DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to the amendment filed on 11/6/2021.  Claims 1, 3-4, 8, 10-11, 15, 17-18, and 21-31 have been amended by the Applicant.  This office action is Final.

Response to Amendments
Applicant’s arguments, see REM, filed 11/6/2021, with respect to the rejection(s) of claim(s) 1, 3-4, 8, 10-11, 15, 17-18, and 21-31 under Zettel, II et al. (2019/0268354) have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Wright et al. (2006/0229846).
On page 9 of the Applicant’s arguments, the previous claim objections to claims 3-4, 10-11, 17-18, 21, and 23-28 have been withdrawn due to the Applicant amending to overcome the objections.
On pages 9-13 of the Applicant’s argument, the Applicant has amended the independent claims to include, “select a first playbook…comprising one or more automated tasks and one or more manual tasks; run the first play to execute the chain of tasks defined in the first playbook, wherein execution of the one or more automated tasks is automated…based on a determination that a first of the one or more manual tasks”…  New art has been applied in light of the claim amendments; thus the Applicant’s argument is moot.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-4, 8, 10-11, 15, 17-18, and 21-28 are rejected under 35 U.S.C. 103 as being unpatentable over Zettel, II et al. (2019/0268354) in view of Wright et al. (2006/0229846).

As per claim 1, Zettel, II et al. discloses a non-transitory computer-readable medium comprising program code to (Zettel, II et al: para. 0005, discloses a non-transitory computer-readable medium that when executed cause the processor to perform the steps):
based on monitoring of input to a user interface, determine that a potential security incident has occurred in a network based on receipt of first input to the user interface indicating the potential security incident or detection of the potential security incident (Zettel, II et al: para. 0057-0058, 0063, 0065, See Fig. 3, determining that a potential security incident has occurred in a network based on receipt of the monitored input to a user interface indicating the potential security incident is disclosed in Zettel, II et al., which discloses that a user of the GUI (graphical user interface), via the selection of the create incident button #308 on dashboard #300, may manually input data related to a particular security incident; the data can be related to a suspicious email/phishing; the suspicious email/phishing is a potential security incident because the email is “suspicious”, and the user/analyst does not know at the time of inputting information to “create the incident” whether it is an actual security incident);
select a first playbook (Zettel, II: para. 0007, selecting a playbook based on the category and the subcategory) associated with the potential security incident based, at least in part, on information about the potential security incident, wherein the first playbook defines a chain of tasks comprising manual tasks (Zettel, II et al: para. 0006, 0081, 0083, 0085-0086, see Figs. 7 and 9, determine one or more actions to perform to address the potential security incident (i.e. suspicious email/phishing) based at least in part on a determination of a first playbook #744; a first playbook #744 has several incident states, namely Analysis, Contain, and Eradicate, and within each incident state there are one or more actions that can be performed to address the potential security incident (i.e. suspicious email/phishing); which playbook to use is based on the information included in the incident record, and thus, based on the information in the incident record, such as a suspicious e-mail/phishing, the tasks can be completed by a security analyst, which the Examiner asserts is a manual task),
based on a determination that a first of the one or more manual tasks is to be performed by a first security analyst, add the first security analyst to an investigation associated with the potential security incident (Zettel, II et al: para. 0086, See Fig. 11, #1110 shows the first task has a “not assigned” button that is not highlighted, which means the first task has been assigned; upon a determination that a first task of the chain of tasks is to be performed, the first task can be assigned (i.e. add) the first security analyst to an investigation associated with the potential security incident (i.e. suspicious email/phishing); discloses that the task can be assigned and when the task is assigned);
(Zettel, II et al: See fig. 14, and para(s) 0100-0101, 0106, display a visualization using a GUI of at least a subset of the one or more actions, by displaying a drop down list of actions, may display a number of actions, and may only display actions that are to be performed, and the Examiner asserts this is at least a subset of one or more actions based on the execution of the chain of tasks defined in the first playbook (i.e. phishing playbook shown in fig. 14)).
Zettel, II et al. does not explicitly disclose select a first playbook comprising one or more automated tasks; and run the first playbook to execute the chain of tasks defined in the first playbook wherein execution of the one or more automated tasks is automated.
However, in the analogous art, Wright discloses select a first playbook (Wright: para. 0004, user selects a playbook) comprising one or more automated tasks; and run the first playbook to execute the chain of tasks defined in the first playbook wherein execution of the one or more automated tasks is automated (Wright: para. 0029, 0036, a task is automated, and the playbook executes the chain of tasks in the playbook).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Wright with the system/method of Zettel, II to include select a first playbook comprising one or more automated tasks; and run the first playbook to execute the chain of tasks defined in the first playbook wherein execution of the one or more automated tasks is automated.
One would have been motivated to select a first playbook and run the first playbook to execute the automated task, because this is an efficient method of diagnosing and resolving a problem (Wright: para. 0025).

As per claim 3, Zettel, II et al. and Wright disclose the non-transitory computer-readable medium program product of claim 1.
Zettel, II further discloses wherein the program code to display the visualization of at least the subset of the chain of tasks on the user interface comprises program code to, for each task of at least the subset of the chain of tasks (Zettel, II et al: See fig. 14, and para(s) 0100-0101, 0106, display a visualization using a GUI of at least a subset of the one or more actions, by displaying a drop down list of actions, may display a number of actions), display an indication of completion of the task (Zettel, II et al: para. 0085-0086, see Fig. 11, display an indication if a corresponding task in a chain of tasks is completed; the corresponding task in the chain of tasks #1110, 1112, 1114, 1116 has a button, a status indicator of whether the task has been completed).

As per claim 4, Zettel, II et al. and Wright disclose the non-transitory computer-readable medium of claim 1.
Zettel, II et al. further discloses wherein the user interface (Zettel, II: para(s): 0057, 0062-0063, GUI); and wherein the first input is made by a second security analyst (Zettel, II: para. 0034, 0063, input is made (i.e. manually inputting) of information related to the incident; discloses a plurality of security analysts, such as a junior or senior analyst, which the Examiner asserts is the second security analyst).
Zettel, II et al. does not explicitly disclose a security analyst terminal.
However, the analogous art of Wright et al. discloses a security analyst terminal (Wright: para. 0035, management console (i.e. security analyst terminal)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Wright with the system/method of Zettel, II to include a security analyst terminal.
(Wright: para. 0053).

As per claim 8, rejected under similar scope as claim 1.

As per claim 10, Zettel, II et al. and Wright disclose the method of claim 8.
Zettel, II et al. further discloses wherein displaying the visualization of at least the subset of the chain of tasks on the user interface comprises (Zettel, II et al: See fig. 14, and para(s) 0100-0101, 0106, display a visualization using a GUI of at least a subset of the one or more actions, by displaying a drop down list of actions, may display a number of actions), for each task of at least the subset of the chain of tasks, displaying an indication of completion of the task (Zettel, II et al: para. 0085-0086, see Fig. 11, display an indication if a corresponding task in a chain of tasks is completed; the corresponding task in the chain of tasks #1110, 1112, 1114, 1116 has a button that is completed if the corresponding task has been completed, a status indicator of whether the task has been completed).

As per claim 11, rejected under similar scope as claim 4 above.
As per claim 15, rejected under similar scope as claim 1 above.
As per claim 17, rejected under similar scope as claim 2 above.
As per claim 18, rejected under similar scope as claim 4 above.

As per claim 21, Zettel, II and Wright disclose the non-transitory, computer-readable medium of claim 1.
Zettel, II further discloses further comprising program code to generate a data entry for the potential security incident based on the determination that the potential security incident has occurred (Zettel, II: para. 0063, 0065, generate a data entry, which can be manually inputted by the user by entering information about the potential security incident (i.e. suspicious email)), based on a determination that the potential security incident has occurred (Zettel, II: para. 0063, 0065, See Fig. 3, the determination is based on receipt of the monitored input to a user interface indicating the potential security incident, as disclosed in Zettel, II et al., which discloses a user of the GUI (graphical user interface) via the selection of the create incident button #308 on dashboard #300), wherein the data entry indicates the information about the potential security incident (Zettel, II: see fig. 3, para. 0063, 0065, 0078, the data entry indicates the information, such as an identification number, about the potential security incident (i.e. suspicious email)).
As per claim 22, Zettel, II et al. and Wright disclose the non-transitory, computer-readable medium of claim 21.
Zettel further discloses wherein the information about the potential security incident comprises at least one of an identifier of the potential security incident (Zettel, II: See Fig. 3, para. 0063, identifier (i.e. identification number)), a name of the potential security incident (Zettel, II: See Fig. 3 #346 short description; and para. 0067, name of the potential security incident (i.e. short description of the security incident)), a type of the potential security incident (Zettel, II: See Fig. 3 #348; and para. 0063, type (i.e. category) of potential security incident), a severity rating (Zettel, II: See Fig. 3 #342; and para. 0057, i.e. risk score), an incident status (Zettel: para. 0058, unassigned, open, assigned incidents, closed), an incident owner (Zettel, II: para. 0078, i.e. related users), an indication of the first playbook (Zettel, II: para(s). 0063, 0070, 0082-0083, based on the category an indication of the first playbook), and an occurrence timestamp (Zettel: See Fig. 3 #356, #354 and Fig. 6, has date and time of the potential security incident) (The Examiner recognizes that the Applicant claiming “at least one” is a Markush claim; only one needs to be disclosed for the purposes of applying art).

As per claim 23, Zettel, II et al. and Wright disclose the non-transitory computer-readable medium of claim 1.
Zettel, II et al. further discloses wherein the program code to display the visualization of at least the subset of the chain of tasks comprises program code to, for each task of at least the subset of the chain of tasks (Zettel, II et al: See fig. 14, and para(s) 0100-0101, 0106, display a visualization using a GUI of at least a subset of the one or more actions, by displaying a drop down list of actions, may display a number of actions), display an indication that the task has been started (Zettel, II: See Fig. 10, display an indication that a corresponding task (i.e. a conditional task of asking a question, Did employee submit the email properly?) has started; the corresponding command has started by the “Begin” button illustrated in figure 10), wherein the indication that the task has been started comprises at least one of a description of the task, a command to be executed in performance of the task, and a result of execution of the command to be executed in performance of the task (Zettel, II: See Fig. 10, discloses a command to be executed in performance of the task, which is answering the task, which is a question, yes or no) (The Examiner recognizes that the Applicant claiming “at least one” is a Markush claim; only one needs to be disclosed for the purposes of applying art).

As per claim 24, Zettel, II and Wright disclose the method of claim 8.
Zettel, II et al. further discloses generating a data entry for the potential security threat based on the determination that the potential security threat has occurred (Zettel, II: para. 0063, 0065, See Fig. 3, generate a data entry, which can be manually inputted by the user by entering information about the potential security threat (i.e. phishing), based on a determination that the potential security threat has occurred, input to a user interface indicating the potential security threat; discloses a user of the GUI (graphical user interface) via the selection of the create incident button #308 on dashboard #300), wherein the data entry indicates the information about the potential security threat (Zettel, II: See Fig. 3, para. 0063, 0065, 0078, the data entry indicates the information, such as an identification number, about the potential security threat).

As per claim 25, Zettel, II and Wright disclose the method of claim 8.
Zettel, II further discloses wherein displaying the visualization of at least the subset of the chain of tasks comprises, for each task of at least the subset of the chain of tasks, displaying an indication that the task has been started (Zettel, II: See para. 0100-0101, and Fig. 10, display an action shown in a drop down menu; and display an indication that a corresponding task (i.e. a conditional task of asking a question, Did employee submit the email properly?) has started; this task is in a chain of tasks illustrated in figure 10; the corresponding command has started by the “Begin” button illustrated in figure 10, and answering the question is an action).

As per claim 26, Zettel, II and Wright disclose the method of claim 25.
Zettel, II further discloses wherein the indication that the task has been started comprises at least one of a description of the task, a command to be executed in performance of the task, and a result of execution of the command to be executed in performance of the task (Zettel, II: See Fig. 10, discloses a command to be executed in performance of the task, which is answering the task, which is a question, yes or no).

As per claim 27, Zettel, II and Wright disclose the system of claim 15.  Zettel, II further discloses further comprising instructions executable by the processor to cause the system to generate a data entry for the potential security incident based on the determination that the potential security incident has occurred (Zettel, II: para. 0063, 0065, See Fig. 3, generate a data entry, which can be manually inputted by the user by entering information about the potential security incident (i.e. suspicious email), based on a determination that the potential security incident has occurred, input to a user interface indicating the potential security incident; discloses a user of the GUI (graphical user interface) via the selection of the create incident button #308 on dashboard #300), wherein the data entry indicates the information about the potential security incident (Zettel, II: see fig. 3, para(s). 0063, 0065, and 0078, the data entry indicates the information, such as an identification number, about the potential security incident), and wherein the information about the potential security incident comprises an indication of the first playbook (Zettel, II: para(s). 0063, 0070, 0082-0083, the information, such as the short description of the potential security incident and the category, includes an indication of the first playbook; the first playbook (i.e. phishing) is associated with the information of the incident, thus there is a different playbook for different types of incidents).

As per claim 28, Zettel, II and Wright disclose the system of claim 15.
Zettel, II et al. further discloses wherein the instructions executable by the processor to cause the system to display the visualization of at least the subset of the chain of tasks comprise instructions executable by the processor to cause the system to, for each task of the at least the subset of the chain of tasks (Zettel, II et al: See fig. 14, and para(s) 0100-0101, 0106, display a visualization using a GUI of at least a subset of the one or more actions, by displaying a drop down list of actions, may display a number of actions, and may only display actions that are to be performed, and the Examiner asserts this is at least a subset of one or more actions), display an indication that the task has been started (Zettel, II, et al: See Fig. 10, display an indication that a corresponding task (i.e. a conditional task of asking a question, Did employee submit the email properly?) has started; this task is in a chain of tasks illustrated in figure 10; the corresponding command has started by the “Begin” button illustrated in figure 10).

Claims 29-31 are rejected under 35 U.S.C. 103 as being unpatentable over Zettel, II et al. (2019/0268354) in view of Wright et al. (2006/0229846) and further in view of Herman-Saffar et al. (10,721,266).

As per claim 29, Zettel, II et al. and Wright disclose the non-transitory computer-readable medium of claim 1.
Zettel, II et al. and Wright do not explicitly disclose further comprising program code to determine one or more actions to recommend for the potential security incident based on past actions taken for a security incident similar to the potential security incident.
However, in the analogous art, Herman-Saffar discloses program code to determine one or more actions to recommend for the potential security incident based on past actions taken for a security incident similar to the potential security incident (Herman-Saffar: col. 5, lines 51-67, col. 6, lines 1-3, col. 7, lines 32-46, See Figs. 3 and 4, determine actions to recommend for the potential security incident (i.e. new incident, remediation recommendations #306 and #406); discloses determining one or more actions to perform to address the potential security incident (i.e. new/current potential security incident; the Examiner asserts that the incident is a potential incident, because the steps have to be performed to determine if the potential security incident is an actual incident; and #306 specific actions regarding the similar incident) based on historical/past actions for a security incident (i.e. #302 historical security incident) similar to the current/new security incident #304).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Herman-Saffar with the system/method of Zettel, II and Wright to include determine one or more actions to recommend for the potential security incident based on past actions taken for a security incident similar to the potential security incident.
One would have been motivated to enable a user to gain information during incident handling that enables a better response to future incidents and thus provides stronger protection for systems and data (Herman-Saffar: col. 3, lines 15-18).

As per claims 30-31, rejected under similar scope as claim 29.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event,
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791.  The examiner can normally be reached on M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


3/8/2022/J.E.J/Examiner, Art Unit 2439  


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439