DETAILED ACTION

1.	Claims 1, 2, 5-9, 12-15, and 18-22 are presented for consideration.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

2.	Claims 1, 2, 5-9, 12-15, and 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over Vashisht et al. [ US Patent Application No 2019/0207966 ], in view of McClintock et al. [ US Patent No 10,135,862 ].

3.	As per claim 1, Vashisht discloses the invention as claimed including a system for the generation and analysis of event data related to the operation of a data network, the system comprising:
a plurality of network sensors comprising at least one processor and computer memory, the plurality of network sensors [ i.e. cybersecurity sensors ] [ paragraph 0025 ] configured to: 

responsive to sensing the operations of the data network, generate event data objects that record the operations of the data network [ i.e. generating the distinctive metadata from the artifact, distinctive metadata may include an identifier (e.g. object ID) ] [ paragraph 0027 ]; and
one or more decorator pipelines comprising at least one processor and computer memory, the one or more decorator pipelines configured to:
examine an undecorated event data object; identify a key-value from the undecorated event data object [ i.e. comparing of object IDs such as hash values, checksum or any collection of data to specifically identify the object ] [ paragraphs 0042, and 0073 ]; 
identify, in an Indicator of Compromise (IoC) datastore, an IoC based on a matching of a key-field of the IoC with the key-value [ i.e. DMAE to compare the artifact ID, which may be represented as a hash value or checksum of the distinctive metadata to stored metadata of prior evaluated artifacts ] [ paragraph 0074, 0105, and 0106 ].
Vashisht does not specifically disclose
decorate the undecorated event data with the identified IoC to generate a decorated event data object that comprises both the undecorated event data and a copy of the identified IoC; and
store the decorated event data object in an event datastore.
McClintock discloses

store the decorated event data object in an event datastore which a plurality of similarly-decorated event data objects that have each been decorated with a same IoC such that the same IoC is stored redundantly by the event datastore in memory locations [ i.e. the fabricated indicator of compromise log may document the injection of fabricated events into the event data 236 ] [ 239, Figure 2; and col 6, lines 2-10 ].
It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Vashisht and McClintock because the teaching of McClintock would enable testing of the security incident response of an organization in an automated manner [ McClintock, col 2, lines 9-22 ].

4.	As per claim 2, Vashisht discloses the event datastore, the event datastore configured to: receive a query; and responsive to receiving the query [ i.e. query for stored, consolidated meta-information ] [ paragraphs 0053, and 0104 ], returning the decorated event data object [ i.e. report is generated ] [ paragraphs 0105, and 0125 ].



6.	As per claim 6, Vashisht discloses wherein the key-field is one of the group consisting of Internet Protocol (IP) address, domain name, and file hash [ i.e. hash value, IP address ] [ paragraphs 0073, 0153, and 0154 ].

7.	As per claim 7, Vashisht discloses wherein the undecorated data object enters the decorator pipeline with a hash-value generated by hashing a file of an operation of the data network [ i.e. hash of the object, filename ] [ paragraphs 0027, and 0049 ], and wherein the decorator pipeline is configured to identify the identified IoC based on a matching of a hash-field of the IoC with the hash-value [ i.e. meta-information compare and match ] [ paragraphs 0028, and 0029 ].

8.	As per claims 8, 9, and 12-14, they are rejected for similar reasons as stated above in claims 1, 2, and 5-7.



10.	As per claim 21, McClintock discloses wherein the IoC datastore maintains, separate from the event datastore, a copy of each IoC such that each IoC stored redundantly by the event datastore is also stored in the IoC datastore [ i.e. IoCs and data of data store 215 ] [ 106, and 236, Figure 2; and col 6, lines 2-10 ].

11.	Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Vashisht et al. [ US Patent Application No 2019/0207966 ], in view of McClintock et al. [ US Patent No 10,135,862 ], and further in view of Iliofotou et al. [ US Patent Application No 2019/0095599 ].

12.	As per claim 22, Vashisht in view of McClintock does not specifically disclose wherein the event datastore is configured to arrange the memory locations in contiguously and next to each other on disk.  Iliofotou discloses wherein the event datastore is configured to arrange the memory locations in contiguously and next to each other on disk [ i.e. datastore may be indexed ] [ Figure 24; and paragraph 0419 ].  It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Vashisht, McClintock and Iliofotou because the teaching of Iliofotou would enable to deploy the User .

Response to Arguments

13.	Applicant’s arguments with respect to claim(s) 1, 2, 5-9, 12-15, and 18-22 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

14.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any 

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUSTIN NGUYEN whose telephone number is (571)272-3971.  The examiner can normally be reached on Monday-Friday 9-6 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Gillis can be reached on 571-2727952.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. 





/DUSTIN NGUYEN/Primary Examiner, Art Unit 2446