DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


The term “similar or adjacent” in claims 1-27 is a relative term which renders the claim indefinite. The terms “similar” and “adjacent” are not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Persons of ordinary skill in the art may find various degrees of difference to be similar or adjacent; for example, one person may find that a 90% match is “similar” or “adjacent” while another would require a 95% match. The claims and specification do not provide a standard for ascertaining the requisite degree.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 2, 4, 5, 7-14, 18-25 and 27 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Kolingivadi et al. (US 2020/0358820 A1), “Kolingivadi”.
Regarding Claims 1 and 19, Kolingivadi discloses a system and a corresponding method to support autonomous similar and adjacent attack identification, comprising: 
a remediation engine (See, Paragraph 0035, “In some implementations, the cloud-based platform 16 may be a security operations (Sec Ops) platform that may be used to track and/or report incidents in the client network 12 and/or connected devices”) configured to 
accept an incident creation request for a detected attack via a suspicious electronic message at one user account with one tenant on an electronic communication platform (See, Paragraph 0054, “When a message is flagged, a notification may be generated. For instance, the notification may be generated by sending or forwarding the suspect message to a security analyst who may access the message/notification in the phishing attempt search interface. For instance, a scanner node may scan messages (e.g., electronic mail) for potential threat indicators and send such messages to a security management node of the 
create an incident for the detected attack and collect electronic messages related to the incident from a repository (See, Paragraph 0086, “a phishing message may affect many users, and the security analyst may want to link the user incidents together. The message may be deemed an incident or security incident, and the related affected users discovered from a search based on the message from one user may be all associated together with the related affected users deemed as child incidents of the incident for the one user” and Paragraph 0096, “When the pertinent observables (e.g., the phishing sample) indicates a new incident (e.g., one that is not currently active), a new phishing incident may be created (block 1058). For example, if a rule is set up to generate an incident when the sender is phiser@phiser.com and the subject contains “Invoice: Inveesion” and no such incident has yet been generated, a new incident may be generated”); 
automatically generate a plurality of insight events for similar or adjacent attacks based on the detected attack and insert the plurality of insight events to an insights queue (See, Fig. 7 and Paragraph 0086, “The message may be deemed an incident or security incident, and the related affected users discovered from a search based on the message from one user may be all the related affected users deemed as child incidents of the incident for the one user” and Paragraph 0085, “If the web interactions tab 758 is selected, a screen 780, as illustrated in FIG. 12, may be presented in the phishing attempt search interface. As illustrated, the web interactions tab 758 includes a list of interaction entries 781 corresponding to the user's interactions with threat indicators present in the messages used/discovered in the email search. Each interaction entry 781 may include an observable field 782 that may be used to track the interaction. For instance, in the illustrated embodiment, the observable field 782 includes a URL provided in the message. The interaction entries 781 may also include an observable type field 784 indicating a type of observable, such as a URL, domain name, an IP address, a file accessed, and the like. The interaction entries 781 may also include a first visit field 786 indicating when the observable was first visited by the user. In some embodiments, a new entry may be made for each visit to the observable. Alternatively, the interaction entries 781 may have a most recent visit field that is updated based on the most recent visit. Alternatively, the interaction entries 781 may track only a first visit in the first visit field 786. The interaction entries 781 may also include a web traffic search identifier 788 that may be used to index the search (e.g., observables search) that resulted in finding the interaction”)); 
remediate the detected attack and a set of un-remediated attacks against user accounts in the same or different tenants on the electronic communication platform that are similar or adjacent to the detected attack (See, Paragraph 0034, “In response, an indication of the phishing attempt is presented in a phishing 
an insights engine (See, Figs. 12, 13 and 14) configured to
retrieve each of the plurality of insight events from the insights queue (See, Paragraph 0085, “As illustrated, the web interactions tab 758 includes a list of interaction entries 781 corresponding to the user's interactions with threat indicators present in the messages used/discovered in the email search. Each interaction entry 781 may include an observable field 782 that may be used to track the interaction. For instance, in the illustrated embodiment, the observable field 782 includes a URL provided in the message. The interaction entries 781 may also include an observable type field 784 indicating a type of observable, such as a URL, domain name, an IP address, a file accessed, and the like”);
search the repository to identify said set of un-remediated attacks against the user accounts of the same or different tenants on the electronic communication platform for each of the plurality of insight events, wherein the set of un-remediated attacks are similar or adjacent to the detected attack (See, Paragraph 0086, “As previously noted, a phishing message may affect many users, and the security analyst may want to link the user incidents together. The message may be deemed an incident or security incident, and the related affected users discovered from a search based on the message from one user 
automatically generate and report insight on the set of un-remediated attacks similar or adjacent to the detected attack (See, Paragraph 0087, “In some embodiments, a show child incidents option may be selected in the screen 800 that causes the display of a table of child incidents including details about each of the child incidents. For instance, the table may include an identifier for each child incident record, a risk score scoring how likely (e.g., degree of correlation to a known attack) or how severe a danger is posed in the incident, a short description, a category of record, an identifier of a parent incident, a last period of update, and/or other information about the child incident records linked to the user entry 730f”).
Regarding Claim 2, the rejection of claim 1 is incorporated and Kolingivadi further discloses the suspicious electronic message is an email, a text message, an online chat, or an instant message (See, Paragraph 0052).  
Regarding Claims 4 and 20, the rejection of claims 1 and 19 is incorporated and Kolingivadi further discloses wherein: the remediation engine is configured to utilize an entire pool of related data stored in a remediation database of incidents of attacks happened in the past or behind the scenes to identify or detect the attack received at the one user account (See, Paragraphs 0052 and 0065).  
Regarding Claim 5, the rejection of claim 1 is incorporated and Kolingivadi further discloses the repository is a cloud-based archiving service that enables secured 
Regarding Claims 7 and 21, the rejection of claims 1 and 19 is incorporated and Kolingivadi further discloses wherein: the remediation engine is configured to create one similar insight event for the incident of the detected attack in order to gain insights on similar attacks happening in the one tenant (See, Paragraph 0105).  
Regarding Claims 8 and 22, the rejection of claims 1 and 19 is incorporated and Kolingivadi further discloses wherein: the remediation engine is configured to retrieve a set of active tenant identifications and related account data from an account database one at a time; create one adjacent insight event for each of the active tenant identifications in order to gain insights on attacks happening in those tenants (See, Fig. 10 and Paragraphs 0081-0084).
Regarding Claims 9 and 23, the rejection of claims 1 and 19 is incorporated and Kolingivadi further discloses the remediation engine is configured to preemptively prevent attacks on the user accounts before the attacks actually happen or cause any damages to the users by taking the one or more remedial measures (See, Paragraph 0089).  
Regarding Claim 10, the rejection of claim 1 is incorporated and Kolingivadi further discloses the automatically-generated insight informs the tenant of attacks that have not been reported or detected by an administrator and/or user of the tenant (See, Paragraph 0071).
Regarding Claims 11 and 24, the rejection of claims 1 and 19 is incorporated and Kolingivadi further discloses the insights engine is configured to automatically generate two types of insight - similar insight on attacks similar to the detected attack (See, Paragraph 0052) and adjacent insight on attacks happening in other tenants on the electronic communication platform (See, Paragraph 0065).
Regarding Claims 12 and 25, the rejection of claims 11 and 24 is incorporated and Kolingivadi further discloses the insights engine is configured to conduct an expanded search for attacks related to the detected attack inside the tenant for similar insight by adjusting search criteria to include and detect similar attacks happened in the past in the entity that have been missed (See, Paragraphs 0052 and 0067).  
Regarding Claim 13, the rejection of claim 12 is incorporated and Kolingivadi further discloses the similar attacks happen in accounts owned by other users of the tenant based on likelihood that these accounts face similar attacks (See, Paragraphs 0069 and 0078).  
Regarding Claim 14, the rejection of claim 12 is incorporated and Kolingivadi further discloses the similar attacks are originated by different senders from the same domain or a different domain from the detected attack (See, Paragraph 0052).  
Regarding Claims 18 and 27, the rejection of claims 11 and 24 is incorporated and Kolingivadi further discloses the insights engine is configured to conduct an expanded search of the entire repository containing electronic communications at multiple tenants to identify the same or similar attacks like the detected attack that have happened at other tenants on the electronic communication platform for adjacent insight (See, Paragraphs 0052 and 0065).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Kolingivadi in view of Stolarz et al. (US 2018/0097841 A1), hereinafter, “Stolarz”. 
Regarding Claim 3, the rejection of claim 1 is incorporated and Kolingivadi does not explicitly disclose the suspicious electronic message is a voice message converted to an electronic text format.
Stolarz discloses an attack detection system wherein a suspicious electronic message is a voice message converted to an electronic text format (See, Paragraph 0164).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to detect and convert, in the system of .

Claims 15-16 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Kolingivadi in view of Schlatter et al. (US 10,284,587 B1), hereinafter, “Schlatter”.
Regarding Claims 15 and 26, the rejection of claim 12 is incorporated and Kolingivadi does not explicitly disclose the insights engine is configured to loosen or expand the search criteria for identifying the similar attacks to include variance of the detected attack in order to search for attacks in other user accounts that are not identical to the detected attack, wherein the loosened search criteria cover similarity in a set of electronic message characteristics.  
Schlatter discloses an insights engine that is configured to loosen or expand the search criteria for identifying the similar attacks to include variance of the detected attack in order to search for attacks in other user accounts that are not identical to the detected attack, wherein the loosened search criteria cover similarity in a set of electronic message characteristics (See, Column 11, lines 4-15 and Column 12, lines 10-31).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to detect and convert, in the system of 
Regarding Claim 16, the rejection of claim 15 is incorporated and Kolingivadi further discloses wherein: the characteristics include one or more of sender and/or recipient address, content pattern, intent, and type of an email or text message (See, Kolingivadi, Paragraph 0052 and Schlatter, Column 2, lines 11-30).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Kolingivadi in view of Schlatter and further in view of Stolarz.
Regarding Claim 17, the rejection of claim 15 is incorporated and the combination of Kolingivadi and Schlatter does not explicitly disclose the characteristics include one or more of frequency, tone, and speed of a voice message.
Stolarz discloses a system of identifying social engineering attacks using message characteristics scanning wherein the characteristics include one or more of frequency, tone, and speed of a voice message (See, Paragraphs 0027 and 0187).
 Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use, in the system of Kolingivadi and Schlatter, one or more of frequency, tone, and speed of a voice message as a .

Allowable Subject Matter
Claim 6 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Howes et al. (US 2013/0091574 A1).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOGESH PALIWAL whose telephone number is (571)270-1807. The examiner can normally be reached M-F 9:00AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/YOGESH PALIWAL/Primary Examiner, Art Unit 2435