DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is a Final Office action in response to communications received on 03/31/2022.

Response to Amendment
Examiner’s objection of claims 1, 10 and 20 is withdrawn in light of the applicant’s amendments to the claims. 
Applicant’s arguments with respect to claims 1, 10 and 20 regarding the new limitations: “selecting an initial set of use cases for the new subscriber based on use cases deployed by the identified subscribers and subscriber containers with a log of use case history” have been considered but are moot in view of the new ground of rejection presented in the current rejection.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 3, 5, 10, 12, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 20170316203 to Reybok et al. (hereinafter Reybok) and prior art of record JP2007164465 to Morikawa (hereinafter Morikawa).
As per claims 1, 10 and 20, Reybok teaches:
A computer-implemented method comprising: 
storing a plurality of use case records in a use case repository, wherein each use case record provides a diagnostic definition of a security threat to a SIEM environment (Reybok: [0075]: Security-related events detected by these various components are routed to a security event incident management service (SEIMS) 785, which logs events as necessary in database 788. [0030]: central query routing and/or aggregation service also provides remedial measures to counteract a possible threat which has been determined to be correlated with historical (filtered) data. For example, antimalware (e.g., antivirus) definitions can be updated for the reporting network. Other versions of remedial measures can include (a) providing a template to a security system of the reporting client which then implements the template as an execution operand, i.e., to automatically block a suspicious IP address. [0046]: For example, in one embodiment, a database 335 maintained by a central query routing and/or aggregating service (either the same as database 317 or a different database) can store one or more measures adapted for use in defeating a correlated threat. [0077]); 
storing metadata for a plurality of attributes of subscribers to the SIEM environment (Reybok: [0045]: Alternatively, the administrator can be presented with a set of questions to respond to describing the client network, the answers of which can be used to build profile information, for example, by specifying things like company type, company identity, network type, types of machines, types of traffic, past threats, types of websites offers, security configuration, business segments, whether online payment or online commerce is supported, and many other types of information);
storing use cases that the subscribers have deployed from the use case repository (Reybok: [0030]. [0046]: For example, in one embodiment, a database 335 maintained by a central query routing and/or aggregating service (either the same as database 317 or a different database) can store one or more measures adapted for use in defeating a correlated threat. If desired, the stored measures can be measures that have been reported to be (or proven to be) successful against the particular threat, for example, measures tried by other clients with success); and 
setting up a new subscriber, wherein setting up the new subscriber comprises: receiving a set of attributes of the new subscriber (Reybok: [0036]: Per numeral 103, the method receives information (e.g., a security event) representing a possible threat to a first network; this network can be for example a third party client network. Per numeral 105, the method also identifies (i.e., somehow receives) profile information associated with the first network. In another embodiment, profile information can be transmitted together with a query or reporting of a security event to a central service. [0039]: this service is seen to be connected to a wide area network (WAN) 205, in this case the Internet, and in turn to have a number of clients represented by networks “NET1,” “NET2”. . . “NETn.” For example, each of these networks can be a public or private enterprise which pays a subscription fee to the central service 203 in order to receive access to pooled resources); 
searching a metadata store to identify subscribers with attributes that are similar to the set of attributes; and selecting an initial set of use cases for the new subscriber based on use cases deployed by the identified subscribers (Reybok: [0036]: Any ensuing searching/querying is represented by numerals 107 and 109, i.e., the central service receives information from a local or distributed database (with individual third party client queries as necessary) associated with threats to diverse entities, and it correlates the threat from the first network with information effectively found from the pooled database. Per numeral 111, either the querying/searching or any returned results are filtered to improve relevancy, to limit results to threats reported by entities having profile information matching at least one characteristic associated with the first network. Once again, profile information can be any type of characterization associated with the first network, including a group membership or a threat indicator associated with activity for that network. [0045]: The answers of which can be used to build profile information (subscriber container), for example, by specifying things like company type, company identity, network type, types of machines, types of traffic, past threats, types of websites offers, security configuration. [0046]: If multiple measures are discovered to be useful in defeating a specific threat, the notification message can include a ranking of different remedial measures in terms of their efficacy. [0047]. [0048]: each client can supply other information regarding the configuration of its network, such as types of network security equipment, network size, and so forth. In one embodiment, a central query service and/or cloud service uses these types of information (or any subset of them) in order to link reported events to any particular client or other source, to send notifications or take remedial measure).
Reybok teaches selecting remedial measures based on remedial measures deployed by other networks and based on stored profile information of other networks that includes security configurations of the networks but does not teach subscriber containers with a log of use case history. However, Morikawa teaches:
subscriber containers with a log of use case history (Morikawa: page 6: [0025]: FIG. 8 is an asset list table in which list information of clients 102 subject to security diagnosis in the asset management database 124 is stored. Column 801 stores an asset ID for uniquely identifying the target client 102. Pages 6-7: [0028]: FIG. 10 represents a table in which information about the virus definition pattern provided to the client 102 is stored. Column 1001 stores a virus definition ID for uniquely identifying the type of virus definition pattern provided. Column 1002 stores the software name of the antivirus software corresponding to the virus definition ID in the same row. Column 1003 stores the version information of the anti-virus software corresponding to the virus definition ID in the same row).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Morikawa in the invention of Reybok to include the above limitations. The motivation to do so would be to provide a client security management system for improving the security level of the entire system by managing and analyzing security measure information acquired from individual client assets as a history (Morikawa: page 2: [0007]).

As per claims 3 and 12, Reybok in view of Morikawa teaches:
The method of claim 1, further comprising deploying the initial set of use cases in the SIEM environment (Reybok: [0075]: Security-related events detected by these various components are routed to a security event incident management service (SEIMS) 785, which logs events as necessary in database 788. [0030]: central query routing and/or aggregation service also provides remedial measures to counteract a possible threat which has been determined to be correlated with historical (filtered) data. For example, antimalware (e.g., antivirus) definitions can be updated for the reporting network. Other versions of remedial measures can include (a) providing a template to a security system of the reporting client which then implements the template as an execution operand, i.e., to automatically block a suspicious IP address. [0046]: If multiple measures are discovered to be useful in defeating a specific threat, the notification message can include a ranking of different remedial measures in terms of their efficacy. [0047]).

As per claims 5 and 14, Reybok in view of Morikawa teaches:
The method of claim 1, wherein a subscriber use case store is used to store respective subscriber containers, each storing at least the use cases deployed by the subscriber corresponding to the use case store (Morikawa: page 6: [0025]: FIG. 8 is an asset list table in which list information of clients 102 subject to security diagnosis in the asset management database 124 is stored. Column 801 stores an asset ID for uniquely identifying the target client 102. Column 802 stores the host name corresponding to the asset ID in the same row. Column 803 stores the IP address corresponding to the asset ID in the same row. Column 804 stores the MAC address corresponding to the asset ID in the same row. Pages 6-7: [0028]: FIG. 10 represents a table in which information about the virus definition pattern provided to the client 102 is stored. Column 1001 stores a virus definition ID for uniquely identifying the type of virus definition pattern provided. Column 1002 stores the software name of the antivirus software corresponding to the virus definition ID in the same row. Column 1003 stores the version information of the anti-virus software corresponding to the virus definition ID in the same row. Column 1004 stores the virus definition version information of the antivirus software corresponding to the virus definition ID in the same row. Column 1005 stores the engine version information of the antivirus software corresponding to the virus definition ID in the same row. Column 1006 stores the provision start date and time of the virus definition pattern corresponding to the virus definition ID in the same row. From the data stored in this table, it is possible to calculate the period from when the virus definition pattern is provided until it is applied).

Claims 2 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Reybok in view of Morikawa as applied to claims 1 and 10 above, and further in view of prior art of record US 11265338 to Murphy et al. (hereinafter Murphy).
As per claims 2 and 11, Reybok in view of Morikawa teaches:
The method of claim 1, further comprising supplying the initial set of use cases to a SIEM management user interface for the new subscriber (Reybok: [0046]: If multiple measures are discovered to be useful in defeating a specific threat, the notification message can include a ranking of different remedial measures in terms of their efficacy. [0055]: in one embodiment, query results represent respective, diverse networks (filtered as appropriate) and the first network is informed of the number of “hits,” a ranked threat level provided by the central service, and a comparison with any local search results. Other information can also be provided (e.g., a suggested remedial measure) or this can be provided responsive to separate query. Results can be displayed to an administrator per a dashboard function for the first network. [0075]: As noted earlier, some embodiments can provide for client-elective use of a vulnerability assessment tool (VAT) 793 as a response to a detected threat).
Reybok in view of Morikawa does not explicitly teach: wherein the SIEM management user interface comprises user controls configured to allow a system administrator to approve and reject the use cases for deployment in the new subscriber's SIEM environment. However, Murphy teaches:
wherein the SIEM management user interface comprises user controls configured to allow a system administrator to approve and reject the use cases for deployment in the new subscriber's SIEM environment (Murphy: column 14, lines 30-35: SIEM system 230. Column 32, lines 20-67: Automate Information (a portion of automation): The execution of a single (and possibly simple) action one time, such as the blocking an IP address from accessing computing platform 60 whenever such an attempt is made. Orchestrate Information (a portion of automation): The execution of a more complex batch (or series) of tasks, such as sensing an unauthorized download via an API and a) shutting down the API, adding the requesting IP address to a blacklist, and closing any ports opened for the requestor. For example, the third-party (e.g., the user/owner/operator of computing network 60) may choose to add/initiate the automation information to generate revised security-relevant information 1250′. Accordingly, threat mitigation process 10 may render selectable options (e.g., selectable buttons 1254, 1256) that the third-party (e.g., the user/owner/operator of computing network 60) may select to manipulate initial security-relevant information 1250 with automation information to generate revised security-relevant information 1250′. For this particular example, the third-party (e.g., the user/owner/operator of computing network 60) may choose two different options to manipulate initial security-relevant information 1250, namely: “block ip” or “search”, both of which will result in threat mitigation process 10 generating 1208 revised security-relevant information 1250′).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Murphy in the invention of Reybok in view of Morikawa to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

Claims 4 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Reybok in view of Morikawa as applied to claims 1 and 10 above, and further in view of prior art of record US 9256761 to Sahu et al. (hereinafter Sahu).
As per claims 4 and 13, Reybok in view of Morikawa does not teach the limitations of claim 4. However, Sahu teaches:
further comprising using a page ranking algorithm to search the metadata store to identify the subscribers with common attributes (Sahu: column 40, lines 29-48: Certain embodiments may identify recommendations based at least partially on similarities of characteristics of a first end user and characteristics of other users having associations with entities (e.g., having added the entities to their collections). Any suitable algorithm for assessing similarity may be employed. Some embodiments may identify intersections between multiple sets of characteristics. Having set intersections identified, the intersections may be compared. A greater extent of an intersection may be an indication of a greater degree of similarity between the users. In some embodiments, the sets may be ranked according to the extent of the intersections).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Sahu in the invention of Reybok in view of Morikawa to include the above limitations. The motivation to do so would be to identify a set of one or more recommendations (Sahu: column 40, lines 31-34).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Reybok in view of Morikawa as applied to claim 1, and further in view of prior art of record US 20210182388 to Myneni et al. (hereinafter Myneni).
As per claim 7, Reybok in view of Morikawa teaches:
The method of claim 1, further comprising selecting, by a machine learning algorithm, an updated set of use cases for a particular existing subscriber (Reybok: [0030]: central query routing and/or aggregation service also provides remedial measures to counteract a possible threat which has been determined to be correlated with historical (filtered) data. For example, antimalware (e.g., antivirus) definitions can be updated for the reporting network).
Reybok in view of Morikawa teaches providing updated antimalware definitions but does not teach: selecting, by a machine learning algorithm, an updated set of use cases for a particular existing subscriber. However, Myneni teaches:
selecting, by a machine learning algorithm, an updated set of use cases for a particular existing subscriber (Myneni: [0023]: provide a machine learning component which analyzes real-time data using artificial intelligence and/or pattern recognition to identify a set of options, including at least one response action which the user can take to remediate the intrusion event associated with the alert).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Myneni in the invention of Reybok in view of Morikawa to include the above limitations. The motivation to do so would be to enable reduced network traffic and improvements in human-machine interface where the user spends less time searching for relevant data to determine which options may be appropriate to respond to the alert (Myneni: [0029]).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Reybok in view of Morikawa and Myneni as applied to claim 7 above, and further in view of prior art of record US 20130124449 to Pinckney et al. (hereinafter Pinckney).
As per claim 8, Reybok in view of Morikawa and Myneni teaches:
The method of claim 7, wherein the selecting the updated set of use cases for a particular existing subscriber (Reybok: [0030]: For example, antimalware (e.g., antivirus) definitions can be updated for the reporting network) comprises: computing respective similarity values of a similarity metric between a pair of existing subscribers, including the particular existing subscriber and other existing subscribers, wherein the similarity metric is based on which use cases are common to the pair of subscribers; and selecting an updated set of use cases for the particular existing subscriber based on the use cases deployed by other subscribers with similarity values above a threshold (Reybok: claim 36: determine a set of common characteristics between the first network device and the alternative network device; identify at least one third network device having the set of common characteristics; wherein the remediation action comprises providing a notification to the at least one third network device of possible threats indicated from network devices having the set of common characteristics. [0030]: (b) storing a database of remedial measures for specific threats used by other clients, and then notifying an entity of remedial measures reported to have been successful against the specific threat (e.g., if multiple remedial measures are provided, these can be further ranked in terms of efficacy)).
Reybok in view of Morikawa and Myneni teaches notifying a third device with a set of common characteristics regarding possible threats but does not explicitly teach similarity values above a threshold. However, Pinckney teaches:
similarity values above a threshold (Pinckney: [0331] According to various exemplary embodiments, the recommendation system 4400 is configured to determine the user-to-user similarity of two or more users (e.g., determine whether a first user is similar to a second user), based on the user parameters in the user matrix U. For example, the prediction module 4404 may determine that a first user is similar to a second user, by determining the cosine similarity between two vectors corresponding to the user parameters of the first and second users, and determining that the cosine similarity is greater than or less than a specific threshold).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Pinckney in the invention of Reybok in view of Morikawa and Myneni to include the above limitations. The motivation to do so would be to assign recommendations or affinity ratings associated with the first user to the second user, and vice versa (Pinckney: [0334]).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Reybok in view of Morikawa and Myneni as applied to claim 7 above, and further in view of Murphy.
As per claim 9, Reybok in view of Morikawa and Myneni teaches:
The method of claim 7, further comprising supplying the updated set of use cases to a SIEM management user interface for the particular existing subscriber (Reybok: [0075]: Security-related events detected by these various components are routed to a security event incident management service (SEIMS) 785, which logs events as necessary in database 788. [0046]: If multiple measures are discovered to be useful in defeating a specific threat, the notification message can include a ranking of different remedial measures in terms of their efficacy. [0055]: in one embodiment, query results represent respective, diverse networks (filtered as appropriate) and the first network is informed of the number of “hits,” a ranked threat level provided by the central service, and a comparison with any local search results. Other information can also be provided (e.g., a suggested remedial measure) or this can be provided responsive to separate query. Results can be displayed to an administrator per a dashboard function for the first network. [0075]: As noted earlier, some embodiments can provide for client-elective use of a vulnerability assessment tool (VAT) 793 as a response to a detected threat).
Reybok in view of Morikawa and Myneni does not explicitly teach: the SIEM management user interface comprises user controls configured to allow a system administrator to approve and reject the use cases for deployment in the new subscriber's SIEM environment. However, Murphy teaches:
the SIEM management user interface comprises user controls configured to allow a system administrator to approve and reject the use cases for deployment in the new subscriber's SIEM environment (Murphy: column 14, lines 30-35: SIEM system 230. Column 32, lines 20-67: Automate Information (a portion of automation): The execution of a single (and possibly simple) action one time, such as the blocking an IP address from accessing computing platform 60 whenever such an attempt is made. Orchestrate Information (a portion of automation): The execution of a more complex batch (or series) of tasks, such as sensing an unauthorized download via an API and a) shutting down the API, adding the requesting IP address to a blacklist, and closing any ports opened for the requestor. For example, the third-party (e.g., the user/owner/operator of computing network 60) may choose to add/initiate the automation information to generate revised security-relevant information 1250′. Accordingly, threat mitigation process 10 may render selectable options (e.g., selectable buttons 1254, 1256) that the third-party (e.g., the user/owner/operator of computing network 60) may select to manipulate initial security-relevant information 1250 with automation information to generate revised security-relevant information 1250′. For this particular example, the third-party (e.g., the user/owner/operator of computing network 60) may choose two different options to manipulate initial security-relevant information 1250, namely: “block ip” or “search”, both of which will result in threat mitigation process 10 generating 1208 revised security-relevant information 1250′).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Murphy in the invention of Reybok in view of Morikawa and Myneni to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

Claims 16, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Reybok in view of Morikawa as applied to claim 10 above, and further in view of Myneni and Pinckney.
As per claim 16, Reybok in view of Morikawa teaches:
The system of claim 10, further configured to: 
select, by a machine learning algorithm, an updated set of use cases for a particular existing subscriber, wherein the selecting the updated set of use cases for a particular existing subscriber (Reybok: [0030]: central query routing and/or aggregation service also provides remedial measures to counteract a possible threat which has been determined to be correlated with historical (filtered) data. For example, antimalware (e.g., antivirus) definitions can be updated for the reporting network) comprises: 
computing respective similarity values of a similarity metric between a pair of existing subscribers, including the particular existing subscriber and other existing subscribers, wherein the similarity metric is based on which use cases are common to the pair of subscribers; and selecting an updated set of use cases for the particular existing subscriber based on the use cases deployed by other subscribers with similarity values above a threshold (Reybok: claim 36: determine a set of common characteristics between the first network device and the alternative network device; identify at least one third network device having the set of common characteristics; wherein the remediation action comprises providing a notification to the at least one third network device of possible threats indicated from network devices having the set of common characteristics. [0030]: (b) storing a database of remedial measures for specific threats used by other clients, and then notifying an entity of remedial measures reported to have been successful against the specific threat (e.g., if multiple remedial measures are provided, these can be further ranked in terms of efficacy)).
Reybok in view of Morikawa teaches providing updated antimalware definitions but does not teach: selecting, by a machine learning algorithm, an updated set of use cases for a particular existing subscriber. Also, Reybok in view of Morikawa teaches notifying a third device with a set of common characteristics regarding possible threats but does not explicitly teach similarity values above a threshold. However, Myneni teaches:
selecting, by a machine learning algorithm, an updated set of use cases for a particular existing subscriber (Myneni: [0023]: provide a machine learning component which analyzes real-time data using artificial intelligence and/or pattern recognition to identify a set of options, including at least one response action which the user can take to remediate the intrusion event associated with the alert).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Myneni in the invention of Reybok in view of Morikawa to include the above limitations. The motivation to do so would be to enable reduced network traffic and improvements in human-machine interface where the user spends less time searching for relevant data to determine which options may be appropriate to respond to the alert (Myneni: [0029]).
Reybok in view of Morikawa and Myneni does not explicitly teach similarity values above a threshold. However, Pinckney teaches:
similarity values above a threshold (Pinckney: [0331] According to various exemplary embodiments, the recommendation system 4400 is configured to determine the user-to-user similarity of two or more users (e.g., determine whether a first user is similar to a second user), based on the user parameters in the user matrix U. For example, the prediction module 4404 may determine that a first user is similar to a second user, by determining the cosine similarity between two vectors corresponding to the user parameters of the first and second users, and determining that the cosine similarity is greater than or less than a specific threshold).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Pinckney in the invention of Reybok in view of Morikawa and Myneni to include the above limitations. The motivation to do so would be to assign recommendations or affinity ratings associated with the first user to the second user, and vice versa (Pinckney: [0334]).

As per claim 18, Reybok in view of Morikawa, Myneni and Pinckney teaches:
The system of claim 16, further configured to deploy the updated set of use cases in the subscriber SIEM environment (Reybok: [0030]: central query routing and/or aggregation service also provides remedial measures to counteract a possible threat which has been determined to be correlated with historical (filtered) data. For example, antimalware (e.g., antivirus) definitions can be updated for the reporting network).

As per claim 19, Reybok in view of Morikawa, Myneni and Pinckney teaches:
The system of claim 16, wherein the ongoing configuration module comprises a cosine similarity algorithm for computing the similarity values between pairs of existing subscribers (Pinckney: [0331] According to various exemplary embodiments, the recommendation system 4400 is configured to determine the user-to-user similarity of two or more users (e.g., determine whether a first user is similar to a second user), based on the user parameters in the user matrix U. For example, the prediction module 4404 may determine that a first user is similar to a second user, by determining the cosine similarity between two vectors corresponding to the user parameters of the first and second users, and determining that the cosine similarity is greater than or less than a specific threshold).
The examiner provides the same rationale to combine the references Reybok in view of Morikawa, Myneni and Pinckney as in claim 16 above.
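As an added illustration (not code from the application or from any of the cited references), the following constructed Python sketch shows the two selection procedures recited in the claims: attribute matching to choose an initial set of use cases for a new subscriber (claim 1), and cosine similarity over deployed use cases with a threshold to choose an updated set for an existing subscriber (claims 8, 16 and 19). All subscriber data, use case identifiers, the Jaccard attribute metric and the threshold values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from math import sqrt


@dataclass
class UseCaseRecord:
    """One record in the use case repository: a diagnostic definition of a threat."""
    use_case_id: str
    definition: str


@dataclass
class Subscriber:
    """Subscriber container: attribute metadata, deployed use cases and a history log."""
    name: str
    attributes: frozenset
    deployed: set = field(default_factory=set)
    history: list = field(default_factory=list)


# Constructed use case repository (ids and definitions are illustrative only)
USE_CASE_REPOSITORY = {
    "UC-BRUTE": UseCaseRecord("UC-BRUTE", "many failed logons from one source"),
    "UC-EXFIL": UseCaseRecord("UC-EXFIL", "large outbound transfer to a new host"),
    "UC-PAY": UseCaseRecord("UC-PAY", "anomalous calls to the payment API"),
    "UC-PRIV": UseCaseRecord("UC-PRIV", "privilege change outside a change window"),
    "UC-WEB": UseCaseRecord("UC-WEB", "burst of web server errors"),
}


def deploy(sub, use_case_ids, approved_by):
    """Deploy use cases into a subscriber container and append to its history log."""
    for uc in use_case_ids:
        if uc not in USE_CASE_REPOSITORY:
            raise KeyError(f"unknown use case {uc}")
        sub.deployed.add(uc)
        sub.history.append((uc, "deployed", approved_by))


# Constructed existing subscribers; the attribute strings mirror profile fields
# named in the claims (company type, network size, online payment support).
SUBSCRIBERS = {
    "A": Subscriber("A", frozenset({"sector:finance", "size:large", "payments:yes"})),
    "B": Subscriber("B", frozenset({"sector:finance", "size:medium", "payments:yes"})),
    "C": Subscriber("C", frozenset({"sector:retail", "size:small", "payments:no"})),
    "D": Subscriber("D", frozenset({"sector:health"})),  # nothing deployed yet
}
deploy(SUBSCRIBERS["A"], ["UC-BRUTE", "UC-EXFIL", "UC-PAY"], "admin-a")
deploy(SUBSCRIBERS["B"], ["UC-BRUTE", "UC-PAY", "UC-PRIV"], "admin-b")
deploy(SUBSCRIBERS["C"], ["UC-WEB"], "admin-c")


def attribute_similarity(a, b):
    """Jaccard overlap of two attribute sets (the choice of metric is an assumption)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def select_initial_use_cases(new_attrs, subscribers, min_similarity):
    """Claim 1 procedure: find subscribers whose attributes are similar to the new
    subscriber's, then take the union of the use cases those subscribers deployed."""
    matched = [s for s in subscribers
               if attribute_similarity(new_attrs, s.attributes) >= min_similarity]
    initial = set()
    for s in matched:
        initial |= {uc for uc in s.deployed if uc in USE_CASE_REPOSITORY}
    return sorted(initial), [s.name for s in matched]


def deployment_vector(sub, all_use_cases):
    """Binary vector over the repository: 1.0 where the subscriber deployed the use case."""
    return [1.0 if uc in sub.deployed else 0.0 for uc in all_use_cases]


def cosine_similarity(u, v):
    """Cosine of the angle between two vectors; 0.0 when either vector is all zeros."""
    dot = sum(x * y for x, y in zip(u, v))
    norm_u = sqrt(sum(x * x for x in u))
    norm_v = sqrt(sum(y * y for y in v))
    if norm_u == 0.0 or norm_v == 0.0:
        return 0.0
    return dot / (norm_u * norm_v)


def select_updated_use_cases(target, subscribers, threshold):
    """Claims 8/16/19 procedure: similarity is based on which use cases two subscribers
    have in common; use cases deployed by peers whose similarity exceeds the threshold,
    and not yet deployed by the target, form the updated set."""
    all_uc = sorted(USE_CASE_REPOSITORY)
    target_vec = deployment_vector(target, all_uc)
    sims = {s.name: cosine_similarity(target_vec, deployment_vector(s, all_uc))
            for s in subscribers if s is not target}
    updated = set()
    for s in subscribers:
        if s is not target and sims[s.name] > threshold:
            updated |= s.deployed - target.deployed
    return sorted(updated), sims


if __name__ == "__main__":
    new_attrs = frozenset({"sector:finance", "size:large", "payments:yes"})
    print(select_initial_use_cases(new_attrs, SUBSCRIBERS.values(), 0.5))
    print(select_updated_use_cases(SUBSCRIBERS["B"], SUBSCRIBERS.values(), 0.5))
```

Subscriber D, with no deployments, yields a zero vector and therefore a similarity of 0.0 rather than a division error, which is the edge case a threshold-based selector has to handle for newly onboarded subscribers.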

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Reybok in view of Morikawa, Myneni and Pinckney as applied to claim 16 above, and further in view of Murphy.
As per claim 17, Reybok in view of Morikawa, Myneni and Pinckney teaches:
The system of claim 16, wherein the ongoing configuration module supplies the updated set of use cases to a SIEM management user interface for the particular existing subscriber (Reybok: [0075]: Security-related events detected by these various components are routed to a security event incident management service (SEIMS) 785, which logs events as necessary in database 788. [0046]: If multiple measures are discovered to be useful in defeating a specific threat, the notification message can include a ranking of different remedial measures in terms of their efficacy. [0055]: in one embodiment, query results represent respective, diverse networks (filtered as appropriate) and the first network is informed of the number of “hits,” a ranked threat level provided by the central service, and a comparison with any local search results. Other information can also be provided (e.g., a suggested remedial measure) or this can be provided responsive to separate query. Results can be displayed to an administrator per a dashboard function for the first network. [0075]: As noted earlier, some embodiments can provide for client-elective use of a vulnerability assessment tool (VAT) 793 as a response to a detected threat).
Reybok in view of Morikawa, Myneni and Pinckney does not explicitly teach: the SIEM management user interface comprises user controls configured to allow a system administrator to approve and reject the use cases for deployment in the new subscriber's SIEM environment. However, Murphy teaches:
the SIEM management user interface comprises user controls configured to allow a system administrator to approve and reject the use cases for deployment in the new subscriber's SIEM environment (Murphy: column 14, lines 30-35: SIEM system 230. Column 32, lines 20-67: Automate Information (a portion of automation): The execution of a single (and possibly simple) action one time, such as the blocking an IP address from accessing computing platform 60 whenever such an attempt is made. Orchestrate Information (a portion of automation): The execution of a more complex batch (or series) of tasks, such as sensing an unauthorized download via an API and a) shutting down the API, adding the requesting IP address to a blacklist, and closing any ports opened for the requestor. For example, the third-party (e.g., the user/owner/operator of computing network 60) may choose to add/initiate the automation information to generate revised security-relevant information 1250′. Accordingly, threat mitigation process 10 may render selectable options (e.g., selectable buttons 1254, 1256) that the third-party (e.g., the user/owner/operator of computing network 60) may select to manipulate initial security-relevant information 1250 with automation information to generate revised security-relevant information 1250′. For this particular example, the third-party (e.g., the user/owner/operator of computing network 60) may choose two different options to manipulate initial security-relevant information 1250, namely: “block ip” or “search”, both of which will result in threat mitigation process 10 generating 1208 revised security-relevant information 1250′).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Murphy in the invention of Reybok in view of Morikawa, Myneni and Pinckney to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

Allowable Subject Matter
Claims 6 and 15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 10673891 to Lee et al: The methods and system described herein automatically generate network router access control entities (ACEs) that are used to filter internet traffic and more specifically to block malicious traffic. The rules are generated by an ACE engine that processes incoming internet packets and examines existing ACEs and a statistical profile of the captured packets to produce one or more recommended ACEs with a quantified measure of confidence. Preferably, a recommended ACE is identified in real time of the attack, and preferably selected from a library of pre-authored ACEs. It is then deployed automatically or alternatively sent to system personnel for review and confirmation.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438
/MADHURI R HERZOG/Primary Examiner, Art Unit 2438