DETAILED ACTION
This action is in response to an IDS filed 1/26/2022 and an Examiner’s interview conducted 3/8/2021.  Claims 1, 7, 13 and 19 were amended on 2/23/2021.  Claims 1-24 are pending and are examined.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/26/2022 was filed after the mailing date of the Notice of Allowance on 1/10/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below.  Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. 
Authorization for this Examiner’s amendment was given in a telephone interview with Alexa Derkasch on 3/8/2021.
Claims 1, 7, 13 and 19 are amended.  This application has been amended as follows:
1. (Currently Amended)	A computer-implemented method, executed on a computing device, comprising:
generating, via a Security Information and Event Management system, system-defined consolidated platform information from a plurality of security-relevant subsystems within a computing platform, the plurality of security-relevant subsystems including one or more of Content Delivery Network systems, Database Activity Monitoring systems, User Behavior Analytic systems, Mobile Device Management systems, Identity and Access Management systems, and Domain Name Server systems;
obtaining one or more artifacts concerning a detected security event from a plurality of sources, wherein the plurality of sources are associated with the computing platform and maintained by the Security Information and Event Management system, wherein the plurality of sources includes at least one of one or more log files defined for the computing platform and two or more security-relevant subsystems from the plurality of security-relevant subsystems deployed within the computing platform; 
obtaining artifact information concerning the one or more artifacts from the plurality of sources associated with the computing platform; 
assigning a threat level to the detected security event based, at least in part, upon the one or more artifacts; 
generating a conclusion concerning the detected security event based, at least in part, upon the detected security event, the one or more artifacts, and the artifact information; [[and]]
executing a remedial action plan based upon, at least in part, the assigned threat level, wherein executing the remedial action plan includes:
determining that the assigned threat level is low, including permitting a suspect activity corresponding to the security event to continue;
determining that the assigned threat level is moderate, including generating a security event report based, at least in part, upon the one or more artifacts respective to the security event, and providing the security event report to a third party for review; and
determining that the assigned threat level is high, including executing a threat mitigation plan, the threat mitigation plan including shutting down a stream of content corresponding to the security event and closing a port respective to the computing device; and
allowing the third party to manually search through the one or more artifacts within the computing platform.

7. (Currently Amended)	A computer program product residing on a non-transitory computer readable medium having a plurality of instructions stored thereon which, when executed by a processor, cause the processor to perform operations comprising:
generating, via a Security Information and Event Management system, system-defined consolidated platform information from a plurality of security-relevant subsystems within a computing platform, the plurality of security-relevant subsystems including one or more of Content Delivery Network systems, Database Activity Monitoring systems, User Behavior Analytic systems, Mobile Device Management systems, Identity and Access Management systems, and Domain Name Server systems;
obtaining one or more artifacts concerning a detected security event from a plurality of sources, wherein the plurality of sources are associated with the computing platform and maintained by the Security Information and Event Management system, wherein the plurality of sources includes at least one of one or more log files defined for the computing platform and two or more security-relevant subsystems from the plurality of security-relevant subsystems deployed within the computing platform; 
obtaining artifact information concerning the one or more artifacts from the plurality of sources associated with the computing platform; 
assigning a threat level to the detected security event based, at least in part, upon the one or more artifacts; 
generating a conclusion concerning the detected security event based, at least in part, upon the detected security event, the one or more artifacts, and the artifact information; [[and]]
executing a remedial action plan based upon, at least in part, the assigned threat level, wherein executing the remedial action plan includes:
determining that the assigned threat level is low, including permitting a suspect activity corresponding to the security event to continue;
determining that the assigned threat level is moderate, including generating a security event report based, at least in part, upon the one or more artifacts respective to the security event, and providing the security event report to a third party for review; and
determining that the assigned threat level is high, including executing a threat mitigation plan, the threat mitigation plan including shutting down a stream of content corresponding to the security event and closing a port respective to the computing device; and
allowing the third party to manually search through the one or more artifacts within the computing platform.

13. (Currently Amended)	A computing system including a processor and memory configured to perform operations comprising:
generating, via a Security Information and Event Management system, system-defined consolidated platform information from a plurality of security-relevant subsystems within a computing platform, the plurality of security-relevant subsystems including one or more of Content Delivery Network systems, Database Activity Monitoring systems, User Behavior Analytic systems, Mobile Device Management systems, Identity and Access Management systems, and Domain Name Server systems;
obtaining one or more artifacts concerning a detected security event from a plurality of sources, wherein the plurality of sources are associated with the computing platform and maintained by the Security Information and Event Management system, wherein the plurality of sources includes at least one of one or more log files defined for the computing platform and two or more security-relevant subsystems from the plurality of security-relevant subsystems deployed within the computing platform; 
obtaining artifact information concerning the one or more artifacts from the plurality of sources associated with the computing platform; 
assigning a threat level to the detected security event based, at least in part, upon the one or more artifacts;
generating a conclusion concerning the detected security event based, at least in part, upon the detected security event, the one or more artifacts, and the artifact information;
executing a remedial action plan based upon, at least in part, the assigned threat level, wherein executing the remedial action plan includes:
determining that the assigned threat level is low, including permitting a suspect activity corresponding to the security event to continue;
determining that the assigned threat level is moderate, including generating a security event report based, at least in part, upon the one or more artifacts respective to the security event, and providing the security event report to a third party for review; and
determining that the assigned threat level is high, including executing a threat mitigation plan, the threat mitigation plan including shutting down a stream of content corresponding to the security event and closing a port respective to the computing device; and 
allowing the third party to manually search through the one or more artifacts within the computing platform.

19. (Currently Amended)	A computer-implemented method, executed on a computing device, comprising:
generating, via a Security Information and Event Management system, system-defined consolidated platform information from a plurality of security-relevant subsystems within a computing platform, the plurality of security-relevant subsystems including one or more of Content Delivery Network systems, Database Activity Monitoring systems, User Behavior Analytic systems, Mobile Device Management systems, Identity and Access Management systems, and Domain Name Server systems;
obtaining one or more artifacts concerning a detected security event from a plurality of sources, the plurality of sources being associated with the computing platform and maintained by the Security Information and Event Management system, wherein the plurality of sources includes at least one of one or more log files defined for the computing platform and two or more security-relevant subsystems from the plurality of security-relevant subsystems deployed within the computing platform; 
obtaining artifact information concerning the one or more artifacts from the plurality of sources associated with the computing platform; 
assigning a threat level to the detected security event based, at least in part, upon the one or more artifacts; 
generating a conclusion concerning the detected security event based, at least in part, upon the detected security event, the one or more artifacts, and the artifact information; [[and]]
executing a remedial action plan based upon, at least in part, the assigned threat level, wherein executing the remedial action plan includes:
determining that the assigned threat level is low, including permitting a suspect activity corresponding to the security event to continue;
determining that the assigned threat level is moderate, including generating a security event report based, at least in part, upon the one or more artifacts respective to the security event, and providing the security event report to a third party for review; and
determining that the assigned threat level is high, including executing a threat mitigation plan, the threat mitigation plan including shutting down a stream of content corresponding to the security event and closing a port respective to the computing device; and
allowing the third party to manually search through the one or more artifacts within the computing platform.


Response to Argument
Applicant’s amendments, filed 2/23/2021, to claims 1, 7, 13 and 19, clarifying that it is the plurality of sources that are maintained, are sufficient to overcome the objection to the aforementioned claims for grammatical informalities.  Accordingly, the objection to claims 1, 7, 13 and 19 is withdrawn.
The Examiner’s amendments herein and Applicant’s arguments in pages 9-17 of the Remarks, filed 2/23/2021, with respect to claims 1-24 as being rejected under 35 U.S.C. 103 as being unpatentable over Vashishit (US 2019/0207967) as applied to claim 1 above, and further in view of Navarro (US 2019/0230098), have been fully considered and, together with the newly amended claim limitations, are found persuasive.  These rejections have been withdrawn.

Allowable Subject Matter
Claims 1-24 are allowed in light of the Examiner’s amendments herein, the IDS newly considered, Applicant’s arguments and in light of the prior art made of record.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
Newly amended independent claims 1, 7, 13 and 19 are allowed for reasons argued by applicant in pages 5-9 of the Remarks, filed 9/3/2019, and for reasons explained below: 
Newly amended independent claims 1, 7, 13 and 19 are allowed because the closest identified prior art Vashishit (US 2019/0207967), Navarro (US 2019/0230098), Martin (US 2018/0004942) and Chenette (US 2016/0044057), alone or in combination, fails to anticipate or render obvious the claimed invention.
Vashishit (prior art on the record) teaches a cybersecurity platform for collecting, analyzing and distributing cybersecurity intelligence including meta-information associated with an artifact, which is an indicator of compromise received from a plurality of different network devices operating as cybersecurity intelligence sources.  The plurality of cybersecurity sources comprise cybersecurity sensors and network devices, a global data store and a data management and analytics engine (DMAE) and management subsystem, all of which are located within a cybersecurity intelligence hub/platform.  The plurality of cybersecurity sources obtain artifact metadata information from the global data store and DMAE and management subsystem by analyzing information received from network devices and sensors.  The artifact metadata information is analyzed to generate a report and verdict concluding whether or not an artifact is malware.
Navarro (prior art on the record) teaches a system for quantifying the severity of malicious activity by calculating threat-severity scores associated with indicators of compromise.  This enables an administrator to prioritize use of limited security resources for protecting a computing device or underlying network from the most severe malicious activity.  Artifacts are obtained from system log entries and data files.  The system identifies a malicious threat and categorizes the level of risk for the malicious threat based in part upon metadata from Indicators of Compromise.  The system also generates a threat-severity score and classifies the score as low, medium or high.  A report is generated which includes the score for transmission to an administrator or third party.  The system can mitigate or protect against an identified malicious threat by blocking client access to an IP address or domain that is associated with a high threat-severity score.
Martin (prior art on the record) teaches a system for scanning new network events for threat elements (e.g., IOCs) defined in new threat intelligence substantially in real time and generating alerts for possible exposure to newly identified security threats in response to detected similarities between these new network events and these new threat elements.  Once a possible security threat to the network is identified from a compressed log, the system scans the network log for matches to network traffic defined in the indicators of compromise representative of the newly identified security threats.  The system can match network-level port connections, IP addresses, MAC addresses, domain names and hostnames.  The system can then aggregate matches between network elements and threats based on determining a confidence score representing the similarity between the network elements and threats.  If the confidence score is greater than a threshold value, the system can send an alert to human security personnel, take a compromised computer off the network or quarantine an asset.
Chenette (prior art on the record) teaches a system for testing an organization’s cyber security posture, including compliance with network and security requirements.  The system comprises a threat intelligence information repository that utilizes an Open Indicators of Compromise (artifact) framework.  The system can create one or more attack intelligence elements using manual means, such as receiving one or more individual elements and/or details about an attack (e.g., based on external knowledge by an analyst or operator, entered using a simple tool interface used to create manual attack intelligence); processing an output of the research so that individual specific intelligence is recovered and created; and storing each created element in the attack intelligence collection system, making them available for later scenario creation.  The system determines whether to validate an asset of the system based upon determining whether a port of the asset, which is required to always be closed, is not closed.  If the asset is determined to not be valid because the port is not closed and represents a security vulnerability, then the system can mitigate the vulnerability by closing the port.
None of the prior art of record cited above, or in the newly filed information disclosure statements, teaches the full combination of non-obvious features of claims 1, 7, 13 and 19 of the present invention: 
“generating, via a Security Information and Event Management system, system-defined consolidated platform information from a plurality of security-relevant subsystems within a computing platform, the plurality of security-relevant subsystems including one or more of Content Delivery Network systems, Database Activity Monitoring systems, User Behavior Analytic systems, Mobile Device Management systems, Identity and Access Management systems, and Domain Name Server systems;” “obtaining one or more artifacts concerning a detected security event from a plurality of sources, wherein the plurality of sources are associated with the computing platform and maintained by the Security Information and Event Management system, wherein the plurality of sources includes at least one of one or more log files defined for the computing platform and two or more security-relevant subsystems from the plurality of security-relevant subsystems deployed within the computing platform;” “obtaining artifact information concerning the one or more artifacts from the plurality of sources associated with the computing platform;” “assigning a threat level to the detected security event based, at least in part, upon the one or more artifacts;” “generating a conclusion concerning the detected security event based, at least in part, upon the detected security event, the one or more artifacts, and the artifact information;” “executing a remedial action plan based upon, at least in part, the assigned threat level, wherein executing the remedial action plan includes: determining that the assigned threat level is low, including permitting a suspect activity corresponding to the security event to continue; determining that the assigned threat level is moderate, including generating a security event report based, at least in part, upon the one or more artifacts respective to the security event, and providing the security event report to a third party for review; and determining that the assigned threat level is high, including executing a threat mitigation plan, the threat mitigation plan including shutting down a stream of content corresponding to the security event and closing a port respective to the computing device;” and
“allowing the third party to manually search through the one or more artifacts within the computing platform.”
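The claimed sequence (consolidate artifacts from several sources, assign a threat level from the artifacts, draw a conclusion, then dispatch a low/moderate/high remedial plan and expose the artifacts to manual search) is set out below as an added illustrative model. It is not code from the application, the examiner, or any cited reference; the source names, artifact values and the corroboration rule that maps artifacts to a threat level are constructed assumptions chosen only to make the flow executable.

```python
"""Illustrative model of the tiered remedial-action flow recited in claims 1, 7, 13 and 19.

Added example for this page, not the applicant's or any cited reference's code.
Source names, artifact values and the threat-level rule are constructed assumptions.
"""
from dataclasses import dataclass, field

LOW, MODERATE, HIGH = "low", "moderate", "high"


@dataclass
class Artifact:
    value: str                                  # IP, domain, user or similar (constructed)
    kind: str                                   # artifact type
    source: str                                 # log file or subsystem that reported it
    info: dict = field(default_factory=dict)    # artifact information from that source


@dataclass
class SecurityEvent:
    event_id: str
    description: str
    stream_id: str      # content stream that the HIGH branch shuts down
    port: int           # port that the HIGH branch closes


# Constructed "system-defined consolidated platform information": one log file
# plus several security-relevant subsystems (CDN, DAM, UBA, IdAM, DNS), each
# contributing artifacts it observed.
CONSOLIDATED_PLATFORM_INFO = {
    "firewall.log": [Artifact("203.0.113.7", "ip", "firewall.log", {"hits": 42})],
    "cdn":          [Artifact("203.0.113.7", "ip", "cdn", {"requests": 900})],
    "dam":          [Artifact("203.0.113.7", "ip", "dam", {"queries": 17, "tables": ["users"]})],
    "uba":          [Artifact("svc-backup", "user", "uba", {"anomaly_score": 0.91})],
    "idam":         [Artifact("svc-backup", "user", "idam", {"failed_logins": 5})],
    "dns":          [Artifact("example.invalid", "domain", "dns", {"nx_count": 3})],
}


def obtain_artifacts(event_values, platform_info):
    """Collect every artifact across all sources whose value matches the event's indicators."""
    return [a for arts in platform_info.values() for a in arts if a.value in event_values]


def assign_threat_level(artifacts):
    """Constructed rule: the level rises with the number of independent sources that
    corroborate the same artifact value (1 source: low, 2: moderate, 3 or more: high)."""
    corroboration = {}
    for a in artifacts:
        corroboration.setdefault(a.value, set()).add(a.source)
    widest = max((len(s) for s in corroboration.values()), default=0)
    if widest >= 3:
        return HIGH
    if widest == 2:
        return MODERATE
    return LOW


def generate_conclusion(event, artifacts, level):
    """Summarise the event, its artifacts and their artifact information into one conclusion."""
    sources = sorted({a.source for a in artifacts})
    return (f"{event.event_id} ({event.description}): {len(artifacts)} artifact(s) "
            f"from {len(sources)} source(s) {sources}; assessed threat level {level}")


def execute_remedial_action_plan(event, artifacts, level):
    """Return the actions taken; each branch mirrors one claimed determination."""
    actions = []
    if level == LOW:
        # Low: permit the suspect activity to continue (record that decision).
        actions.append(("permit", event.event_id))
    elif level == MODERATE:
        # Moderate: build a report from the artifacts and hand it to a third party.
        report = {"event": event.event_id,
                  "artifacts": [(a.value, a.source, a.info) for a in artifacts]}
        actions.append(("report_to_third_party", report))
    else:
        # High: threat mitigation plan, i.e. stop the content stream and close the port.
        actions.append(("shutdown_stream", event.stream_id))
        actions.append(("close_port", event.port))
    return actions


def manual_search(platform_info, needle):
    """Third-party free-text search over artifact values and artifact information."""
    hits = []
    for arts in platform_info.values():
        for a in arts:
            if needle in a.value or needle in str(a.info):
                hits.append((a.source, a.value))
    return hits


def handle_event(event, event_values, platform_info=CONSOLIDATED_PLATFORM_INFO):
    """Run the full claimed sequence for one detected event and return its outcome."""
    artifacts = obtain_artifacts(event_values, platform_info)
    level = assign_threat_level(artifacts)
    return {"threat_level": level,
            "conclusion": generate_conclusion(event, artifacts, level),
            "actions": execute_remedial_action_plan(event, artifacts, level)}


if __name__ == "__main__":
    print(handle_event(SecurityEvent("evt-1", "suspicious db access", "stream-9", 3306),
                       {"203.0.113.7"}))
    print(manual_search(CONSOLIDATED_PLATFORM_INFO, "backup"))
```

The corroboration rule is the one deliberate design choice here: an indicator reported by several independent subsystems is treated as more serious than one seen in a single log, which is why the moderate branch only produces a report for review while the high branch takes the disruptive actions (stream shutdown, port closure) the claims reserve for that tier.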

None of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.

Conclusion
Therefore, claims 1-24 are hereby allowed in view of applicant’s persuasive arguments and in light of amendment to the claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARON S LYNCH whose telephone number is (571)272-4583.  The examiner can normally be reached 10AM-6PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHARON S LYNCH/Primary Examiner, Art Unit 2438