiving an alarm as taught by Chakravarty because predefined workflows often have limited flexibility and are not easily customized by a use and customizable workflow solves this problem by providing additional flexibility to customize the workflow which enables the security experts to create and edit workflow instances which results in a greater flexibility (See, Chakravarty, Paragraph 0003). 
The combination of Loomis 48 and Chakravarty does not explicitly disclose receiving, by the security operations system, security contextual data including a type of threat and characteristics of a threat and selecting, by the security operations system, a form from among a plurality of customizable forms based on the type of threat.

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to receive, in the system of Loomis 48 and Chakravarty, security contextual data including a type of threat and characteristics of a threat and selecting, by the security operations system, a form from among a plurality of customizable forms based on the type of threat as taught by Loomis 64 so that “the IR Lead may be prompted to review the values and either accept the default settings and deploy the default roadmap as is or change the settings manually” (See, Loomis 64, Paragraph 0015).
Regarding Claims 2, 9 and 16, the rejection of claims 1, 8 and 15 is incorporated and the combination of Loomis 48, Chakravarty and Loomis 64 further discloses receiving, by the security operations system, the alarm in response to the threat detected on a monitored system, wherein the alarm includes the characteristics of the threat (See, Loomis 48, Paragraph 0028, “a method can include, at 210, receiving, at a server, data from at least one first sensor or tool. The data can be configured to inform the server of an actual or potential threat to at least one computer system or network. The server can be, but does not have to be, a part of the computer system or network under threat. The at least one first sensor or tool can be or include a SIEM tool).
Regarding Claim 3 the rejection of claim 1 is incorporated and the combination of Loomis 48, Chakravarty and Loomis 64 as applied in the rejection of claim 1 does not 
However, Loomis 64 in the same reference disclose automatically populating the selected form with the characteristics of the threat including populating a plurality fields of the selected form with the characteristics of the threat (See, Paragraphs 0012-0015). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to automatically, in the system of Loomis 48, Chakravarty and Loomis 64, populating the selected form with the characteristics of the threat including populating a plurality fields of the selected form with the characteristics of the threat as taught by Loomis 64 in order to “allow the IR Lead to edit various attributes of the incident. Exemplary incident attributes may include an incident name (or an identification number), an incident category (such as DDOS, Malware, etc.), a list of event data, a list of IR team members, a corresponding roadmap with at least a task assigned to at least one of the IR team members, and so forth” (See, Loomis 64, Paragraph 0064).
Regarding Claim 4 the rejection of claim 1 is incorporated and the combination of Loomis 48, Chakravarty and Loomis 64 further discloses wherein the type of threat includes at least one of data loss, denial of service (DoS), malware, virus, or a violation of a user policy (See, Loomis 64, Paragraph 0014, Note: As the feature of security contextual data including a type of threat has been combined in the rejection of claim 1 and this claim further limit the combined feature, a separate motivation to combine statement is not needed. See claim 1).
Claim 6 the rejection of claim 1 is incorporated and the combination of Loomis 48, Chakravarty and Loomis 64 as applied in the rejection of claim 1 does not explicitly disclose automatically populating, by the security operations system, the selected form with the characteristics of the threat.
However, Loomis 64 in the same reference disclose populating, by the security operations system, the selected form with the characteristics of the threat (See, Paragraphs 0012-0015). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to automatically, in the system of Loomis 48, Chakravarty and Loomis 64, populating, by the security operations system, the selected form with the characteristics of the threat as taught by Loomis 64 in order to “allow the IR Lead to edit various attributes of the incident. Exemplary incident attributes may include an incident name (or an identification number), an incident category (such as DDOS, Malware, etc.), a list of event data, a list of IR team members, a corresponding roadmap with at least a task assigned to at least one of the IR team members, and so forth” (See, Loomis 64, Paragraph 0064).
Regarding Claim 7 the rejection of claim 1 is incorporated and the combination of Loomis 48, Chakravarty and Loomis 64 further discloses updating, by the security operations system, the selected form to include the security contextual data (See, Loomis 48, Paragraphs 0023, “After the new data set is sent from the SIEM device in step 103, the coordinator can create a new rule set for a connected firewall, including MD5 hashes, uniform resource locators (URLs), or internet protocol (IP) addresses that returned with positive results from any SIEM tool or threat intelligence feeds involved in 
Regarding Claim 12, the rejections of claim 8  is incorporated and the combination of Loomis 48, Chakravarty and Loomis 64 further discloses updating by the security operations system, the selected form to include the security contextual information data (See, Loomis 48, Paragraphs 0023, “After the new data set is sent from the SIEM device in step 103, the coordinator can create a new rule set for a connected firewall, including MD5 hashes, uniform resource locators (URLs), or internet protocol (IP) addresses that returned with positive results from any SIEM tool or threat intelligence feeds involved in the process. These new rule sets can be sent to the API-connected firewall in step 104, thus eliminating the need for manual configuration of the new firewall rules” and 0033, “A new threat rule can be generated to watch for similar data in the future. Other updates are also permitted” as combined with form selection feature of Loomis 62 as combined in the rejection of claim 8).
Regarding Claim 21, the rejection of claim 1 is incorporated and the combination of Loomis 48, Chakravarty and Loomis 64 further discloses wherein the threat has the capability to impact confidentiality of data, availability of services or integrity of data (See, Loomis, Paragraphs 0006 and 0028).
Claims 5, 10, 11, 14, 17, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Loomis 48 in view of Chakravarty and Loomis 64 and further in view of Agbabian (US 7,472,422 B1), hereinafter, “Agbabian”.
Claims 10 and 17, the rejection of claims 9 and 16 is incorporated and the combination of Loomis 48, Chakravarty and Loomis 48 does not explicitly disclose generating, by the security operations system, a record in response to the alarm wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm.
Agbabian discloses generating, by a security operations system, a record in response to an alarm wherein the record includes a severity level assigned to the record (See, Fig. 4A, Numeral 404 and also Column 13, lines 16-25 and lines 51-57, Note: Please note that examiner is interpreting the event of Fig. 3, Numeral 302, as an alarm since it includes event characterization data including a severity level and the event generated by the security management module in step 404 as the claimed record), wherein the severity level is automatically generated based on a threat level identified in the alarm (See, Fig. 4A, Numeral 404, Column 13, lines 16-25 and lines 51-57, Note: the security management module simply add time stamp data and location data to populate event which is being interpreted as a record and uses the same event characterization data from the event of Fig. 3 which is being interpreted as an alarm).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to generate, in the system of Loomis 48, Chakravarty and Loomis 48, by the security operations system, a record in response to the alarm wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm as taught by Agbabian because this allows management console the ability to provide some rudimentary event correlation configuration by assigning particular alert-
Regarding Claims 5, 14 and 20, the rejection of claims 1, 8 and 15 is incorporated and the combination of Loomis 48, Chakravarty and Loomis 48 does not explicitly disclose generating, by the security operations system, a record in response to the alarm, wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm.
Agbabian discloses generating, by a security operations system, a record in response to an alarm wherein the record includes a severity level assigned to the record (See, Fig. 4A, Numeral 404 and also Column 13, lines 16-25 and lines 51-57, Note: Please note that examiner is interpreting the event of Fig. 3, Numeral 302, as an alarm since it includes event characterization data including a severity level and the event generated by the security management module in step 404 as the claimed record), wherein the severity level is automatically generated based on a threat level identified in the alarm (See, Fig. 4A, Numeral 404, Column 13, lines 16-25 and lines 51-57, Note: the security management module simply add time stamp data and location data to populate event which is being interpreted as a record and uses the same event characterization data from the event of Fig. 3 which is being interpreted as an alarm).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to generate, in the system of Loomis 48, Chakravarty and Loomis 48, by the security operations system, a record in response to 
Regarding Claims 11 and 18, the rejection of claims 10 and 17 is incorporated and the combination of Loomis 48, Chakravarty, Loomis 64 and Agbabian as applied in the rejection of claims 10 and 17 does not explicitly disclose automatically, populating, by the security operations system, the selected form with the characteristics of the threat, wherein the selected form is associated with the record.
However, Loomis 64 in the same reference discloses automatically populating, by the security operations system, by the security operations system, the selected form with the characteristics of the threat, wherein the selected form is associated with the record (See, Paragraphs 0012-0015).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to automatically generate, in the system of Loomis 48, Chakravarty, Loomis 64 and Agbabian, by the security operations system, the selected form with the characteristics of the threat, wherein the selected form is associated with the record and selected in response to a type of the threat as taught by Loomis 64 so that “the IR Lead may be prompted to review the values and either accept .

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-3, 5-12, 14-18 and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. US 10,552,615. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-20 of U.S. Patent No. US 10,552,615 anticipates claims 1-3, 5-12, 14-18 and 20.
Claims 4 and 21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,552,615 in view of Loomis 64.
Claim 4 requires additional limitation of wherein the type of threat includes at least one of data loss, denial of service (DoS), malware, virus, or a violation of a user policy.
Loomis 64 discloses network protection system wherein the type of threat includes at least one of data loss, denial of service (DoS), malware, virus, or a violation of a user policy (See, Loomis 64, Paragraph 0014).

Claim 21 requires additional limitation of wherein the threat has the capability to impact confidentiality of data, availability of services or integrity of data.
Loomis 64 discloses network protection system wherein the threat has the capability to impact confidentiality of data, availability of services or integrity of data (See, Paragraphs 0003-0005).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to protect form threat that has the capability to impact confidentiality of data, availability of services or integrity of data as taught by Loomis 64 for guiding an incident response team to detect, analyze, contain, eradicate, and recover from a threat such as a data breach through a pre-defined set of tasks (See, Loomis, Paragraph 0005).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  





 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOGESH PALIWAL whose telephone number is (571)270-1807. The examiner can normally be reached M-F 9:00AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph P Hirl can be reached on 5712723685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/YOGESH PALIWAL/Primary Examiner, Art Unit 2435