DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
 
2.	Applicant’s response filed on March 2, 2022 has been considered.  Claims 1 and 10 have been amended.  New claims 19-20 have been added.  Claims 1-20 are pending.

Claim Rejections - 35 USC § 103

3.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

4.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Roundy et al. (U.S. 2017/0289178 A1), hereinafter “Roundy”, in view of Reybok et al. (U.S. 2015/0207813 A1), hereinafter “Reybok”.
Referring to claim 1:
	Roundy teaches:
	A method comprising:
	receiving, by a master secure orchestration and automated response (SOAR) node of a managed security service provider (MSSP), a plurality of messages via a secure router coupling a computing environment of the MSSP in communication with respective computing environments of a plurality of customers of the MSSP, wherein the plurality of messages contain information regarding a plurality of alerts relating to network infrastructure of the plurality of customers (see Roundy, [0037] ‘a managed security service provider (“MSSP”)… may aggregate and/or normalize signature reports, or other notifications [i.e., a plurality of alerts from a plurality of customers],’; [0045] ‘firewall [i.e., a secure router]’; [0075] ‘multi-tenancy within a cloud-based computing…a server [i.e., a master SOAR node]…tenants [i.e., the tenant SOAR nodes]’); and
	based on an investigation into an alert of the plurality of alerts relating to a network infrastructure of a customer of the plurality of customers, causing, by the master SOAR node, a workflow to be remotely executed by a tenant SOAR node of the plurality of tenant SOAR nodes within the computing environment of the customer of the plurality of customers (see Roundy, [0003] ‘(2) querying an association database with the signature report to deduce another signature report [i.e., investigating]’; [0037] ‘a managed security service provider (“MSSP”) may function according to a MSSP workflow 402,’; [0042] ‘protective action may include…a remedial action such as …executing one or more cleaning or inoculation scripts or programs [i.e., ‘workflow’], enabling…one or more security measures [i.e., ‘workflow’]…(e.g., where one or more of these protective actions [i.e., ‘workflow’] are specifically prescribed and/or tailed to signature report 210 and/or signature report 212)’).
	Roundy further discloses sharing resources among tenants (see Roundy, [0075] ‘sharing…among multiple customers (i.e., tenants)’).
	However, Roundy does not disclose data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers, and wherein the information provided to the master SOAR node is controlled by data sharing policies.
	Reybok discloses data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers and wherein the information provided to the master SOAR node is controlled by data sharing policies (see Reybok, [0055] ‘client-provided rules…sharing policy …sharing of queries and/or response data…’; [0033] ‘each query and/or any provided results are sanitized, to strip some or all information identifying a reporting client, directly or indirectly. ... In another embodiment, these functions [i.e., sanitizing, stripping some identifying information] can be partially or fully performed on a client portal (e.g., ACP).’).
	In addition, Reybok further discloses a router (see Reybok, ‘routes this information to one or more other clients based on profile information’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Reybok to the system of Roundy to include data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers.  Roundy teaches “methods for detecting security threats” (see Roundy, [0017]).  Therefore, Reybok’s teaching could enhance the system of Roundy, because Reybok teaches “techniques systems for pooling and filtering security threat data across multiple, diverse networks” (see Reybok, [0025]).
Referring to claims 2, 11:
	Roundy and Reybok further disclose:
	wherein remote execution of the workflow by the tenant SOAR node causes a network security device within the computing environment of the customer to perform an action (see Roundy, [0042] ‘protective action may include…a remedial action such as …executing one or more cleaning or inoculation scripts or programs [i.e., where executing ‘scripts or programs’ corresponds to ‘workflow’], enabling…one or more security measures…(e.g., where one or more of these protective actions are specifically prescribed and/or tailed to signature report 210 and/or signature report 212)’).
Referring to claims 3, 12:
	Roundy and Reybok further disclose:
	wherein the network security device comprises a firewall and wherein the action is blocking of network traffic (see Roundy, [0049] ‘not blocked, blocked,’. Additionally, Reybok, [0030] ‘block a suspicious IP address’; [0037] ‘automatically block traffic associated with a specific IP address’).
Referring to claims 4, 13:
	Roundy and Reybok further disclose:
	wherein the network security device comprises an intrusion detection system and wherein the action is providing additional information regarding the alert (see Roundy, [0079] ‘intrusion detection and prevention systems’. Additionally, Reybok, [0073] ‘intrusion monitoring or detection service (IDS)’).
Referring to claims 5, 14:
	Roundy and Reybok further disclose:
	wherein the network security device comprises a Security Information and Event Management (SIEM) system and wherein the action is providing additional information regarding the alert (see Reybok, [0034] ‘a security incident management system (“SEIMS”)’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Reybok to the system of Roundy to include a security information and event management (SIEM) system.  Roundy teaches “methods for detecting security threats” (see Roundy, [0017]).  Therefore, Reybok’s teaching could enhance the system of Roundy, because Reybok teaches “techniques systems for pooling and filtering security threat data across multiple, diverse networks” (see Reybok, [0025]).
Referring to claims 6, 15:
	Roundy and Reybok further disclose:
	wherein the master SOAR node need not have inbound network connectivity to the computing environment of the customer (see Roundy, [0070] ‘a communication interface, such as communication interface 522 in FIG. 5, may be used to provide connectivity between each client system 610, 620, and 630 and network 650.’. And, Reybok, [0084] ‘other identifier (e.g., associated with inbound or outbound traffic)’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Reybok to the system of Roundy to include only outbound network connectivity.  Roundy teaches “methods for detecting security threats” (see Roundy, [0017]).  Therefore, Reybok’s teaching could enhance the system of Roundy, because Reybok teaches “techniques systems for pooling and filtering security threat data across multiple, diverse networks” (see Reybok, [0025]).
Referring to claims 7, 16:
	Roundy and Reybok further disclose:
	wherein the workflow is triggered responsive to a workflow on the master SOAR node in support of an analyst of the MSSP performing a generic investigation relating to the alert (see Roundy, [0030] ‘investigate’).
Referring to claims 8, 17:
	Roundy and Reybok further disclose:
	wherein guaranteed delivery of the plurality of messages is facilitated by implementation of a local database by each of the plurality of tenant SOAR nodes into which unsent messages of the plurality of messages are stored during periods of loss of connectivity with the secure router (see Roundy, fig. 5, 120 ‘database’; [0067] ‘client systems 610…such as exemplary computing system 510 in fig. 5.’).
Referring to claims 9, 18:
	Roundy and Reybok further disclose:
	wherein guaranteed delivery of the plurality of messages is facilitated by implementation of a local database within the secure router into which undelivered messages of the plurality of messages are stored during periods of loss of connectivity with the master SOAR node (see Roundy, [0067] ‘servers 640 and 645 generally represent computing devices or systems, such as application servers or database servers, configured to provide various database services and/or run certain software applications.’).
Referring to claim 10:
	Roundy teaches:
	a master secure orchestration and automated response (SOAR) node within a computing environment of a managed security service provider (MSSP) (see Roundy, [0037] ‘a managed security service provider (“MSSP”) may function according to a MSSP workflow 402,’);
	a plurality of tenant SOAR nodes within respective computing environments of a plurality of customers of the MSSP (see Roundy, [0075] ‘multi-tenancy within a cloud-based computing…a server [i.e., a master SOAR node]…tenants [i.e., the tenant SOAR nodes]’);
	a secure router logically interposed between the master SOAR node and the plurality of tenant SOAR nodes (see Roundy, [0045] ‘firewall [i.e., a secure router]’); and wherein the master SOAR node performs a method comprising:
	receiving, by a master secure orchestration and automated response (SOAR) node of a managed security service provider (MSSP), a plurality of messages via a secure router coupling a computing environment of the MSSP in communication with respective computing environments of a plurality of customers of the MSSP, wherein the plurality of messages contain information regarding a plurality of alerts relating to network infrastructure of the plurality of customers (see Roundy, [0037] ‘a managed security service provider (“MSSP”)… may aggregate and/or normalize signature reports, or other notifications [i.e., a plurality of alerts from a plurality of customers],’; [0045] ‘firewall [i.e., a secure router]’; [0075] ‘multi-tenancy within a cloud-based computing…a server [i.e., a master SOAR node]…tenants [i.e., the tenant SOAR nodes]’); and
	based on an investigation into an alert of the plurality of alerts relating to a network infrastructure of a customer of the plurality of customers, causing, by the master SOAR node, a workflow to be remotely executed by a tenant SOAR node of the plurality of tenant SOAR nodes within the computing environment of the customer of the plurality of customers (see Roundy, [0003] ‘(2) querying an association database with the signature report to deduce another signature report [i.e., investigating]’; [0037] ‘a managed security service provider (“MSSP”) may function according to a MSSP workflow 402,’; [0042] ‘protective action may include…a remedial action such as …executing one or more cleaning or inoculation scripts or programs, enabling…one or more security measures…(e.g., where one or more of these protective actions are specifically prescribed and/or tailed to signature report 210 and/or signature report 212)’).
	Roundy further discloses sharing resources among tenants (see Roundy, [0075] ‘sharing…among multiple customers (i.e., tenants)’).
	However, Roundy does not disclose data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers, and wherein the information provided to the master SOAR node is controlled by data sharing policies.
	Reybok discloses data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers and wherein the information provided to the master SOAR node is controlled by data sharing policies (see Reybok, [0055] ‘client-provided rules…sharing policy …sharing of queries and/or response data…’; [0033] ‘each query and/or any provided results are sanitized, to strip some or all information identifying a reporting client, directly or indirectly. ... In another embodiment, these functions [i.e., sanitizing, stripping some identifying information] can be partially or fully performed on a client portal (e.g., ACP).’).
	In addition, Reybok further discloses a router (see Reybok, ‘routes this information to one or more other clients based on profile information’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Reybok to the system of Roundy to include data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers.  Roundy teaches “methods for detecting security threats” (see Roundy, [0017]).  Therefore, Reybok’s teaching could enhance the system of Roundy, because Reybok teaches “techniques systems for pooling and filtering security threat data across multiple, diverse networks” (see Reybok, [0025]).
Referring to claims 19, 20:
		Roundy and Reybok further disclose:
		wherein a first information from a first customer of the plurality of customers excludes data from a given field based upon the data sharing policies of the first customer, and wherein a second information from a second customer of the plurality of customers includes data from the given field based upon the data sharing policies of the second customer (see Reybok, [0055] ‘client-provided rules…sharing policy …sharing of queries and/or response data…’; [0033] ‘each query and/or any provided results are sanitized, to strip some or all information identifying a reporting client, directly or indirectly. ... In another embodiment, these functions [i.e., sanitizing, stripping some identifying information ] can be partially or fully performed on a client portal (e.g., ACP).’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Reybok to the system of Roundy to include data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers.  Roundy teaches “methods for detecting security threats” (see Roundy, [0017]).  Therefore, Reybok’s teaching could enhance the system of Roundy, because Reybok teaches “techniques systems for pooling and filtering security threat data across multiple, diverse networks” (see Reybok, [0025]).
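The architecture recited in claims 1, 6, 8 and 19-20 (tenant-side data sharing policies that decide which alert fields reach the master SOAR node, a master node that needs no inbound connectivity, and a local store for unsent messages during loss of connectivity with the secure router) is illustrated below in Python. This is an added example written for this page; it is not code from the present application, from Roundy or from Reybok, and every name in it (SharingPolicy, TenantSoarNode, MasterSoarNode, SecureRouter, run_demo, the alert fields and customer ids) is a constructed assumption. The keyed-hash pseudonymisation of a field is one way to realise Reybok's "converted to a format from which source identity cannot be discovered"; it is an illustration, not a statement of either reference's method.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class SharingPolicy:
    """Per-customer policy enforced on the tenant node: `drop_fields` never leave the
    customer environment; `pseudonymise_fields` are replaced by a keyed hash."""
    drop_fields: frozenset = frozenset()
    pseudonymise_fields: frozenset = frozenset()

def apply_policy(alert: dict, policy: SharingPolicy, secret: bytes) -> dict:
    """Return only the alert fields the customer's policy allows to be shared."""
    shared = {}
    for name, value in alert.items():
        if name in policy.drop_fields:
            continue
        if name in policy.pseudonymise_fields:
            tag = hmac.new(secret, str(value).encode(), hashlib.sha256).hexdigest()
            shared[name] = "hmac:" + tag[:16]  # master can correlate, not recover
        else:
            shared[name] = value
    return shared

class MasterSoarNode:
    """MSSP-side node: stores received messages and queues workflow requests that
    tenants pull, so it needs no inbound connectivity to customer environments."""
    def __init__(self):
        self.received = []
        self.pending_workflows = {}  # customer_id -> [workflow name, ...]
    def receive(self, message: dict) -> None:
        self.received.append(message)
    def request_workflow(self, customer_id: str, workflow: str) -> None:
        self.pending_workflows.setdefault(customer_id, []).append(workflow)

class SecureRouter:
    """Stand-in for the secure router; `up` models connectivity in both directions."""
    def __init__(self, master: MasterSoarNode):
        self.master, self.up = master, True
    def forward(self, message: dict) -> None:
        if not self.up:
            raise ConnectionError("secure router unreachable")
        self.master.receive(message)
    def fetch_workflows(self, customer_id: str) -> list:
        if not self.up:
            raise ConnectionError("secure router unreachable")
        return self.master.pending_workflows.pop(customer_id, [])

class TenantSoarNode:
    """Customer-side node: filters alerts by policy, keeps unsent messages in a local
    store (a list here, a database in practice) and polls outbound for workflows."""
    def __init__(self, customer_id: str, policy: SharingPolicy, secret: bytes, router):
        self.customer_id, self.policy, self.secret, self.router = customer_id, policy, secret, router
        self.outbox = []      # unsent messages, kept until delivery succeeds
        self.workflows = {}   # workflow name -> callable run inside the customer environment
        self.executed = []
    def report_alert(self, alert: dict) -> int:
        message = {"customer_id": self.customer_id,
                   "alert": apply_policy(alert, self.policy, self.secret)}
        self.outbox.append(message)  # persist first, then attempt delivery
        return self.flush()
    def flush(self) -> int:
        # Deliver queued messages in order; stop at the first failure, keep the rest.
        delivered = 0
        while self.outbox:
            try:
                self.router.forward(self.outbox[0])
            except ConnectionError:
                break
            self.outbox.pop(0)
            delivered += 1
        return delivered
    def poll_workflows(self) -> list:
        # Outbound pull of pending workflow requests; run the ones registered locally.
        requested = self.router.fetch_workflows(self.customer_id)
        for name in requested:
            if name in self.workflows:
                self.executed.append(self.workflows[name]())
        return requested

def run_demo():
    """Constructed scenario: two customers with different policies, plus a router
    outage while customer B reports; returns the resulting state for inspection."""
    master = MasterSoarNode()
    router = SecureRouter(master)
    alert = {"alert_id": "A-1", "signature": "example.signature",   # constructed alert
             "src_ip": "10.0.0.5", "hostname": "ws-finance-07"}
    policy_a = SharingPolicy(drop_fields=frozenset({"src_ip"}),
                             pseudonymise_fields=frozenset({"hostname"}))
    cust_a = TenantSoarNode("cust-a", policy_a, b"key-a", router)
    cust_b = TenantSoarNode("cust-b", SharingPolicy(), b"key-b", router)
    cust_a.report_alert(alert)
    router.up = False
    held = cust_b.report_alert(alert)   # 0 delivered; message waits in the outbox
    router.up = True
    replayed = cust_b.flush()           # 1 delivered once connectivity returns
    master.request_workflow("cust-a", "block_ip")
    cust_a.workflows["block_ip"] = lambda: "firewall block rule applied"
    ran = cust_a.poll_workflows()
    return master.received, held, replayed, ran, cust_a.executed
```

In the scenario, customer A's message reaches the master without the `src_ip` field and with a keyed-hash `hostname`, while customer B's message carries both fields unchanged, which is the asymmetry claims 19-20 recite. Customer B's message is written to the outbox before any delivery attempt, so the outage costs nothing but latency, and the workflow request for customer A is executed only after the tenant node pulls it over an outbound connection.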

Response to Arguments
5.	Applicant's arguments filed March 2, 2022 have been fully considered but they are not persuasive.
(a)	Applicant submits:
“In the claim, the messages are provided to the master SOAR node. It is information that is included in those messages that is controlled by respective data sharing policies implemented by the tenant SOAR nodes. This is in stark contrast to Reybok where the message itself is sent or not, and not select information within the message that is sent or not.” (see page 7, 2nd par)
Examiner maintains:
Reybok discloses [0055] ‘client-provided rules…sharing policy …sharing of queries and/or response data…’; [0033] ‘each query and/or any provided results are sanitized, to strip some or all information identifying a reporting client, directly or indirectly. ... information such as Internet Protocol (IP) addresses which identify a target or its domain can be removed and/or converted to a format from which source identity cannot be discovered. …In another embodiment, these functions [i.e., sanitizing, stripping some identifying information from the message ] can be partially or fully performed on a client portal (e.g., ACP).’
Therefore, Reybok discloses that it is information included in those messages that is controlled by respective data sharing policies implemented by the tenant SOAR nodes.
Therefore, the combination of references discloses the claimed limitation.
(b)	Applicant submits:
“Accordingly, the combination of Roundy and Reybok does not disclose, teach or suggest receiving, by a master SOAR node, a plurality of messages, where the plurality of messages contain information regarding a plurality of alerts relating to network infrastructure of the plurality of customers, and where the information provided to the master SOAR node is controlled by data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers.”
Examiner maintains:
The combination of references discloses the claimed limitation (see (a) above).

Conclusion

6.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
(a)	Sadeh-Koniecpol; Norman et al. (US 11158207 B1) disclose Context-aware cybersecurity training systems, apparatuses, and methods;
(b)	Fang; Chunsheng et al. (US 11003773 B1) disclose System and method for automatically generating malware detection rule recommendations;
(c)	Petersen; Christopher L. et al. (US 20200125725 A1) disclose generation and maintenance of identity profiles for implementation of security response;
(d)	Lifshitz; Boris et al. (US 20190380037 A1) disclose System, Device, and Method of Detecting, Mitigating and Isolating a Signaling Storm;
(e)	Moore; Sean et al. (US 10333898 B1) disclose Methods and systems for efficient network protection;
(f)	Aher; Derek et al. (US 20190182267 A1) disclose vehicle security manager;
(g)	Rieke; Malcolm (US 20190182267 A1) disclose vehicle security manager.
 

7.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
	A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571) 272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar, can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/PEILIANG PAN/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492