DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is in response to the correspondence filed on 11/08/21.  Claims 1-20 are pending, of which Claims 16-20 remain withdrawn from consideration.  Accordingly, Claims 1-15 have been considered below.

Claim Rejections - 35 USC § 112
The amendments and/or arguments submitted by Applicant have been considered and are persuasive; thus, the previous claim rejection(s) have been withdrawn.
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2-6, 12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 2, 3 and 6
Claims 4 and 5 recite the limitation "the alert" throughout the claims.  There is insufficient antecedent basis for this limitation in the claims.  Examiner notes that the preceding claim language establishes at least four separate and distinct instances of an “alert” (see lines 4, 7 and 17 of Claim 1; and line 2 of Claim 4), thus rendering the claims indefinite in that it is unclear as to which one the limitation in question should be in reference to.
Claim 12 recites the limitation "the alert" in line 2.  There is insufficient antecedent basis for this limitation in the claim.  Examiner notes that the preceding claim language establishes at least two separate and distinct instances of an “alert” (see lines 7 and 23 of Claim 7), thus rendering the claim indefinite in that it is unclear as to which one the limitation in question should be in reference to.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-13 and 15 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Chari et al. (2017/0286671).
Claim 1:  Chari et al. discloses a method for managing alert processes based on integrated feedback, the method comprising:
identifying an alert policy defining a condition that, when satisfied by a detected activity, triggers an alert to be sent to a client (malicious user activity detector monitors user activity and generates alert when user is suspected of aberrant behavior) [page 3, paragraph 0033 | page 4, paragraph 0039];
detecting a first activity (user accessing protected assets) [page 7, paragraph 0069];
determining that the first activity satisfies the condition in the alert policy (aggregated risk score greater than an alert threshold) [page 7, paragraph 0070];
generating and sending a first alert to the client, the first alert indicating that the first activity that satisfies the condition in the alert policy has been detected (send alerts for analyst feedback) [page 7, paragraph 0070];
receiving a client feedback from the client, indicating at least whether the first alert is false positive (normal access behavior) [page 8, paragraph 0079];
modifying the alert policy based on the client feedback, the modified alert policy now specifying whether an alert is to be (i) sent to the client, (ii) modified and then sent to the client, (iii) suspended for a period of time, or (iv) disabled (malicious user activity detector may selectively prioritize/suppress different alerts depending on feedback and learning) [page 8, paragraphs 0079-0081];
subsequent to modifying the alert policy,
detecting a second activity (user access related to a future potential user activity alert) [page 7, paragraph 0069];
(generate user activity alert based on analysis) [page 7, paragraph 0070 | page 8, paragraph 0078];
prior to generating a second alert, determining that the second activity shares a relationship with previously received client feedback that caused the alert policy to be modified (compare to prior user activity alerts and any corresponding feedback) [page 6, paragraph 0059 | page 8, paragraphs 0079-0080]; and
generating or, alternatively, refraining from generating the second alert based on the modified alert policy (prevent/limit future false positives and/or duplicate/redundant alerts) [pages 7-8, paragraphs 0077 & 0081].
Claim 2:  Chari et al. discloses the method of claim 1, wherein the method includes generating the alert [page 4, paragraph 0040].
Claim 3:  Chari et al. discloses the method of claim 2, wherein the method further includes modifying, based on the alert policy, an instruction indicating at least one of: how the alert is to be presented, when the alert is to be presented, or to which set of one or more clients the alert is to be presented [page 8, paragraphs 0079-0080].
Claim 4:  Chari et al. discloses the method of claim 3, wherein the previously received client feedback was previously received in response to a previously generated alert, the previously generated alert sharing one or more common attributes with the alert, and wherein the previously generated alert was provided to a previous client based on a particular activity that was being performed and that satisfied the condition (analyst provides feedback to a previously received false positive alert) [pages 7-8, paragraphs 0077 & 0081].
Claim 5:  Chari et al. discloses the method of claim 4, wherein current client feedback is received in response to the alert being sent to the client, and wherein the alert policy is further (analyst can provide any number of feedback samples depending on desired accuracy) [page 6, paragraph 0059 | page 8, paragraphs 0079-0080 & 0084].
Claim 6:  Chari et al. discloses the method of claim 1, wherein the method further includes: subsequent to the alert being sent to the client, receiving current feedback specifying one or more changes that the client is requesting be made to the alert (analyst can provide any number of feedback samples depending on desired accuracy) [page 6, paragraph 0059 | page 8, paragraphs 0079-0080 & 0084]; further modifying the alert policy based on the current feedback to incorporate the one or more changes [page 6, paragraph 0059 | page 8, paragraphs 0079-0080]; determining whether a subsequent activity satisfies a new condition that is defined by the newly modified alert policy [page 7, paragraph 0070 | page 8, paragraph 0078]; and prior to generating a new alert to the client or to another client, determining whether to (i) send, (ii) modify and then send, (iii) suspend, or (iv) disable the new alert based on the newly modified alert policy [pages 7-8, paragraphs 0077 & 0081].
Claim 7:  Chari et al. discloses a computer system comprising:
a processor [page 3, paragraph 0030]; and
a hardware storage device having stored thereon computer-executable instructions that are executable by the processor to cause the computer system to [page 1, paragraph 0015]:
identify a first security incident occurring in response to a detected first activity being performed in a usage context of a resource [page 7, paragraph 0069];
generate a first alert based on an alert policy [page 7, paragraph 0070];
send the first alert to a client [page 7, paragraph 0070];

translate the feedback into a standard form by removing any client data from the feedback (analyst feedback labels are submitted to a semi-supervised learning machine for training the analytic models used by the malicious user activity detector) [page 8, paragraphs 0081-0082];
modify the alert policy by incorporating the requested alert configuration change into the alert policy [page 8, paragraphs 0079-0081];
subsequent to modifying the alert policy,
identify a second security incident occurring in response to a second detected activity being performed in the usage context of a resource [page 7, paragraph 0069];
generate a second alert based on the modified alert policy, such that the second alert incorporates the requested alert configuration change [pages 7-8, paragraphs 0077 & 0081].
Claim 8:  Chari et al. discloses the computer system of claim 7, wherein the resource is a user account or a server computer system [page 10, paragraph 0100].
Claim 9:  Chari et al. discloses the computer system of claim 7, wherein the requested alert configuration change requests that subsequent alerts associated with the usage context of the resource should be prevented from being sent to the client [page 8, paragraphs 0079-0080].
Claim 10:  Chari et al. discloses the computer system of claim 7, wherein, as a result of translating the feedback into the standard form by removing any client data from the feedback, the translated feedback is permitted to be used outside of a scope of the client such that the translated feedback is permissible for use with other clients (feedback submitted to the semi-supervised learning machine for training analytic models used by the malicious user activity detector to monitor a plurality of users) [page 6, paragraph 0067 | page 8, paragraphs 0081-0082].
Claim 11:  Chari et al. discloses the computer system of claim 7, wherein the feedback indicates that the detected activity is to be whitelisted such that the feedback indicates subsequent alerts should be prevented from being sent to the client when subsequent activity corresponding to the detected activity is detected [page 8, paragraphs 0079-0080].
Claim 12:  Chari et al. discloses the computer system of claim 7, wherein an interactive feedback menu is provided with the alert, the interactive feedback menu being configured to receive the feedback detailing the requested alert configuration change [figure 4].
Claim 13:  Chari et al. discloses the computer system of claim 7, wherein machine learning is used to analyze the feedback and to incorporate the requested alert configuration change into the alert policy [page 8, paragraph 0081].
Claim 15:  Chari et al. discloses the computer system of claim 7, wherein the alert policy is applicable to a plurality of clients, including the client [page 6, paragraph 0067].

Allowable Subject Matter
Claim 14 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Response to Arguments
Applicant's arguments filed 11/08/21 have been fully considered but they are not persuasive.
Applicant generally argues that the prior art of record does not explicitly disclose receiving feedback, indicating whether an alert is a false positive and/or modifying a security policy based on the client feedback, as claimed.
Initially, Examiner notes that the pending claims do not appear to recite the modification of a “security policy”; however, it will be assumed that Applicant intended to argue that the prior art does not disclose the modification of the alert policy.
Accordingly, Examiner notes that Chari et al. appears to reasonably disclose receiving feedback indicating whether an alert is a false positive (analyst provides feedback that indicates normal access behavior) [page 8, paragraph 0079] and modifying an alert policy based on the client feedback (malicious user activity detector may selectively prioritize/suppress different alerts depending on feedback and learning) [page 8, paragraphs 0079-0081].
Therefore, Examiner respectfully disagrees and submits that the prior art of record does in fact disclose the allegedly deficient features for the reasons noted above and as further clarified in the prior art rejection.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD ZEE whose telephone number is (571)270-1686. The examiner can normally be reached Monday-Friday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571)272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) 



/EDWARD ZEE/Primary Examiner, Art Unit 2435