Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Reopening of Prosecution After Appeal Brief
In view of the Appeal Brief filed on 12/08/2021, PROSECUTION IS HEREBY REOPENED. A new ground of rejection is set forth below.
To avoid abandonment of the application, appellant must exercise one of the following two options:
(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this Office action is final); or,
(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were previously paid, then appellant must pay the difference between the increased fees and the amount previously paid.
A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below:
/JEFFREY NICKERSON/
Supervisory Patent Examiner, Art Unit 2432




DETAILED ACTION
This Office Action is in response to Reopening of Prosecution After Appeal Brief filed on 12/08/2021. In the Office Action, claims 1-3, 5, 10-13, and 18-20 have been received for consideration and have been examined. Claims 4, 6-9 and 14-17 remain cancelled. Claims 2-3, 5, 10-13 and 18-20 remain original.

Response to Arguments
Claim Rejections – 35 USC § 103
	Applicant’s arguments presented in the Appeal Brief filed 12/08/2021 have been reviewed by the examiner, and based on careful review, Applicant’s arguments have been summarized as follows:
Group I – Claims 1, 5, 10, 13 and 18-20 (Page # 4-10)
First, Smith’s moving of suspect email addresses from a blacklist to a whitelist does not meet the requirement of "de-associating a given IOC from the incident object by unlinking it from the incident object in an automated manner, and responsive to the unlinking, re-generating the incident response plan upon a determination that the given IOC is unrelated to the given data security incident.” (Page 6-7).
Second, the penultimate clause in each independent claim requires “responsive to re-generating the incident response plan, programmatically initiate execution, in one or more computing entities in the enterprise network, of one or more tasks included in the re-generated incident response plan.’ This element is not found in Carver [0050] or [0004] (Page # 7-8).
Third, the proposed motivation to combine Smith and Carver is insufficient to meet the Office’s burden to show that a skilled person would combine these teachings (Page # 8-9).
Examiner’s Response 
Regarding remark # 1, Applicant’s arguments are found to be persuasive regarding Smith reference and due to that prosecution has been reopened.
Regarding remark # 2, that primary reference of Carver fails to disclose “responsive to re-generating the incident response plan, programmatically initiate execution, in one or more computing entities in the enterprise network, of one or more tasks included in the re-generated incident response plan” in paragraph [0050], examiner respectfully disagree. 
Examiner would like to note that Carver clearly discloses the concept of “responsive to re-generating the incident response plan, programmatically initiate execution, in one or more computing entities in the enterprise network, of one or more tasks included in the re-generated incident response plan” in light of FIG. 5 flow diagram. Carver discloses monitoring for Indicators of compromise (IOC) for a security incident and generating response strategies which include possible actions to mitigate the security incident. In paragraph [0055-0058], Carver teaches that the system identifies IOCs and stores them in a data structure associated with the security incident. Carver further teaches generating a notification that describes the security incident and suggesting actions or looking up a response ontology. Regarding generating and response plans, Carver discloses providing response plan in the form of Actions (e.g., steps 518 & 526) which comprises of automated scripts to implement the response plan. Therefore, the examiner finds that the flow chart of FIG. 5 and its associated disclosure teaches generating a first response plan for the security incident.  Furthermore, however, Carver continuously monitors for IOCs regarding security incidents, and iteratively regenerates response plans based on results of execution of the first response plan and other IOCs, determining if further action is needed to curb the ongoing security incident and, based on that determination, the flow chart regenerates the response plan by generates another script to perform actions to further isolate the security incident. 
Regarding remark # 3, Applicant’s arguments are found to be persuasive regarding the combination of motivation to combine Smith and Carver and therefore the prosecution has been reopened.

Specification
The specification is objected to as failing to provide proper antecedent basis for the terminology used in the claims.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  
Claims 1 and 10 recites in last limitation “responsive to re-generating the incident response plan, programmatically initiate execution, in one or more computing entities in the enterprise network, of one or more tasks remaining in the re-generated incident response plan to respond to the given data security incident”. However, specification is silent with respect to the terminology of remaining tasks.

Claim Interpretation
The claims recite “regenerating” an incident response plan.  At no point in applicant’s specification does applicant describe what constitutes the act of “regenerating” of the incident response plan.  The term “regenerate” has a plain ordinary meaning “generate again”.  However:  At various points throughout applicant’s specification, applicant describes the desired result of the act of “regenerating” by explaining the tasks in the “regenerated” plan are “updated”, or updated tasks are “included” in the “regenerated” plan (applicant’s specification: [0020], [0027], [0035], [0106]).  Furthermore, the claims explicitly state there are “tasks remaining in the regenerated incident response plan.”  Interpreting the act of “regenerating” to require “generating again”, or “again generating the incident response plan afresh” is contrary to what is described in the specification and the claims.  Thus, the examiner will interpret the act of “regenerating” as “updating”.  That is, simply removing a single task from the incident response plan will meet the limitation of “regenerating” the incident response plan, even if such an action may not ordinarily be perceived as “regenerating” a plan.  Such an interpretation is consistent with the applicant’s specification and the claim terminology.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-3, 5, 10-13 and 18-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Carver et al., (US20150365438A1).
Regarding claim 1, Carver teaches:

A method for responding to data security incidents in an enterprise network, comprising: 
creating, in an incident manager (IM) application and in an automated manner, one or more incident objects (any and all data structures related to an identified incident) for respective one or more data security incidents (Carver [0017] discloses security and information analytics component 104 (FIG. 1) detecting known pattern of events (e.g., related to the insights 116, such as the existence of a file, an activity on an IP address, or another indicator or observable action) related to threat and recording the data for further analysis; [0017] further provides for creating data structures representative of a security incident; Carver [0048]-[0050] provides for the existence and creation of a security incident data structure which represents a security incident such as DDoS attack), 
wherein an incident object includes an incident characteristic (Carver [0017]-[0018], [0048]-[0050] provides that the data structure(s) maintaining information related to the security incident include information and characteristics related to the security incident); 
creating, in the IM application, one or more indicators of compromise (IOC) (Carver [0043]-[0047] discloses generating data structures that contain information representing indicators of compromise (or threat indicators), for example indicators of compromise associated with the threat may be the process name and the IP address), and 
linking the one or more indicators of compromise to the incident object (Carver [0036]-[0045] provides for linking data structures containing information representing indicators of compromise with the “incident object”, i.e., any and all data structures representing information related to a particular incident, by identifying which information is an indicator of compromise associated with a particular threat or incident);
determining tasks (i.e., appropriate response strategy) for the incident object, wherein one or more [response] tasks are determined for the incident object based upon the incident characteristic of the incident object and one or more common IOCs or common groupings of IOCs associated with the incident object (Carver [0050] discloses developing appropriate response strategy, such as rerouting network traffic, blocking particular IP address etc., based on “incident characteristics”, i.e., a piece of any information related to the incident stored in any data structure related to the incident, and “common IOCs”, i.e., IOCs that match known IOCs of  known other incidents);
wherein common IOCs or common groupings of IOCs are determined by comparing the IOCs associated with the incident object for a data security incident to IOCs associated with one or more incident objects for other data security incidents stored within the IM application (Carver: FIG. 3 step 308, [0017], [0024]-[0026], [0040], [0048] provides for matching current system events, information, files, etc. (i.e., potential IOCs) against known events, information, files, etc that are indicative of a particular type of or specific attack (i.e., known IOCs)); 
for a given data security incident, generating an incident response plan (Carver discloses in [0050] a response selector based on indicators of compromise associated with a particular security incident (e.g., a DDoS attack), for example, the incident can be identified and an appropriate response strategy can be determined), 
wherein the incident response plan includes the [response] tasks based upon the incident characteristic of the incident object associated with the given data security incident and includes any [response] tasks based upon the one or more common IOCs or common groupings of IOCs associated with the incident object (Carver [0018], [0049]-[0050] discloses devising an appropriate course of action, such as controlling or mitigating damage caused by a security breach for example rerouting some network traffic (e.g., traffic originating from a particular IP block) or all traffic intended for the server under attack to a honeypot or to an IP black hole, based on information known and stored in data structures about an incident, including current or potential IOCs, and known IOCs from known response ontologies), and
[execute at least one task of the response plan] (Carver: [0054]-[0058], Fig5, steps 510-518/520 provides for programmatically executing a task on a first iteration of a response plan, i.e., “removing the malicious process”);
	for a given data security incident, and responsive to a determination that a given IOC is no longer correlated to with the data security incident, de-associating the given IOC from the incident object by unlinking it from the incident object in an automated manner (Carver in [0058], Fig 5, step 520 provides for the system monitoring the ongoing incident before, during, and after execution of the first iteration of response actions;  provides for determining that IOC of the malicious process executing (which was previously used to recommend the action of terminating the malicious process) is de-associated from the incident and its related data structures because the notification of recommended actions in the next iteration lacks the recommendation to remove the malicious process, Fig 5, step 522 [0058]);
               responsive to the unlinking, regenerating the incident response plan (Carver discloses in [0058], Fig 5 step 522 updating response plan by adding additional actions for newly linked IOCs (in this case additional suspicious files), by removing previously completed tasks for IOCs that no longer exist/unlinked from the security incident (in this case, removing action of “remove malicious process”), and keeping actions that are still relevant for the incident (in this case, blocking outgoing traffic));         
	responsive to re-generating the incident response plan, programmatically initiate execution, in one or more computing entities in the enterprise network, of one or more remaining tasks in the re-generated incident response plan to respond to the given data security incident (Carver [0058] provides for programmatically executing a script to execute further actions, in this case blocking outgoing network traffic).
Regarding claim 2, Carver discloses:
The method of claim 1, wherein determining the tasks for the incident object based upon the one or more IOCs associated with the incident object comprises:
	identifying incident objects associated with the common IOCs or common groupings of IOCs as a set of correlated incident objects; determining whether there are any common incident characteristics among the set of correlated incident objects (Carver: [0036] & [0040] discloses identifying indicators of security threats and/or system compromises. Briefly, the process 300 includes identifying a compromise, retrieving data from relevant sources, identifying the status of a compromised environment, identifying indicator matches);
	creating tasks based upon the common incident characteristics among the set of correlated incident objects (Carver: [0049] discloses creating responses according to the identified security incidents).
Regarding claim 3, Carver discloses:
The method of claim 2, wherein determining whether there are any common incident characteristics among the set of correlated incident objects comprises:
loading statistical analysis algorithm for analyzing the incident characteristics of the set of correlated incident objects; and executing the statistical analysis algorithm against the incident characteristics of the incident objects within the set of correlated incident objects (Carver: [0043] discloses a machine learning algorithm to determine and identify indicator matches for the security threat to eventually identify a compromise).
Regarding claim 5, Carver discloses:
The method of claim 1, further comprising:
sending a message to the IM application, the message having been generated by a Security Information and Event Manager (SIEM) of the enterprise network and including the incident characteristic of the incident object and the one or more IOCs associated with the incident object (Carver: [0017] discloses monitoring detecting known pattern of for potential malicious events, recording the event and sending the event to the appropriate entity for appropriate course of action);
creating, by the IM application, the incident object, the incident characteristics of the incident object, and the one or more IOCs associated with the incident object in response to receiving the message (Carver: [0017] discloses monitoring detecting known pattern of for potential malicious events, recording the event and sending the event to the appropriate entity for appropriate course of action).
Regarding claim 10, Carver discloses:
A system for responding to data security incidents, the system comprising: a hardware processor; 
an incident manager (IM) application executed on the hardware processor that creates, in an automated manner, one or more incident objects for one or more respective data security incidents, wherein an incident object includes an incident characteristic, and that creates one or more indicators of compromise (IOC) and links them to the incident object ((See [0048] i.e., denial-of-service (DDoS) attack on one or more network servers) for respective one or more data security incidents (Carver [0017] discloses security and information analytics component 104 (FIG. 1) detecting known pattern of events (e.g., related to the insights 116, such as the existence of a file, an activity on an IP address, or another indicator or observable action) related to threat and recording the data for further analysis; [0017] further provides for creating data structures representative of a security incident; Carver [0048]-[0050] provides for the existence and creation of a security incident data structure which represents a security incident such as DDoS attack); and
a rules engine of the IM application that: creates one or more tasks for the incident object based upon the incident characteristic of the incident object (Carver [0043]-[0047] discloses generating data structures that contain information representing indicators of compromise (or threat indicators), for example indicators of compromise associated with the threat may be the process name and the IP address; Also Carver [0036]-[0045] provides for linking data structures containing information representing indicators of compromise with the “incident object”, i.e., any and all data structures representing information related to a particular incident, by identifying which information is an indicator of compromise associated with a particular threat or incident);
determines one or more tasks (i.e., appropriate response strategy) for the incident object based upon one or more common IOCs or common groupings of IOCs associated with the incident object (Carver [0050] discloses developing appropriate response strategy, such as rerouting network traffic, blocking particular IP address etc., based on “incident characteristics”, i.e., a piece of any information related to the incident stored in any data structure related to the incident, and “common IOCs”, i.e., IOCs that match known IOCs of  known other incidents),
wherein common IOCs or common groupings of IOCs are determined by comparing the IOCs associated with the incident object for a data security incident to IOCs associated with one or more incident objects for other data security incidents stored within the IM application (Carver: FIG. 3 step 308, [0017], [0024]-[0026], [0040], [0048] provides for matching current system events, information, files, etc. (i.e., potential IOCs) against known events, information, files, etc that are indicative of a particular type of or specific attack (i.e., known IOCs)); and
for a given data security incident generates an incident response plan (Carver discloses in [0050] a response selector based on indicators of compromise associated with a particular security incident (e.g., a DDoS attack), for example, the incident can be identified and an appropriate response strategy can be determined), 
wherein the incident response plan includes the [response] tasks based upon the incident characteristic of the incident object associated with the given data security incident and includes any [response] tasks based upon the one or more common IOCs or common groupings of IOCs associated with the incident object (Carver [0018], [0049]-[0050] discloses devising an appropriate course of action, such as controlling or mitigating damage caused by a security breach for example rerouting some network traffic (e.g., traffic originating from a particular IP block) or all traffic intended for the server under attack to a honeypot or to an IP black hole, based on information known and stored in data structures about an incident, including current or potential IOCs, and known IOCs from known response ontologies), and 
[execute at least one task of the response plan] (Carver: [0054]-[0058], Fig5, steps 510-518/520 provides for programmatically executing a task on a first iteration of a response plan, i.e., “removing the malicious process”);
	for a given data security incident, and responsive to a determination that a given IOC is no longer correlated to with the data security incident, de-associating the given IOC from the incident object by unlinking it from the incident object in an automated manner (Carver in [0058], Fig 5, step 520 provides for the system monitoring the ongoing incident before, during, and after execution of the first iteration of response actions;  provides for determining that IOC of the malicious process executing (which was previously used to recommend the action of terminating the malicious process) is de-associated from the incident and its related data structures because the notification of recommended actions in the next iteration lacks the recommendation to remove the malicious process, Fig 5, step 522 [0058]);
               responsive to the unlinking, regenerating the incident response plan (Carver discloses in [0058], Fig 5 step 522 updating response plan by adding additional actions for newly linked IOCs (in this case additional suspicious files), by removing previously completed tasks for IOCs that no longer exist/unlinked from the security incident (in this case, removing action of “remove malicious process”), and keeping actions that are still relevant for the incident (in this case, blocking outgoing traffic));         
	responsive to re-generating the incident response plan, programmatically initiate execution, in one or more computing entities in the enterprise network, of one or more remaining tasks in the re-generated incident response plan to respond to the given data security incident (Carver [0058] provides for programmatically executing a script to execute further actions, in this case blocking outgoing network traffic).
Regarding claim 11, Carver discloses:
The system of claim 10, wherein the IM application further comprises an inference engine that: 
Identifies incident objects associated with the common IOCs or common groupings of IOCs as a set of correlated incident objects; determining whether there are any common incident characteristics among the set of correlated incident objects (Carver: [0036] & [0040] provides for linking data structures containing information representing indicators of compromise with the “incident object”, i.e., any and all data structures representing information related to a particular incident, by identifying which information is an indicator of compromise associated with a particular threat or incident);
	sends the common incident characteristics to the rules engine, wherein the rules engine determines the tasks for each incident object based upon the one or more IOCs associated with each incident object in response to receiving the common incident characteristics from the inference engine (Carver: [0018] discloses generating incident response for the incidents based on ontology regarding actions to be performed in response to particular security events; [0049] discloses creating responses according to the identified security incidents).
Regarding claim 12, Carver discloses:
The system of claim 10, wherein the IM application includes a statistical analysis algorithm, and wherein the inference engine downloads the statistical analysis algorithm from the IM application and applies the statistical analysis algorithm to the set of correlated incident objects to determine whether there are any common incident characteristics among the set of correlated incident objects (Carver: [0043] discloses a machine learning algorithm to determine and identify indicator matches for the security threat to eventually identify a compromise).
Regarding claim 13, Carver discloses:
The system of claim 10, further comprising a Security Information and Event Manager (SIEM) that includes the incident characteristics of the incident object and the one or more IOCs associated with the incident object within a message, and sends the message to the IM application, and wherein the IM application creates the incident object, the incident characteristic of the incident object, and the IOCs associated with the incident object in response to receiving the message (Carver: [0017] discloses monitoring detecting known pattern of for potential malicious events, recording the event and sending the event to the appropriate entity for appropriate course of action).
Regarding claim 18, Carver discloses:
The system of claim 10, wherein types of the IOCs associated with the incident object include Internet Protocol (IP) addresses, hashes associated with malware, domain names, names of files, user accounts, registry keys, email addresses, and or protocol port numbers (Carver: [0004] discloses list of indicators of compromise can include one or more of a process name, a process identifier, a process hash, a file, an object, an application, a service, an Internet Protocol address, a registry key, or a user account).
Regarding claim 19, Carver discloses:
The system of claim 10, wherein the incident characteristic included within the incident object include an incident type, data compromise status information, data exposure status information, and time/date of incident occurrence (Carver: [0036] & [0039] discloses identifying a compromise, retrieving data from relevant sources, identifying the status of a compromised environment and providing snapshot of potential indicators of compromise which include timeframe of the system).
Regarding claim 20, Carver discloses:
The system of claim 10, wherein the IM receives updates to the tasks from a security analyst, and updates the incident response plans for the data security incidents to include the updated tasks from the security analyst (Carver: [0051] discloses A semi-automated process for implementing the incident response, for example, may include various checkpoints for which a human operator may be prompted to make a decision, and further automated processes (e.g., scripts) may be launched in response to receiving an indication of the decision).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 10-13 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Carver et al., (US20150365438A1) in view of Tung et al., (US20090259513A1).
Regarding claim 1, Carver discloses:

A method for responding to data security incidents in an enterprise network, comprising: 
creating (see [0017] & [0048]; i.e., identifying and recording the incident in information and analytics component 104), in an incident manager (IM) application and in an automated manner, one or more incident objects (See [0048] i.e., denial-of-service (DDoS) attack on one or more network servers) for respective one or more data security incidents (Carver [0017] discloses security and information analytics component 104 (FIG. 1) detecting known pattern of events (e.g., related to the insights 116, such as the existence of a file, an activity on an IP address, or another indicator or observable action) related to threat and  recording it for further analysis; Carver [0048] discloses identifying a security incident which relates to incident object such as DDoS ), 
wherein an incident object includes an incident characteristic (Carver [0048] discloses that DDoS attack has been identified based on based on detecting a known pattern of events associated with the type of attack); 
creating, in the IM application, one or more indicators of compromise (IOC) (Carver [0044] discloses generating indicators of compromise (or threat indicators), for example indicators of compromise associated with the threat may be the process name and the IP address), and 
linking the one or more indicators of compromise to the incident object (Carver [0050] discloses determining [linking] the indicators of compromise associated with a particular security incident (e.g., a DDoS attack)); 
determining tasks (i.e., appropriate response strategy) for the incident object, wherein one or more [response] tasks are determined for the incident object based upon the incident characteristic of the incident object (Carver [0050] discloses identifying indicators of compromise associated with a particular security incident (e.g., a DDoS attack) and developing appropriate response strategy such as rerouting network traffic, blocking particular IP address etc. construed as one or more response tasks related to the incident object), and 
one or more common IOCs or common groupings of IOCs associated with the incident object (Carver discloses in light of FIG. 3 steps 306, 308, 310, 316, 318 & 320 for determining if indicators of compromise are associated with the security incident), 
wherein common IOCs or common groupings of IOCs are determined by comparing the IOCs associated with the incident object for a data security incident to IOCs associated with one or more incident objects for other data security incidents stored within the IM application (Carver discloses in light of FIG. 3 step 308 security threat information provided by the threat intelligence server 202 can be accessed by the management and process orchestration server 204 and can be used for identifying matches from the list of running and/or recently ended processes and/or modified objects. Processes and/or modified objects that match, for example, may be identified as threat indicators); 
for a given data security incident, generating an incident response plan (Carver discloses in [0050] a response selector based on indicators of compromise associated with a particular security incident (e.g., a DDoS attack), for example, the incident can be identified and an appropriate response strategy can be determined), 
wherein the incident response plan includes the [response] tasks based upon the incident characteristic of the incident object associated with the given data security incident (Carver [0050] discloses observing a pattern within the security incident and devising an appropriate course of action such as controlling or mitigating damage caused by a security breach for example rerouting some network traffic (e.g., traffic originating from a particular IP block) or all traffic intended for the server under attack to a honeypot or to an IP black hole), and
includes any [response] tasks based upon the one or more common IOCs or common groupings of IOCs associated with the incident object (Carver [0018] discloses a security orchestration service which maintain an ontology regarding actions to be performed in response to particular security threats or breaches which is construed as response tasks included based upon common indicators of compromise; Also see Carver [0049] disclosing that the security incident can be compared with a predefined ontology in which the security orchestration services can maintain an incident response ontology).
Carver explicitly teaches:
	for a given data security incident, and responsive to a determination that the information-regarding-the-incident needs updating (Carver in [0058] during state 520 of FIG. 5 discloses identifying there is another IOC in the form of an additional suspicious files even after malicious process is terminated and therefore response plan needs updating), 
	updating the incident object (Carver in [0058] discloses that the system must identify new IOCs and store them in a data structure associated with the security incident in the form of generated notifications that describes the security incident), and
               responsive to updating the incident object, regenerating (i.e., generating another action (script) to isolate the suspicious files after the malicious process was terminated in the first response plan) the incident response plan (Carver discloses in [0058] recommending additional actions or looking up different response ontology during iterative response actions based on changing state of an affected device or network. For example, Fig 5 and its citations where 1st script is original incident response plan; 2nd is the regenerated incident response plan);               
               responsive to re-generating the incident response plan, programmatically initiate execution, in one or more computing entities in the enterprise network, of one or more remaining tasks in the re-generated incident response plan to respond to the given data security incident (Carver discloses in [0058] that after the system operator is known that there is still suspicious files present event after terminating the malicious process, the operator directs an incident response process to programmatically/automatically execute the 2nd script to perform actions such as isolating the suspicious files).
Carver fails to explicitly teach:
wherein determining that information-regarding-the-event needs updating comprises:
determining that information-regarding-the-event is no longer correlated with the event; wherein updating an event object comprises de-associating the information-regarding-the-event from the event object by unlinking the information-regarding-the-event in an automated manner; wherein updating is unlinking.
However, Tung discloses:owfdjkvnfdj
	determining that information-regarding-the-event (i.e., shipment timing information is construed as event information which needs updating) needs updating comprises:
determining that information-regarding-the-event is no longer correlated (i.e., the shipment has been delayed and expected shipping time is no longer correct and therefore new time needs to be updated from original time for the shipment) with the event (See FIG. 12, Step 2; [0040] A particular event or milestone 514 may actually be realized later than expected. The party process 500 may shift the expectations for the upcoming predicted milestones 512 by the amount of delay for the late realized event or milestone 514. Therefore, the system can re-plan and reflect the latest or revised expectations for the events and milestones to the parties (i.e., shifted forward or backward)

    PNG
    media_image1.png
    273
    789
    media_image1.png
    Greyscale
);
wherein updating an event object comprises de-associating the information-regarding-the-event from the event object by unlinking the information-regarding-the-event in an automated manner; wherein updating is unlinking (See FIG. 12, Step 3; [0040] As indicated in step 3, the newly revised party processes 500 accurately reflect the revised predicted milestones 516 and those are then made available for monitoring by the system and the parties

    PNG
    media_image2.png
    225
    811
    media_image2.png
    Greyscale
).
It would have been obvious to ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Carver reference and include an event driven model monitoring system which automatically detects a change in the event and updates the model based on the detection, as disclosed by Tung.
The motivation to have such a system is to be able to have minimal operator input when there is change in the event and a modification needs to be made regarding the event in response to detecting the change in the event.
Regarding claim 2, the combination of Carver and Tung discloses:
The method of claim 1, wherein determining the tasks for the incident object based upon the one or more IOCs associated with the incident object comprises:
	identifying incident objects associated with the common IOCs or common groupings of IOCs as a set of correlated incident objects; determining whether there are any common incident characteristics among the set of correlated incident objects (Carver: [0036] & [0040] discloses identifying indicators of security threats and/or system compromises. Briefly, the process 300 includes identifying a compromise, retrieving data from relevant sources, identifying the status of a compromised environment, identifying indicator matches);
	creating tasks based upon the common incident characteristics among the set of correlated incident objects (Carver: [0049] discloses creating responses according to the identified security incidents).
Regarding claim 3, the combination of Carver and Tung discloses:
The method of claim 2, wherein determining whether there are any common incident characteristics among the set of correlated incident objects comprises:
loading statistical analysis algorithm for analyzing the incident characteristics of the set of correlated incident objects; and executing the statistical analysis algorithm against the incident characteristics of the incident objects within the set of correlated incident objects (Carver: [0043] discloses a machine learning algorithm to determine and identify indicator matches for the security threat to eventually identify a compromise).
Regarding claim 5, the combination of Carver and Tung discloses:
The method of claim 1, further comprising:
sending a message to the IM application, the message having been generated by a Security Information and Event Manager (SIEM) of the enterprise network and including the incident characteristic of the incident object and the one or more IOCs associated with the incident object (Carver: [0017] discloses security and information analytics component 104 (FIG. 1) detecting known pattern of events (e.g., related to the insights 116, such as the existence of a file, an activity on an IP address, or another indicator or observable action) related to threat and  recording it for further analysis;);
creating, by the IM application, the incident object, the incident characteristics of the incident object, and the one or more IOCs associated with the incident object in response to receiving the message (Carver: [0017] discloses security and information analytics component 104 (FIG. 1) detecting known pattern of events (e.g., related to the insights 116, such as the existence of a file, an activity on an IP address, or another indicator or observable action) related to threat and recording the data for further analysis; [0017] further provides for creating data structures representative of a security incident).
Regarding claim 10, Carver discloses:
A system for responding to data security incidents, the system comprising: a hardware processor; 
an incident manager (IM) application executed on the hardware processor that creates, in an automated manner, one or more incident objects for one or more respective data security incidents, wherein an incident object includes an incident characteristic, and that creates one or more indicators of compromise (IOC) and links them to the incident object ((See [0048] i.e., denial-of-service (DDoS) attack on one or more network servers) for respective one or more data security incidents (Carver [0017] discloses security and information analytics component 104 (FIG. 1) detecting known pattern of events (e.g., related to the insights 116, such as the existence of a file, an activity on an IP address, or another indicator or observable action) related to threat and  recording it for further analysis; Carver [0048] discloses identifying a security incident which relates to incident object such as DDoS ));
and a rules engine of the IM application that: creates one or more tasks for the incident object based upon the incident characteristic of the incident object (Carver [0044] discloses generating indicators of compromise (or threat indicators), for example indicators of compromise associated with the threat may be the process name and the IP address);
determines one or more tasks for the incident object based upon one or more common IOCs or common groupings of IOCs associated with the incident object (Carver [0050] discloses identifying indicators of compromise associated with a particular security incident (e.g., a DDoS attack) and developing appropriate response strategy such as rerouting network traffic, blocking particular IP address etc. construed as one or more response tasks related to the incident object; Carver discloses in light of FIG. 3 steps 306, 308, 310, 316, 318 & 320 for determining if indicators of compromise are associated with the security incident),
wherein common IOCs or common groupings of IOCs are determined by comparing the IOCs associated with the incident object for a data security incident to IOCs associated with one or more incident objects for other data security incidents stored within the IM application (Carver discloses in light of FIG. 3 step 308 security threat information provided by the threat intelligence server 202 can be accessed by the management and process orchestration server 204 and can be used for identifying matches from the list of running and/or recently ended processes and/or modified objects. Processes and/or modified objects that match, for example, may be identified as threat indicators);
and for a given data security incident generates an incident response plan (Carver discloses in [0050] a response selector based on indicators of compromise associated with a particular security incident (e.g., a DDoS attack), for example, the incident can be identified and an appropriate response strategy can be determined), 
wherein the incident response plan for the given data security incident includes the tasks based upon the incident characteristic of the incident object associated with the given data security incident (Carver [0050] discloses observing a pattern within the security incident and devising an appropriate course of action such as controlling or mitigating damage caused by a security breach for example rerouting some network traffic (e.g., traffic originating from a particular IP block) or all traffic intended for the server under attack to a honeypot or to an IP black hole), and 
includes the tasks based upon the one or more common IOCs or common groupings of IOCs associated with the incident object (Carver [0018] discloses a security orchestration service which maintain an ontology regarding actions to be performed in response to particular security threats or breaches which is construed as response tasks included based upon common indicators of compromise; Also see Carver [0049] disclosing that the security incident can be compared with a predefined ontology in which the security orchestration services can maintain an incident response ontology).
Carver explicitly teaches:
	for a given data security incident, and responsive to a determination that the information-regarding-the-incident needs updating (Carver in [0058] during state 520 of FIG. 5 discloses identifying there is another IOC in the form of an additional suspicious files even after malicious process is terminated and therefore response plan needs updating), 
	updating the incident object (Carver in [0058] discloses that the system must identify new IOCs and store them in a data structure associated with the security incident in the form of generated notifications that describes the security incident), and
               responsive to updating the incident object, regenerating (i.e., generating another action (script) to isolate the suspicious files after the malicious process was terminated in the first response plan) the incident response plan (Carver discloses in [0058] recommending additional actions or looking up different response ontology during iterative response actions based on changing state of an affected device or network. For example, Fig 5 and its citations where 1st script is original incident response plan; 2nd is the regenerated incident response plan);
               responsive to re-generating the incident response plan, programmatically initiate execution, in one or more computing entities in the enterprise network, of one or more remaining tasks in the re-generated incident response plan to respond to the given data security incident (Carver discloses in [0058] that after the system operator is known that there is still suspicious files present event after terminating the malicious process, the operator directs an incident response process to programmatically/automatically execute the 2nd script to perform actions such as isolating the suspicious files).
Carver fails to teach:
determining that information-regarding-the-event needs updating comprises:
determining that information-regarding-the-event is no longer correlated with the event; wherein updating an event object comprises de-associating the information-regarding-the-event from the event object by unlinking the information-regarding-the-event in an automated manner; wherein updating is unlinking.
However, Tung discloses:owfdjkvnfdj
	determining that information-regarding-the-event (i.e., shipment timing information is construed as event information which needs updating) needs updating comprises:
determining that information-regarding-the-event is no longer correlated (i.e., the shipment has been delayed and expected shipping time is no longer correct and therefore new time needs to be updated from original time for the shipment) with the event (See FIG. 12, Step 2; [0040] A particular event or milestone 514 may actually be realized later than expected. The party process 500 may shift the expectations for the upcoming predicted milestones 512 by the amount of delay for the late realized event or milestone 514. Therefore, the system can re-plan and reflect the latest or revised expectations for the events and milestones to the parties (i.e., shifted forward or backward)

    PNG
    media_image1.png
    273
    789
    media_image1.png
    Greyscale
);
wherein updating an event object comprises de-associating the information-regarding-the-event from the event object by unlinking the information-regarding-the-event in an automated manner; wherein updating is unlinking (See FIG. 12, Step 3; [0040] As indicated in step 3, the newly revised party processes 500 accurately reflect the revised predicted milestones 516 and those are then made available for monitoring by the system and the parties

    PNG
    media_image2.png
    225
    811
    media_image2.png
    Greyscale
).
It would have been obvious to ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Carver reference and include an event driven model monitoring system which automatically detects a change in the event and updates the model based on the detection, as disclosed by Tung.
The motivation to have such a system is to be able to have minimal operator input when there is change in the event and a modification needs to be made regarding the event in response to detecting the change in the event.
Regarding claim 11, the combination of Carver and Tung discloses:
The system of claim 10, wherein the IM application further comprises an inference engine that: 
identifies incident objects associated with the common IOCs or common groupings of IOCs as a set of correlated incident objects; determining whether there are any common incident characteristics among the set of correlated incident objects (Carver: [0036] & [0040]);
	sends the common incident characteristics to the rules engine, wherein the rules engine determines the tasks for each incident object based upon the one or more IOCs associated with each incident object in response to receiving the common incident characteristics from the inference engine (Carver: [0018] discloses a security orchestration service which maintain an ontology regarding actions to be performed in response to particular security threats or breaches which is construed as response tasks included based upon common indicators of compromise; Also see Carver [0049] disclosing that the security incident can be compared with a predefined ontology in which the security orchestration services can maintain an incident response ontology).
Regarding claim 12, the combination of Carver and Tung discloses:
The system of claim 10, wherein the IM application includes a statistical analysis algorithm, and wherein the inference engine downloads the statistical analysis algorithm from the IM application and applies the statistical analysis algorithm to the set of correlated incident objects to determine whether there are any common incident characteristics among the set of correlated incident objects (Carver: [0043]).
Regarding claim 13, the combination of Carver and Tung discloses:
The system of claim 10, further comprising a Security Information and Event Manager (SIEM) that includes the incident characteristics of the incident object and the one or more IOCs associated with the incident object within a message, and sends the message to the IM application, and wherein the IM application creates the incident object, the incident characteristic of the incident object, and the IOCs associated with the incident object in response to receiving the message (Carver: [0017]).
Regarding claim 18, the combination of Carver and Tung discloses:
The system of claim 10, wherein types of the IOCs associated with the incident object include Internet Protocol (IP) addresses, hashes associated with malware, domain names, names of files, user accounts, registry keys, email addresses, and or protocol port numbers (Carver: [0004] discloses list of indicators of compromise can include one or more of a process name, a process identifier, a process hash, a file, an object, an application, a service, an Internet Protocol address, a registry key, or a user account).
Regarding claim 19, the combination of Carver and Tung discloses:
The system of claim 10, wherein the incident characteristic included within the incident object include an incident type, data compromise status information, data exposure status information, and time/date of incident occurrence (Carver: [0036] & [0039] discloses identifying a compromise, retrieving data from relevant sources, identifying the status of a compromised environment and providing snapshot of potential indicators of compromise which include timeframe of the system).
Regarding claim 20, the combination of Carver and Tung discloses:
The system of claim 10, wherein the IM receives updates to the tasks from a security analyst, and updates the incident response plans for the data security incidents to include the updated tasks from the security analyst (Carver: [0051] discloses A semi-automated process for implementing the incident response, for example, may include various checkpoints for which a human operator may be prompted to make a decision, and further automated processes (e.g., scripts) may be launched in response to receiving an indication of the decision).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/S.M.A./             Patent Examiner, Art Unit 2432                                                                                                                                                                                           	06/27/2022

/Jeffrey Nickerson/             Supervisory Patent Examiner, Art Unit 2432