Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Applicant’s submission for RCE has been entered. Applicant has amended claims 1, 8 and 15. Currently claims 1-12, 14-18 and 20-21 are pending in this application.

Response to Arguments
Applicant's arguments with respect to claims 1, 8 and 15 have been considered but are moot in view of the new ground(s) of rejection. 
Note: Upon further review of the reference relied upon in the last office action, examiner determines that the Chakravarty reference further discloses features for which Loomis 64 was cited. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:



Claims 1-4, 6-9, 12, 15-16 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Loomis et al. (US 2016/0149948 A1), hereinafter, “Loomis”, in view of Chakravarty et al. (US 2008/0040191 A1), hereinafter, “Chakravarty”.
Regarding Claims 1, 8 and 15, Loomis discloses a computer-based system and corresponding method and a computer program product, wherein the system comprises: 
a processor and a tangible, non-transitory memory configured to communicate with the processor, the tangible, non-transitory memory having instructions stored thereon that, in response to execution by the processor, cause a security operations system to perform operations (See, Paragraph 0017) comprising: 
generating, by the security operations system, a workflow, wherein the workflow is configured to be automatically executed to address the alarm (See, Paragraph 0020, “After receiving the data in step 100, the coordinator can process the data and determine, based on a predefined workflow, what next tool or sensor to utilize in the handling of the event or incident. This predefined workflow can be created by an end user using a visual interface with predefined API definitions for all configured tools and sensors. The user may select the order in which he or she wishes to run the process and save this in the coordinator database for future automated use” and Paragraph 0027, “Throughout the coordinator process, any data received by any tool or sensor in any step can be populated in an incident display or an event display to enable an end 
automatically executing, by the security operations system, a first action based on the workflow (See, Paragraph 0030, “The method can further include, at 230, performing, at the server, the determined confirmation action. The action can include, at 235, communicating with at least one second sensor or tool. For example, the communicating can include communicating with a threat intelligence feed. The threat intelligence feed may include an email feed, an RSS feed, an API-connected feed or the like. The first sensor or tool can be the same as or different from the second sensor or tool. Other confirmation actions can also be performed”); 
receiving, by the security operations system, a security contextual information data including a type of threat and characteristics of a threat (See, Paragraphs 0030, “For example, the communicating can include communicating with a threat intelligence feed. The threat intelligence feed may include an email feed, an RSS feed, an API-connected feed or the like. The first sensor or tool can be the same as or different from the second sensor or tool. Other confirmation actions can also be performed” and 0031, “at 240, receiving, at the server, a response to the communicating with the at least one second sensor or tool. The server can then process this response similar to the way that the original data was processed”); 
automatically executing, by the security operations system, the workflow to generate a second action based on selected form (See, Paragraph 0033, “updating at 
automatically executing, by the security operations system, the second action (Paragraph 0034, “The method can further include, at 270, executing a mitigation action based on the processing or the response. The mitigation action may include remote locking a terminal, remotely wiping a disk drive, switching to a different firewall or proxy server, requiring a user to re-authenticate, or any other mitigation action desired”).
Loomis does not explicitly disclose wherein the workflow is customizable via a form among a plurality of customizable forms, by at least one of adding, removing or modifying a rule for an action from the form, prior to the security operations system receiving an alarm and receiving, by the security operations system, security contextual data including a type of threat and characteristics of a threat and automatically selecting, by the security operations system, the form from among the plurality of customizable forms based on the type of threat.
Chakravarty discloses a system wherein a workflow is customizable via a form among a plurality of customizable forms, by at least one of adding, removing or modifying a rule for an action from the form, prior to the security operations system receiving an alarm (See, Paragraph 0012, “A user may create and edit a workflow process from scratch or by starting with a template. For example, the use may create or edit a workflow instance by using drag and drop features of the graphical user interface to place one or more steps/work-items and transitions there between into a sequence. Various types of work-items may be used, including manual work-items and automatic work-items. Automatic work-items (also called system work-items) may include template work-items, command work-items, notification work-items, decision work-items and/or other types of automatic work-items” and also see, Paragraph 0048, “According to another aspect of the invention, individual steps, work-items, and transitions are customizable to the user's specifications or organization's requirements. Templates can be created to facilitate creation and editing of workflow elements”), and receiving, by the security operations system, security contextual data including a type of threat and characteristics of a threat and automatically selecting, by the security operations system, the form from among the plurality of customizable forms based on the type of threat (See, Paragraph 0008, “An assignment module may be used to select and assign a workflow process instance to a detected incident. The assignment of a workflow process instance to an incident may be made according to workflow assignment rules. For example, a particular workflow process instance may be designed to remediate a particular type of incident, e.g., depending on details of the particular incident” and Paragraph 0028, “Assignment module 18 may be used to select and assign a workflow process instance to the incident. 
(e.g., a customized workflow process instance designed in the manner described above). One or more reported incidents may be automatically (or manually) assigned a workflow processes instance based on incident details, workflow assignment 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have, in the system of Loomis, a workflow that is customizable via a form among a plurality of customizable forms, by at least one of adding, removing or modifying a rule for an action from the form, prior to the security operations system receiving an alarm, and receiving, by the security operations system, security contextual data including a type of threat and characteristics of a threat and automatically selecting, by the security operations system, the form from among the plurality of customizable forms based on the type of threat, as taught by Chakravarty, because predefined workflows often have limited flexibility and are not easily customized by a user, and a customizable workflow solves this problem by providing additional flexibility to customize the workflow, which enables the security experts to create and edit workflow instances and results in greater flexibility (See, Chakravarty, Paragraph 0003).
Regarding Claims 2, 9 and 16, the rejection of claims 1, 8 and 15 is incorporated and the combination of Loomis and Chakravarty further discloses receiving, by the security operations system, the alarm in response to the threat detected on a monitored system, wherein the alarm includes the characteristics of the threat (See, Loomis, Paragraph 0028, “a method can include, at 210, receiving, at a server, data from at least one first sensor or tool. The data can be configured to inform the server of an actual or potential threat to at least one computer system or network. The server can 
Regarding Claim 3, the rejection of claim 1 is incorporated and the combination of Loomis and Chakravarty as applied in the rejection of claim 1 does not explicitly disclose automatically populating the selected form with the characteristics of the threat, including populating a plurality of fields of the selected form with the characteristics of the threat.
However, Chakravarty in the same reference discloses automatically populating the selected form with the characteristics of the threat, including populating a plurality of fields of the selected form with the characteristics of the threat (See, Paragraphs 0028-0029).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to automatically populate, in the system of Loomis and Chakravarty, the selected form with the characteristics of the threat, including populating a plurality of fields of the selected form with the characteristics of the threat, as taught by Chakravarty so that “a particular workflow process instance may be designed to remediate a particular type of incident” (See, Chakravarty, Paragraph 0028).
Regarding Claim 4, the rejection of claim 1 is incorporated and the combination of Loomis and Chakravarty further discloses wherein the type of threat includes at least one of data loss, denial of service (DoS), malware, virus, or a violation of a user policy (See, Chakravarty, Paragraph 0027, Note: As the feature of security contextual data including a type of threat has been combined in the rejection of claim 1 and this claim 
Regarding Claim 6, the rejection of claim 1 is incorporated and the combination of Loomis and Chakravarty as applied in the rejection of claim 1 does not explicitly disclose automatically populating, by the security operations system, the selected form with the characteristics of the threat.
However, Chakravarty in the same reference discloses populating, by the security operations system, the selected form with the characteristics of the threat (See, Paragraphs 0028-0029).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to automatically populate, in the system of Loomis and Chakravarty, by the security operations system, the selected form with the characteristics of the threat, as taught by Chakravarty so that “a particular workflow process instance may be designed to remediate a particular type of incident” (See, Chakravarty, Paragraph 0028).
Regarding Claim 7, the rejection of claim 1 is incorporated and the combination of Loomis and Chakravarty further discloses updating, by the security operations system, the selected form to include the security contextual data (See, Loomis, Paragraphs 0023, “After the new data set is sent from the SIEM device in step 103, the coordinator can create a new rule set for a connected firewall, including MD5 hashes, uniform resource locators (URLs), or internet protocol (IP) addresses that returned with positive results from any SIEM tool or threat intelligence feeds involved in the process. These new rule sets can be sent to the API-connected firewall in step 104, thus eliminating the 
Regarding Claim 12, the rejection of claim 8 is incorporated and the combination of Loomis and Chakravarty further discloses updating, by the security operations system, the selected form to include the security contextual information data (See, Loomis, Paragraphs 0023, “After the new data set is sent from the SIEM device in step 103, the coordinator can create a new rule set for a connected firewall, including MD5 hashes, uniform resource locators (URLs), or internet protocol (IP) addresses that returned with positive results from any SIEM tool or threat intelligence feeds involved in the process. These new rule sets can be sent to the API-connected firewall in step 104, thus eliminating the need for manual configuration of the new firewall rules” and 0033, “A new threat rule can be generated to watch for similar data in the future. Other updates are also permitted”, as combined with the form selection feature of Chakravarty in the rejection of claim 8).
Regarding Claim 21, the rejection of claim 1 is incorporated and the combination of Loomis and Chakravarty further discloses wherein the threat has the capability to impact confidentiality of data, availability of services or integrity of data (See, Loomis, Paragraphs 0006 and 0028).
Claims 5, 10, 11, 14, 17, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Loomis in view of Chakravarty and further in view of Agbabian (US 7,472,422 B1), hereinafter, “Agbabian”.
Regarding Claims 10 and 17, the rejection of claims 9 and 16 is incorporated and the combination of Loomis and Chakravarty does not explicitly disclose generating, by the security operations system, a record in response to the alarm, wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm.
Agbabian discloses generating, by a security operations system, a record in response to an alarm, wherein the record includes a severity level assigned to the record (See, Fig. 4A, Numeral 404 and also Column 13, lines 16-25 and lines 51-57, Note: Please note that the examiner is interpreting the event of Fig. 3, Numeral 302, as an alarm since it includes event characterization data including a severity level, and the event generated by the security management module in step 404 as the claimed record), wherein the severity level is automatically generated based on a threat level identified in the alarm (See, Fig. 4A, Numeral 404, Column 13, lines 16-25 and lines 51-57, Note: the security management module simply adds time stamp data and location data to populate the event, which is being interpreted as a record, and uses the same event characterization data from the event of Fig. 3, which is being interpreted as an alarm).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to generate, in the system of Loomis and Chakravarty, by the security operations system, a record in response to the alarm, wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm, as taught by Agbabian because this allows the management console the ability to provide some rudimentary event correlation configuration by assigning particular alert-able records 
Regarding Claims 5, 14 and 20, the rejection of claims 1, 8 and 15 is incorporated and the combination of Loomis and Chakravarty does not explicitly disclose generating, by the security operations system, a record in response to the alarm, wherein the record includes a severity level assigned to the record, wherein the severity level is automatically generated based on a threat level identified in the alarm.
Agbabian discloses generating, by a security operations system, a record in response to an alarm, wherein the record includes a severity level assigned to the record (See, Fig. 4A, Numeral 404 and also Column 13, lines 16-25 and lines 51-57, Note: Please note that the examiner is interpreting the event of Fig. 3, Numeral 302, as an alarm since it includes event characterization data including a severity level, and the event generated by the security management module in step 404 as the claimed record), wherein the severity level is automatically generated based on a threat level identified in the alarm (See, Fig. 4A, Numeral 404, Column 13, lines 16-25 and lines 51-57, Note: the security management module simply adds time stamp data and location data to populate the event, which is being interpreted as a record, and uses the same event characterization data from the event of Fig. 3, which is being interpreted as an alarm).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to generate, in the system of Loomis and Chakravarty, by the security operations system, a record in response to the alarm wherein the record includes a severity level assigned to the record, wherein the severity 
Regarding Claims 11 and 18, the rejection of claims 10 and 17 is incorporated and the combination of Loomis, Chakravarty and Agbabian as applied in the rejection of claims 10 and 17 does not explicitly disclose automatically populating, by the security operations system, the selected form with the characteristics of the threat, wherein the selected form is associated with the record.
However, Chakravarty in the same reference discloses automatically populating, by the security operations system, the selected form with the characteristics of the threat (See, Paragraphs 0028-0029), wherein the selected form is associated with the record (See, Paragraph 0034).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to automatically populate, in the system of Loomis, Chakravarty and Agbabian, by the security operations system, the selected form with the characteristics of the threat, wherein the selected form is associated with the record and selected in response to a type of the threat, as taught by Chakravarty so that “a particular workflow process instance may be designed to remediate a particular type of incident” (See, Chakravarty, Paragraph 0028).

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

Claims 1-3, 5-12, 14-18 and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. US 10,552,615. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-20 of U.S. Patent No. US 10,552,615 anticipate claims 1-3, 5-12, 14-18 and 20.
Claims 4 and 21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,552,615 in view of Chakravarty.
Claim 4 requires the additional limitation wherein the type of threat includes at least one of data loss, denial of service (DoS), malware, virus, or a violation of a user policy.
Chakravarty discloses a network protection system wherein the type of threat includes at least one of data loss, denial of service (DoS), malware, virus, or a violation of a user policy (See, Chakravarty, Paragraph 0027).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have in the contextual data including the 
Claim 21 requires the additional limitation wherein the threat has the capability to impact confidentiality of data, availability of services or integrity of data.
Chakravarty discloses a network protection system wherein the threat has the capability to impact confidentiality of data, availability of services or integrity of data (See, Paragraphs 0003-0005).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to protect from a threat that has the capability to impact confidentiality of data, availability of services or integrity of data, as taught by Chakravarty, for guiding an incident response team to detect, analyze, contain, eradicate, and recover from a threat such as a data breach through a pre-defined set of tasks (See, Loomis, Paragraph 0005).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOGESH PALIWAL whose telephone number is (571)270-1807. The examiner can normally be reached M-F 9:00AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph P. Hirl, can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/YOGESH PALIWAL/           Primary Examiner, Art Unit 2435