DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Allowable Subject Matter

Claim 15 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and all intervening claims.
Response to Amendment
This action is in response to the communications and remarks filed on 05/24/2022. Claims 11 and 20 have been amended. Claims 1-20 have been examined and are pending.
Response to Arguments

Applicants’ arguments in the instant Amendment, filed on 05/24/2022, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments: “Claim 12 
The NFOA states: 
		"... Zimmerman fails to explicitly teach but Baumard teaches an autonomous response module configured to execute at least one autonomous response to the cyber threat identified by the cyber threat module. [Baumard, ¶ 0058: system autonomously detects and learns incongruous behaviors with (modules 10, 3) and assesses potentiality of advanced persistent threat (with module 12)]" (NFOA, page 17, section 21) 
Applicant respectfully disagrees. Baumard paragraph [0058] states: 
		"[0058] The task of displaying scores on an external display monitor 6 can be omitted in some examples. As the system autonomously detects and learns incongruous behaviors (with modules 10, 3), autonomously assesses, without prior teaching or external normative data, the potential malevolence or hazard within these machine behaviors (with module 11), and autonomously assesses the potentiality of an advanced persistent threat (with module 12), external communications of scores, or external communication with administrators or users (with communication program 5 or display monitor 6), does not have to be performed for the system to continue its operation. This configuration can be used on systems that can ..."
Applicant can find no teaching of "an autonomous response module configured to execute at least one autonomous response to the cyber threat identified by the cyber threat module" in this paragraph cited in the NFOA. The reference numbers cited (3, 5, 6, 10, 11, and 12) are all from FIG. 1A, and none of them appear to be an autonomous response module. The topic of the paragraph itself appears to be: "The task of displaying scores on an external display monitor 6 can be omitted in some examples." The motivation seems to be "This configuration can be used on systems that can lose their access and should continue their operation..." and the task of displaying scores is optional in such circumstances. To the extent that the system does anything autonomously, it ceases to perform a function it normally does. 
Applicant can find no other teaching in Baumard to remedy this defect. Applicant respectfully submits that Zimmerman in view of Baumard does not teach "an autonomous response module" and thus claim 12 is in condition for allowance. Applicant respectfully requests that the rejection under 35 USC § 103 be removed.” 
The Examiner disagrees with the Applicant’s arguments. Applicant points to the first sentence of para 0058 as being omitted: “The task of displaying scores on an external display monitor 6 can be omitted in some examples” of para 0058. Yet the Examiner cites from the second following sentence of Baumard, where the automated response appears to be captured. While the Applicant points to the task of displaying scores as a superfluous task, it does not preclude the teachings of an autonomous response module functionality where Baumard extends the Bayesian learning engines to support Intrusion Detection System (IDS) where the Behavioral Discovery and Learning Module 10 interacts with the Hazardous or Malevolence Assessment Module 11 which transmits results to the Advanced Persistent Threat Detection Module 12. Captured flow is real time where the communication interface and does not require human operator [Baumard, 0047-0049, 0055]. 
More importantly, the Examiner respectfully submits that Baumard does disclose "an autonomous response module." The specification states in paras 0055-0056: “that one more autonomous actions to be taken to contain the cyber threat... autonomous response module can interact with the SaaS module and the cyber threat module to automatically respond to any issues with a SaaS application... autonomous module may choose to restrict the user access to one or more other SaaS or Cloud environments. The autonomous response module is configured to compare the threat risk parameter to a benchmark matrix having a set of benchmark scores to determine an autonomous response. the autonomous response module is not limited to actioning just the SaaS environment where the initial threat was discovered. The autonomous module may choose to restrict the user access to one or more other SaaS or Cloud environments on the extended network as a result of the threat parameter. The cyber threat module may analyze the third-party event data from a third-party operator platform administrating and hosting the SaaS application to identify any cyber threats. The cyber threat module may generate a threat risk parameter listing a set of values describing aspects of a potential cyber threat. The autonomous response module is configured to compare the threat risk parameter to a benchmark matrix having a set of benchmark scores to determine an autonomous response”.
As such, the Examiner interpreted the modules that capturing, generating, and interacting with the Bayesian learning modules of the Bayesian networks cited how the system autonomously detects, learns incongruous behavior of cybernetics, and autonomously assesses for the potentiality of advanced persistent threats continuously triggers responses, intermittently or periodically; where the Bayesian Behavioral Discovery and Learning Module 10 [Baumard, ¶¶0017, 0054-0058 and 0068].
Therefore, Baumard teaches "an autonomous response module," as such Baumard is maintained in the rejection below.
Applicant’s arguments (Docket No.: 034306-001 P9; Application No.: 16/278,991): “Claim 1
The NFOA states: 
		"Regarding claim 2, the combination of Zimmerman and Baumard teach claim 1 as described above." (NFOA, page 17, section 21) 
		Applicant respectfully observes that the Examiner did not go through claim 1 element-by-element and equated the substance of the rejection as the equivalent of the claim 12 rejection. Thus, if claim 12 is in condition for allowance, then claim 1 is also in condition for allowance. Applicant respectfully requests that the rejection under 35 USC § 103 be removed. 
		Claims 2-10 should also be in condition for allowance due to their dependency on claim 1. Applicant respectfully requests that the rejections under 35 USC § 103 also be removed. 
		Applicant respectfully observes that if claim 1 is allowable subject matter, then presently amended claim 11, now in independent form, is also allowable and requests that the rejection under 35 USC § 103 be removed...”
The Examiner disagrees with the Applicants. The Examiner respectfully submits that the arguments presented seem to have misinterpreted the identified allowable subject matter. The rejection of dependent claim 2 noted on p. 17 of the NFOA was not identified as allowable subject matter. Claim 15 remains to be asserted as allowable subject matter.
More importantly, dependent claim 11 was also rejected in kind as independent claims 1 and 12, as noted in NFOA on p. 23. Therefore, the combined independent claims of 1 and 11-12 have been rejected as seen below.
Acknowledgement to applicant’s amendment to claim 20 (inadvertently cited as claim 10) has been noted. The claim has been reviewed, entered and found obviating to previously raised objection for minor informalities. Objection to the claim 10 is hereby withdrawn.
Acknowledgement to applicant’s amendment to the specification has been noted. The claim has been reviewed, entered and found obviating to previously raised objection for minor informalities. Objection to the specification is hereby withdrawn.
Acknowledgement of Applicant's response to obviousness-type double patenting and is further noted as set forth in the Non-Final Office Action mailed 05/24/2022. Examiner recommends addressing the concerns and re-submitting proper terminal disclaimers. The terminal disclaimers have been disapproved. As such, the notes from the review department state:
A request under 37 CFR 1.46(c) to change the applicant needs to be filed, which is (1) a request, signed by a 1.33(b) party, (2) a corrected ADS (37 CFR 1.76(c)) that identifies the “new” applicant in the applicant information, and is underlined since it is new, and (3) a 3.73(c) statement showing chain of title to the new applicant. Along with the § 1.46(c) request we need a POA that gives power to the attorney who is signing the TD, along with another copy of the TD, or a TD that is signed by the applicant. 
Examiner maintains the Double Patenting rejection. 
Acknowledgement to applicant's remarks to claims 12-15 and 17-20 has been noted. The claims have been reviewed and remain unchanged to previously raised interpretation under 35 USC 112 6th. Claims 12-15 and 17-20 have been interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. If applicant does not intend to have the claim limitation(s) treated under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may amend the claim(s) so that it/they will clearly not invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. For more information, see MPEP § 2181. The Rejection under 35 USC 112 6th to claims 12-15 and 17-20 is hereby maintained.
Acknowledgement to applicant's remarks to claims 12-15 and 17-20 have been noted. The claims remain unchanged to previously raised rejection under 35 USC 112 2nd. Rejection under 35 USC 112 2nd to claims 12-15 and 17-20 is hereby maintained.
Acknowledgement to applicant's remarks to claim 11 has been noted. The claim has been reviewed, entered and found obviating to previously raised rejection under 35 USC 112 4th. Rejection under 35 USC 112 4th to claim 11 is hereby withdrawn.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 11-12 and 20 are provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claim 1 of copending Application No. 17/187,169, 17/323,853, 17/323,860, 16/278,982, 16/399,801, and 15/501,135. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1, 11-12, and 20 .
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
	
CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “...a SaaS module...a third-party operator platform... a probe module... a coordinator module... a comparison module... a cyber threat module... an autonomous response module...” in claims 12-15 and 17-20.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
Claims 12-15 and 17-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim limitation “...a SaaS module...a third-party operator platform... a probe module... a coordinator module... a comparison module... a cyber threat module... an autonomous response module...” invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. No association between the structure and the function can be found in the specification. At most, in paras 32 of the specification that describes the contents of the cyber threat defense system 100; and an exemplary embodiment of the invention, computer 1 on the first computer system 10 comprising a processor, para 78. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim 16 is rejected under 35 USC 112 2nd for their dependency upon claims 12-15 and 17-20.
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-14 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Zimmerman et al, hereinafter (“Zimmerman”), European Patent Application (EP3262815 B1), was submitted in 05/10/2019 IDS, in view of Baumard, European Patent Application (EP2922268 A1), was submitted in 05/10/2019 IDS.
Regarding amended claims 1 and 11-12, Zimmerman teaches a method for a cyber threat defense system incorporating data from a Software-as-a-Service (SaaS) application hosted by a third-party operator platform to identify cyber threats related to that SaaS application, comprising; and an apparatus for a cyber threat defense system, comprising: [Zimmerman, ¶¶0009, 0011, 0014, 0018, 0026-0027, and 0033: A cloud security fabric (CSF 100) allows an enterprise to discover sensitive data, apply policies and automation actions configurations/users/data, and ensures regulated data compliance. A plurality of connector APIs interface the fabric may discover information about entities relating to the information security of the enterprise computing environment by obtaining information from the interfaces of a plurality of cloud platforms. Other things include discover and manage third party applications on dealing interfaces (including APIs): SaaS-to-SaaS interfaces, etc. Various modules of the CSF 100 can evaluate a given object or event and consider not only the metadata that is discovered by the CSF 100 but also data relevant to the other policies. Connector APIs 108 may connect to CSF through connectors 144. The CSF 100 may host various security relevant services, including content analysis services 110 (referred to in various embodiments as CCS, CaaS, and the like) and content classification services 146 (which analyze documents, files, and objects to find specific information based on patterns, rules, frequency, proximity, weights, fingerprints, dictionaries, etc. (e.g. credit card information, social security numbers) in real time); context analysis services 112 (which analyze documents, files or objects for sensitive information based on metadata criteria such as file ownership, sharing and access patterns, etc.); user behavior monitoring services 114 (which monitor and analyze user activity to detect potential anomalies and significant changes that may suggest malicious behavior); encryption as a service 122 (referred to in some cases as encryption management), behavioral analysis 114 (referred to in some cases as user behavior monitoring, but applicable to behavior of users, of applications, of services and of devices), behavior analytics 150 (referred to in some cases as user behavior analytics (UBA), also applicable to users, applications, services and devices), connectivity services, and policy management 116 (including policy creation and automated policy management, also referred to herein as context allows as a policy automation engine 116); and threat intelligence 121 (including feeds of threat information that can be provided from the CSF 100 and accessed by APIs from various other systems, which include threat information identified within the CSF 100 and other capabilities described throughout this disclosure, as well as threat information obtained from external systems); community trust rating services 160 (including the ability for the community of users of the CSF 100 to tag, rate, and share information about risks, risk management, security configurations, and other topics); incident management services 120 (which centrally manage and investigate incidents across an organization's portfolio of platforms and applications); encryption and key management services 122 (which empower end users to selectively encrypt sensitive information based on individual files or fully automated policy escalations); security analytics services 124 (which deliver insight relating to key cloud security risks and performance indicators) and configuration management services 134 (which allow the CSF 100 to take configuration information from various sources and configure various security related modules and services in the CSF 100 or in various platforms). The CSF 100 may have other services such as an applications firewall service 148 or Application Firewall (AFW) 300.]
one or more input ports to connect to one or more connectors and one or more probes deployed to a network entity representing at least one of a user and a network device that utilizes a third-party software-as-a-service (SaaS) application, [Zimmerman, Fig. 6 and ¶0101-0102: Fig. 6 shows the UBA platform 500 that include various components enabling data processing pipeline: collection components 602, a message bus 610, stream processing components 626 and storage components 650. Collection components include adapters: a Google adapter 604, an SFDC adapter 606, a Microsoft adapter 608 and the like, for collecting event log data through API calls.]
a SaaS module configured to collect, from the one or more connectors, third-party event data describing an administrative event of the third-party SaaS application hosted by a third-party operator platform; [Zimmerman, ¶¶0039 and 0044: the CSF 100 enable a user to discover what cloud applications and platforms 132 users of an enterprise are using... as well as from third party security vendors, such as over APIs, as well as from an input API that can be used to input events and logs into the CSF 100. The UBA platform 500 may comprise a process, such as a data processing pipeline, to stream, enrich, analyze and store security event information]
a probe module configured to collect, from the one or more probes, probe data describing network-administrated activity, external to the SaaS application, executed by the network entity; [Zimmerman, Fig. 6 and ¶0101 and 0103-0104: a message bus 610; allow multiple readers to read messages without interfering with each other. Also includes message bus sub-components 610 may include raw message bus sub-component 612 and an enriched message bus sub-component 614. ¶0265: Through custom configurations to analyzer 914, updates and notification may be rolled out by a central administrative process/mechanism. See also ¶¶0019-0020: An administrator may use enterprise APIs 104 to take various actions which exchanged events and incident flow that interact with public and private cloud computing platforms 130 (i.e. software as a service (SaaS) services and applications 190)]
a coordinator module configured to contextualize the third-party event data from the SaaS module with the probe data from the probe module to create a combined data set for analysis; [Zimmerman, ¶0027: the API of a cloud platform, the CSF 100 may automatically extract data available via a given API of the cloud platform and be able to invoke and integrate that data into relevant work flows for the various modules of the CSF 100, including relating to policies, dashboards, charting, event processing, user behavior analysis, and the like. Fig. 6 and ¶0107: a stream processing component 626 includes enrichment flow 630 that reads and transforms raw events from raw messages from bus subcomponent 612.]
a comparison module configured to execute a comparison of the combined data set, created by the coordinator module, to at least one machine-learning model trained on a normal benign behavior of that network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from the normal benign behavior to identify whether the network entity is in a breach state of the normal behavior benchmark; [Zimmerman, ¶¶0044 and 0054: UBA platform 500 manages data breaches by creating alerts when violations identified. ¶0072: As part of abnormally rare activities task may trigger as incident when activity is performed for first time, where the duration of a “normal” or baseline period is determined. Fig. 6 and ¶¶0113-0114: Anomaly detection 640 detects behavioral patterns may be abnormal related to baseline, defined by threshold-based rules or machine learning. A pre-trained model may be applied to machine learning model application activities 642.]
a cyber threat module configured to identify whether the breach state identified by the comparison module and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat; [Zimmerman, ¶¶0018 and 0031: Behavior analytics 150 (referred to in some cases as user behavior analytics (UBA); the CSF 100 can use application connection APIs to pull down information from the connector into the CSF 100; ¶0033: detect significant changes; ¶0041: Fig. 5, user behavior analysis, such as performed on or in connection with a platform 500, which in turn may be associated with an overall cyber intelligence platform 6500 and with various other capabilities of the CSF 100 as described throughout this disclosure (including the user behavior monitoring 114 and user behavior analysis (UBA) 150). ¶¶0044 and 0054: UBA platform 500 manages data breaches by creating alerts when violations identified. ¶0057: identifying sensitive content of the organization, such as, machine learning, so that an operator of the UBA platform 500 can focus behavior analysis over sensitive data more specifically. See ¶0072: abnormally rare activity task triggers]
 While Zimmerman teaches cyber threat identified by the cyber threat module [Baumard, ¶¶0006-0007 and 0025 detection from behavior-based detection algorithms that analyze the overall behavior of an entity and look for differences between; deviation or departure from a statistical normal or common order, form, pattern or rule. System performs with integrated forensic analysis to identify categories of dormant threat (i.e. Advanced Persistent Threats (APTs))]; however, Zimmerman fails to explicitly teach but Baumard teaches an autonomous response module configured to execute at least one autonomous response to the cyber threat identified by the cyber threat module. [Baumard, ¶0058: system autonomously detects and learns incongruous behaviors with (modules 10, 3) and assesses potentiality of advanced persistent threat (with module 12)]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of method of a system and method for securing an enterprise computing environment of Zimmerman before him or her by including the teachings of an autonomous detection of incongruous behaviors of Baumard. The motivation/suggestion would have been obvious to try to modify the system of the UBA/ cloud-based platform of Zimmerman by adding the system autonomously learning, executing, and displaying potentiality of APTs by alerting of Baumard [Baumard, ¶¶0057-0058].  
 
Regarding claim 2, the combination of Zimmerman and Baumard teach claim 1 as described above.
Zimmerman teaches further comprising: directing the one or more connectors to send a Hypertext Transfer Protocol Secure event request to the third-party SaaS application to request the administrative event from an audit log of the third-party SaaS application. [Zimmerman, ¶¶0093-0094; ¶¶0242 and 0341: Use of virtual network/NAT/Web server/jump box setup system administrators securely connect to manage the system when deploying CSF 100].
 
Regarding claim 3, the combination of Zimmerman and Baumard teach claim 1 as described above.
Zimmerman teaches further comprising: directing the one or more connectors to access an application programming interface of the third-party operator platform to generate an event report for a data rich description describing a series of administrative events. [Zimmerman, ¶0093: Event log data may be sourced via API calls to various service providers such as Google, SFDC, Microsoft, Box, Dropbox, Okta and the like; ¶0094; ¶0341: http msgs; reports enabled as presented in process 2800]
 
Regarding claim 4, the combination of Zimmerman and Baumard teach claim 3 as described above.
further comprising: 
Zimmerman teaches directing the one or more connectors to send a Hypertext Transfer Protocol Secure event request to the SaaS application to request a current state of objects on the third-party operator platform; [Zimmerman,  ¶¶0242 and 0341: Use of virtual network/NAT/Web server/jump box setup system administrators securely connect to manage the system when deploying CSF 100; ¶0341: enable a unified view of the usage of each application where the CSF 100 track, collect, and format message] and
deriving from metadata of the returned objects whether i) creations, ii) modifications, iii) deletions, or iv) any combination of these three, have occurred whether by 
1) requesting only objects modified within a specified time period, 2) comparing the metadata with a stored list of previous object states, or 3) any combination of these two. [Zimmerman, See Table 1 – classification criteria may be derived per handling of field metadata; ¶0114: context analysis services 112 (which analyze documents, files or objects for sensitive information based on metadata criteria; ¶0169: an enrich function 636, which may enrich the data stream with various additional data and metadata elements, such as by creating additional layers of data on top of the raw data collected]
 
Regarding claim 5, the combination of Zimmerman and Baumard teach claim 3 as described above.
further comprising: 
Zimmerman teaches setting a report period to specify a time frame for the event report; [Zimmerman, ¶¶0236-0237, 0301, 0444] and
where the executing of the autonomous response to take the response to the cyber threat includes one or more of 
executing at least one of alerting an internal system administrator of the cyber threat and a suggested action to counter the cyber threat, alerting the third-party operator platform of the cyber threat and a suggested action to counter the cyber threat, autonomously reducing permissions of the network entity in the breach state of the normal behavior benchmark, and autonomously disabling a user account of the network entity in the breach state of the normal behavior benchmark, based on a threat risk parameter corresponding to aspects of the cyber threat. [Zimmerman, ¶0012:  automated actions taking place in response to the policy engine); central configuration management (for security-related items);]
Regarding claim 6, the combination of Zimmerman and Baumard teach claim 3 as described above.
further comprising: 
Zimmerman teaches harvesting metadata from the data rich description and then using the metadata in the comparison of the normal behavior benchmark describing parameters corresponding to the normal pattern of activity for that network entity to spot behavior on a network deviating from the normal benign behavior; [Zimmerman, ¶0113: Anomaly detection activities 640 may detect behavioral patterns that may be abnormal related to a baseline. ¶0303: Policy automation engine 116 may have different available criteria. Entities may have metadata and classification criteria (such as explicit tagging independent of metadata); where policies identify specific keywords or patterns with suspicious activities. ¶¶0137, 0180, 0284-0285] and
directing the one or more connectors to request the third-party operator platform to delete the event report. [Zimmerman, ¶¶0262-0263: content analysis request processing]
 
Regarding claim 7, the combination of Zimmerman and Baumard teach claim 1 as described above.
Zimmerman teaches further comprising: comparing a threat risk parameter listing a set of values describing aspects of the cyber threat to a benchmark matrix having a set of benchmark scores to determine the autonomous response. [Zimmerman, ¶0345: identify anomalies and patterns in scoring particular attributes of application, level of risk of creating a data breach, and other metrics]
 
Regarding claim 8, the combination of Zimmerman and Baumard teach claim 1 as described above.
Zimmerman teaches further comprising: collecting network traffic in addition to the collected data from the SaaS application used by the network entity in order to analyze both to contextualize and understand the breach state and the chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity in order to accurately correspond to the breach state and the chain of relevant behavioral parameters to the cyber threat. [Zimmerman, ¶0343: collecting and normalization of information; ¶0345. Information collected and organized to identify anomalies, both in context of a single application and across applications, for scoring particular attributes/classes, level of risk of creating a data breach, and other metrics. See also ¶¶0018 and 0031: Behavior analytics 150 (referred to in some cases as user behavior analytics (UBA); the CSF 100 can use application connection APIs to pull down information from the connector into the CSF 100; ¶0072: abnormally rare activity task triggers]
Regarding claim 9, the combination of Zimmerman and Baumard teach claim 8 as described above.
Zimmerman teaches further comprising: sending an alert of the cyber threat with a suggested response to the cyber threat to at least one of an internal system administrator and the third-party operator platform. [Zimmerman, ¶0036: policy enforcement automated response action]
 
Regarding claim 10, the combination of Zimmerman and Baumard teach claim 8 as described above.
Zimmerman teaches further comprising: collecting, from one or more probes deployed to the network entity, probe data describing network-administrated activity, external to the SaaS application, by the network entity to analyze the probe data and the third-party event data in context to accurately associate the breach state and the chain of relevant behavioral parameters with the cyber threat. [See Zimmerman, ¶¶0039 and 0044: the CSF 100 to discover what cloud applications and platforms 132 users of an enterprise are using... as well as from third party security vendors, such as over APIs; UBA platform 500 may comprise a process, such as a data processing pipeline, to stream, enrich, analyze and store security event information; Fig. 6 and ¶¶0101-0102: Fig. 6 shows the UBA platform 500 that include various components enabling data processing pipeline: collection components 602, a message bus 610, stream processing components 626 and storage components 650. ¶0057: identifying sensitive content of the organization, such as, machine learning, so that an operator of the UBA platform 500 can focus behavior analysis over sensitive data more specifically.]
Regarding claim 11, the combination of Zimmerman and Baumard teach when executed by one or more processing apparatuses in the cyber threat defense system to instruct a computing device to perform the method of claim 1. [See independent claims 1 and 12]
 
Regarding claim 13, the combination of Zimmerman and Baumard teach claim 12 as described above.
Zimmerman teaches wherein the SaaS module is configured to harvest metadata of the administrative event. [Zimmerman, ¶0303: Policy automation engine 116 may have different available criteria. Entities may have metadata and classification criteria (such as explicit tagging independent of metadata);]
 
Regarding claim 14, the combination of Zimmerman and Baumard teach claim 13 as described above.
Zimmerman teaches wherein the SaaS module is configured to anonymize the metadata to remove any personally identifiable information for a third-party operator and the network entity from the metadata. [Zimmerman, ¶0353: The community trust rating (CTR) 2914 may apply to cloud applications and applications accessed on an enterprise network. Because the CSF 100 can be deployed across many enterprises and platforms.  A CTR preferably would have fields relating to a company sector, size and the like, and would provide visibility as to the reasons for a rating. In embodiments, the data may be anonymized.]
 
Regarding claim 16, the combination of Zimmerman and Baumard teach claim 12 as described above.
Zimmerman teaches wherein the SaaS connector is configured to direct the one or more connectors to request that event data describing the administrative event to be sent as a push notification upon the occurrence of the event. [Zimmerman, ¶0342: push data;]
 
Regarding claim 17, the combination of Zimmerman and Baumard teach claim 12 as described above.
Zimmerman teaches wherein the SaaS module is configured to receive the third-party event data describing an administrative event from the one or more connectors as a push notification, and then place the push notification received from the one or more connectors in a quarantine to scan for a deviant characteristic prior to analysis. [Zimmerman, ¶0342: push data; ¶0379: policy automation engine 116 of the CSF 100 might quarantine sensitive content based on content policy or a behavioral anomaly]

Regarding claim 18, the combination of Zimmerman and Baumard teach claim 12 as described above.
Zimmerman teaches wherein the cyber threat module is configured to identify at least one of a login, a failed login, a resource creation, a resource view, a resource modification, a resource deletion, a file upload, a file download, a resource share, and an administrative action in the third-party event data. [Zimmerman, ¶0063: “tailed login” task]
 
Regarding claim 19, the combination of Zimmerman and Baumard teach claim 12 as described above.
Zimmerman teaches wherein the autonomous response module is configured to lower a threshold for the autonomous response upon identifying a tagged user associated with the cyber threat. [Zimmerman, ¶¶0067 and 0098: predetermined threshold and configure thresholds; ¶0068: automatically determined threshold for a user. ¶0164: tagging mechanism]
 
Regarding claim 20, the combination of Zimmerman and Baumard teach claim 12 as described above.
Zimmerman teaches wherein the one or more connectors interact with the SaaS application by at least one of an application programming interface interaction, a logging access tool, a Hypertext Transfer Protocol Secure protocol request, and any combination of these, and then feed information about user behavior back to the SaaS module, the probe module, the coordinator module, the comparison module, the cyber threat module, and the autonomous response module; [Zimmerman, See independent claims 1 and 12] and 
wherein the cyber-threat defense system is configured to leverage containing the cyber threat to minimize an amount of processing unit cycles, memory space, and power consumed by the cyber threat in the network being protected by the cyber threat defense system. [Zimmerman, ¶0123: memory, storage]
 
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682.  The examiner can normally be reached on Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Sakinah White Taylor/Primary Examiner, Art Unit 2497