DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 21 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,771,479. Although the claims at issue are not identical, they are not patentably distinct from each other because claim 21 is generic to all that is recited in claim 1 of U.S. Patent No. 10,771,479. That is, claim 1 of U.S. Patent No. 10,771,479 falls entirely within the scope of claim 21 or, in other words, claim 21 is anticipated by claim 1 of U.S. Patent No. 10,771,479. 

Claim 21 of the Instant Application
claim 1 of U.S. Patent No. 10,771,479
A computer-implemented method performed by a security application of a data intake and query system, the method comprising: 
A computer-implemented method performed by a security application of a data intake and query system, the method comprising:
receiving input defining a modular alert, wherein the modular alert includes: 
receiving, through a graphical interface for creating modular alerts, input defining a modular alert comprising:
a correlation search used to identify notable events from events stored by the data intake and query system, wherein each of the events includes a time stamp and a portion of raw machine data produced by a component of an information technology or security environment, and
a correlation search used to identify notable events from events stored by the data intake and query system in a field-searchable data store, wherein each of the events includes a time stamp and a portion of raw machine data produced by a component of an information technology or security environment …; a triggering condition reflected in criteria in the correlation search, the triggering condition representing detection of a potential security threat;
an action to be executed responsive to the correlation search identifying a notable event, wherein the action causes a security application that is external to the data intake and query system to return results information; 
a plurality of actions to be executed based on the triggering condition being satisfied during execution of the correlation search, the plurality of actions including: …a second action to be executed by a security application that is external to the data intake and query system, wherein execution of the second action by the security application returns second results information;
executing the correlation search to identify a notable event;
executing the correlation search included in the modular alert according to the recurring schedule; detecting the triggering condition in the modular alert;
executing the action based on the notable event; 
based on detecting the triggering condition, executing the plurality of actions in the modular alert including the first action and the second action;
obtaining, from the security application, supplemental information related to the notable event; and 
the plurality of actions including: a first action involving execution of a query against time stamped event data stored by the data intake and query system in the field-searchable data store, wherein the query is used to obtain additional information related to a notable event identified based on execution of the correlation search, and wherein execution of the query returns first results information, … obtaining information associated with execution of the plurality of actions; and
causing display of a graphical user interface (GUI) including information representing the notable event and the supplemental information obtained based on the security application executing the action.
causing display of a graphical user interface (GUI) including information representing a notable event identified based on execution of the correlation search, the first results information obtained by executing the first action involving execution of a query against time stamped event data stored by the data intake and query system, ...


Similarly, the following claims are rejected on the ground of nonstatutory double patenting as being unpatentable over the following corresponding claims of U.S. Patent No. 10,771,479.
Claims of the Instant Application
Claims of U.S. Patent No. 10,771,479
Claims of the Instant Application
Claims of U.S. Patent No. 10,771,479
21
1
32
9
22
1
33
10
23
1
34
11
24
2
35
13
25
3
36
13
27
4
37
13
28
5
38
16
29
6
39
20
30
7
40
20
31
8




	

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 21, 24-29, 35, 38 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Chakravarty (US 2008/0040191), and further in view of Block (US 2016/0034361).

Regarding claims 21, 35 and 39,  Chakravarty teaches A computer-implemented method performed by a security application of a data intake and query system, the method comprising (see abstract: “One aspect of the invention relates to providing tools to enable creation of customized workflow processes for event driven incident remediation, monitoring and analyzing system activity to identify occurrence of incidents, assigning a workflow process to an incident, applying the assigned workflow process to remediate the incident, and tracking and graphically displaying the status of the workflow process”. And see [0024] and Fig. 1: “a system may include a correlation analysis engine 14, an incident tracking module 16, an assignment module 18, a workflow module 20, a graphical user interface 30”. The Examiner interprets the system comprising “a correlation analysis engine 14, an incident tracking module 16, an assignment module 18, a workflow module 20, a graphical user interface 30” as a security application of a data intake and query system):
receiving input defining a modular alert (see [0059] and Fig. 1: “Correlated events may be published based on user defined correlation rules before the events get stored to a database 15 associated with correlation engine 14”. And see [0008]: “a particular workflow process instance may be designed to remediate a particular type of incident, e.g., depending on details of the particular incident”. And see [0012]: “A user may create and edit a workflow process from scratch or by starting with a template. For example, the use may create or edit a workflow instance by using drag and drop features of the graphical user interface to place one or more steps/work-items and transitions there between into a sequence”. And see [0026]: “Workflow module 20 may be used in edit mode 22 to create or modify a set of customizable workflow process instances”. And see [0042] and Fig. 3: “The panel for workflow process instance 202 enables the user to create/edit a workflow process instance using drag and drop elements from the work-item palette 206 in order to build a graph 201 that represents a desired workflow process”. The Examiner interprets receiving “user defined correlation rules” and a user input, through the graphical user interface shown in Fig. 3, defining a desired workflow process designed to remediate an incident, as receiving input defining a modular alert), wherein the modular alert includes: 
a correlation search used to identify notable events from events stored by the data intake and query system (see [0059] and Fig. 1: “The network may include external and internal event sources. The collection of filtered events from the various sources may be passed to correlation engine 14 which analyzes event data. One or more events of interest passed to correlation engine 14 may undergo a correlation algorithm that computes correlation events by analyzing the data stream in real-time and determining whether an incoming event or series of events should be made into a correlation event. Correlated events may be published based on user defined correlation rules before the events get stored to a database 15 associated with correlation engine 14. Rules in correlation engine 14 can detect a pattern in a single event of interest or a running window of events. When a match to an existing correlation rule is detected, the correlations engine generates a correlated event describing the found pattern and may create an incident to trigger a remediation workflow”. The Examiner interprets “user defined correlation rules” as a correlation search used to identify notable events from events stored by the data intake and query system included in the modular alert defined in the received input. And see [0016] and [0027]), wherein each of the events includes (see [0027]: “Referring to FIG. 1, the system may include an activity monitor 12. Activity monitor 12 may collect events in real-time from security devices, network devices, security software and other devices and applications running on a network”), and 
an action to be executed responsive to the correlation search identifying a notable event (see [0032]: “Another type of work-item relates to automatic work-items, also referred to as a system work-item. A system work-item may be automatically executed without user intervention via one or more computer applications. The workflow module (or other module) may initiate one or more actions associated with the system work-item. Various types of actions may be taken and certain actions may be implemented on a network device in an attempt to resolve at least a portion of the incident”. And see [0059] and Fig. 1: “Rules in correlation engine 14 can detect a pattern in a single event of interest or a running window of events. When a match to an existing correlation rule is detected, the correlations engine generates a correlated event describing the found pattern and may create an incident to trigger a remediation workflow”. And see [0042] and Fig. 3: “The panel for workflow process instance 202 enables the user to create/edit a workflow process instance using drag and drop elements from the work-item palette 206 in order to build a graph 201 that represents a desired workflow process”. And see [0011], [0012], [0016], [0040] and [0041]), 
wherein the action causes a security application that is external to the data intake and query system to return results information (see [0032]: “Various types of actions may be taken and certain actions may be implemented on a network device in an attempt to resolve at least a portion of the incident. For example, the action may attempt to reach back to an external source (or a downstream device) of the event(s) which caused the incident. Completion of a system work-item may depend on the results of the action(s) taken. For example, the system work-item may wait until the action is successfully completed (e.g., problem server is turned off) in order to move on to the next work-item”. The Examiner interprets “an external source (or a downstream device) of the event(s) which caused the incident” as a security application that is external to the data intake and query system. The Examiner further interprets “the results of the action(s) taken” as results information. And see [0052] and Fig. 6: “The command may be used to execute an action in an attempt to resolve at least a portion of the incident. For example, the command may be executed on a network device that may be causing the incident. The output of the command may be stored in a workflow process variable specified in a pull down menu 503. The output may indicate success or failure with respect to the executed command. In the possible event of failure, the workflow process may be designed to create another incident (sub-incident) in order to resolve the failed outcome before moving on to the next work-item”); 
executing the correlation search to identify a notable event (see [0060] and FIG. 7: “correlation analysis may be performed to determine the details with respect to an event or series of events (operation 103). A correlation algorithm and/or correlation rules may determine whether an incident has occurred (operation 104)”. And see [0027]: “Activity monitor 12 may collect events in real-time from security devices, network devices, security software and other devices and applications running on a network. If an event of interest occurs, for example, policy event, compliance event and/or other event, it may be passed along to the correlation engine 14, which may receive the event and proceed to determine whether to create an incident (e.g., based on correlation rules). An incident may be a predefined occurrence of a series of one or more events having one or more characteristics. For example, a series of events may show the characteristics of an intrusion attempting to access a secure asset which may be a violation of a predetermined policy (e.g., based on corporate governance)”. The Examiner interprets an incident as a notable event);
executing the action based on the notable event (see [0030] and Fig. 1: “In remediation mode 24, workflow module 20 executes one or more workflow process instances in an attempt to remediate a designated incident”. And see [0028]: “An incident identified by the correlation engine 14 (and/or other mechanism(s)) may be sent to the incident tracking module 16. Incident tracking module 16 may be used to create incident objects and track the status of remediation for the incident objects. Assignment module 18 may be used to select and assign a workflow process instance to the incident. (e.g., a customized workflow process instance designed in the manner described above). One or more reported incidents may be automatically (or manually) assigned a workflow processes instance based on incident details, workflow assignment rules and/or other information. For example, a particular workflow process instance may be designed to remediate a particular type of incident. By way of example, an incident based on a compliance event may be assigned a compliance workflow. The assigned workflow process instance enables incident remediation to begin”.); 
obtaining, from the security application, supplemental information related to the notable event (see [0033]: “As the remediation mode processes the incident according to the assigned workflow process instance the workflow module and the incident tracking module may receive updates based on completed workflow activities (e.g., work-items). The updated information enables remediation to be monitored, tracked and recorded for use with the workflow process instance and the incident object. Updates may be used to track and display progress of one or more workflow process instances executing on the system”. And see [0035] and Fig. 2: “For a selected incident object the incident tracking module 16 may provide a visual representation of the workflow progress in real-time using the assigned workflow process instance created in the workflow module edit mode. Incident object status information may be displayed via user interface 30. By way of example,  user interface 30 may display a status indicator 602 on or in association with the graphical display (see, e.g., FIG. 2) of the workflow process instance. The status indicator may be updated to reflect changes in progress as updates are received for completion of work-items”. And see [0032]: “The workflow module (or other module) may initiate one or more actions associated with the system work-item. Various types of actions may be taken and certain actions may be implemented on a network device in an attempt to resolve at least a portion of the incident. For example, the action may attempt to reach back to an external source (or a downstream device) of the event(s) which caused the incident. Completion of a system work-item may depend on the results of the action(s) taken”. The Examiner interprets receiving “Incident object status information” ([0035]) based on received “updates based on completed workflow activities (e.g., work-items)” ([0033]) from the “external source (or a downstream device) of the event(s) which caused the incident” (the security application, see [0032]), wherein the “updated information enables remediation to be monitored, tracked and recorded for use with the workflow process instance and the incident object” (see [0033], the incident corresponding to the notable event), as obtaining, from the security application, supplemental information related to the notable event); and 
causing display of a graphical user interface (GUI) including information representing the notable event and the supplemental information obtained based on the security application executing the action (see [0010]: “The user interface may be used to display a graphical representation associated with the incident tracking module and/or workflow module. …Regarding the incident tracking module, the user interface may display an organized list of pending and/or resolved incident objects and information associated therewith. For a selected incident object, the user interface may graphically display the selected workflow process instance (e.g., including the steps, with their associated work-item(s), and transitions in the selected workflow process instance between steps) and the execution status of the process (e.g., with respect to the graphically displayed steps and/or work-items). For example, a status indicator may be graphically displayed on or in association with one or more steps to graphically show its status”. Also see [0035] and Fig. 2: “For a selected incident object the incident tracking module 16 may provide a visual representation of the workflow progress in real-time using the assigned workflow process instance created in the workflow module edit mode. Incident object status information may be displayed via user interface 30. By way of example, user interface 30 may display a status indicator 602 on or in association with the graphical display (see, e.g., FIG. 2) of the workflow process instance. The status indicator may be updated to reflect changes in progress as updates are received for completion of work-items”. And see [0038]: “Incident tracking module 16 may provide a high-level status of the completion. For example, a percentage (or other kind of measurement) may be displayed next to a pending incident object in a list of pending incident objects”. And see [0034]: “A user interface may be used to display a graphical representation associated with the remediation status, among other things. The workflow module, in conjunction with incident tracking module 16, enables status of individual incident objects to be tracked, including the status of individual steps/work-items within a workflow process instance. For example, incident tracking module 16 may display an organized record of all pending and past incident objects including information on human resources assigned to each incident object, incident resolution status, and/or other information”. And see [0016]: “The progress/status of the assigned workflow process instance may be tracked and status information displayed via the user interface. The status information may be overlaid on and/or otherwise displayed as a graphical depiction in association with the workflow process instance itself”. Also see [0033], [0036], [0037]).

Chakravarty fails to teach wherein each of the events comprising a portion of raw machine data produced by a component of an information technology or security environment also includes a time stamp.
In the same field of endeavor, Block teaches wherein each of the events includes a time stamp (see [0027]: “Other event fields in the event data may include when the event was received from the event source ("receipt time"). The receipt time is a date/time stamp”) and a portion of raw machine data produced by a component of an information technology or security environment (see [0026]: “Data sources 201 generate event data for events, which are collected by the SIEM 210 and stored in the data storage 111. The data sources 201 may include network devices, applications or other types of data sources operable to provide event data that may be analyzed. Event data may be captured in logs or messages generated by the data sources 201”).
Both Chakravarty and Block teach events comprising a portion of raw machine data produced by a component of an information technology or security environment. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Chakravarty by letting each of the events comprising a portion of raw machine data produced by a component of an information technology or security environment include a time stamp, as taught by Block. It would have been obvious because Block teaches that the time stamp included in each of the events enables the detection of a brute-force attack (see Block [0052]: “At 509, if the condition or multiple conditions, e.g., when multiple conditions are specified for the rule, are met based on partial matches, an action for the rule is triggered. For example, the rule is a partitioned rule, such as if 5 failed login attempts from a user within a 5 minute period for one or more computers on the subnet for the partition are detected, then trigger an alert and disable the user ID”).

Regarding claims 24 and 38, Chakravarty further teaches wherein the notable event is associated with a potential security threat to a computing environment (see [0003]: “Systems that detect network incidents (e.g. for threats and vulnerabilities), in general, are known”).
Chakravarty fails to teach wherein the potential security threat includes at least one of: a malware infection, a brute-force login attack, a denial-of-service attack, or a phishing attack.
In the same field of endeavor, Block teaches wherein the potential security threat includes at least one of: a malware infection, a brute-force login attack, a denial-of-service attack, or a phishing attack (see [0052]: “At 509, if the condition or multiple conditions, e.g., when multiple conditions are specified for the rule, are met based on partial matches, an action for the rule is triggered. For example, the rule is a partitioned rule, such as if 5 failed login attempts from a user within a 5 minute period for one or more computers on the subnet for the partition are detected, then trigger an alert and disable the user ID”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Chakravarty by letting the potential security threat include a brute-force login attack as taught by Block. It would have been obvious because a brute-force login attack is one of a finite number of common security threats and a person with ordinary skill has good reason to pursue the known options within his or her technical grasp.

Regarding claim 25, Chakravarty further teaches storing the notable event in a notable event index (see [0035] and Fig. 1: “incident objects may be stored in a database 17 associated with incident tracking module 16”).

Regarding claim 26, Chakravarty further teaches wherein executing the action based on the notable event includes using an attribute of the notable event as input to the action (see [0034]: “information about an incident and/or its characteristics may be routed from activity monitor 12 and/or the correlation engine 14 to incident tracking module 16 to begin remediation”. And see [0026]: “Different workflow process instances may be created to be selectively used to remediate different types of incidents. The kinds of workflow processes may include, but are not limited to, compliance workflow, policy workflow, corporate governance workflow, and/or other types of workflows”. The Examiner interprets “information about an incident and/or its characteristics” and “types of incidents” as an attribute of the notable event. And see [0008]: “a particular workflow process instance may be designed to remediate a particular type of incident, e.g., depending on details of the particular incident”).

Regarding claim 27, Chakravarty further teaches wherein executing the action based on the notable event includes causing an external security application to perform an action (see [0032]: “Various types of actions may be taken and certain actions may be implemented on a network device in an attempt to resolve at least a portion of the incident. For example, the action may attempt to reach back to an external source (or a downstream device) of the event(s) which caused the incident”)
 Chakravarty fails to teach wherein the external security application includes at least one of: a firewall application, a user identity management application, or an antivirus and malware protection application.
In the same field of endeavor, Block teaches wherein the external security application includes at least one of: a firewall application, a user identity management application (see [0052]: “At 509, if the condition or multiple conditions, e.g., when multiple conditions are specified for the rule, are met based on partial matches, an action for the rule is triggered. For example, the rule is a partitioned rule, such as if 5 failed login attempts from a user within a 5 minute period for one or more computers on the subnet for the partition are detected, then trigger an alert and disable the user ID”. The Examiner interprets the application that is able to “disable the user ID” as a user identity management application), or an antivirus and malware protection application.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Chakravarty by letting the external security application include a user identity management application as taught by Block. It would have been obvious because a user identity management application is one of a finite number of common security applications and a person with ordinary skill has good reason to pursue the known options within his or her technical grasp.

Regarding claim 28, Chakravarty fails to teach wherein the action includes causing a security application to perform at least one of: blocking a user, blacklisting a network address or range of network addresses, configuring multi-factor authentication for a user, executing a malware scan, or executing a virus scan.
In the same field of endeavor, Block teaches wherein the action includes causing a security application to perform at least one of: blocking a user (see [0052]: “At 509, if the condition or multiple conditions, e.g., when multiple conditions are specified for the rule, are met based on partial matches, an action for the rule is triggered. For example, the rule is a partitioned rule, such as if 5 failed login attempts from a user within a 5 minute period for one or more computers on the subnet for the partition are detected, then trigger an alert and disable the user ID”. The Examiner interprets disabling the user ID as blocking a user), blacklisting a network address or range of network addresses, configuring multi-factor authentication for a user, executing a malware scan, or executing a virus scan.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Chakravarty by letting the action include causing a security application to perform blocking a user as taught by Block. It would have been obvious because blocking a user is one of a finite number of common threat mitigation techniques and a person with ordinary skill has good reason to pursue the known options within his or her technical grasp.

Regarding claim 29, Chakravarty further teaches storing data indicating an association between the correlation search and the action to be executed responsive to identification of notable events by the correlation search (see [0004]: “One aspect of the invention relates to customizing and storing workflow processes for use in remediating incidents such as security events”. And see [0026]: “a database 19 may be associated with workflow module 20 to facilitate storage of the workflow process instances”. And see [0052]: “FIG. 5 depicts a dialog for a template work-item which may be a predefined work-item stored within the system. A user may select from a plurality of predefined work-items displayed in a window. The work-item may be named using a text box 402. The system work-items can be provided by a third party. Aspects of the template work-item may be configured. FIG. 6 illustrates a dialog for a command work-item. A command work-item may be added to execute a configured command that allows parameters to be passed into the command to be executed. The user may specify the command in a text box 502. The command name may be specified in a separate text box 501. The command may be used to execute an action in an attempt to resolve at least a portion of the incident”. And see [0059]: “Rules in correlation engine 14 can detect a pattern in a single event of interest or a running window of events. When a match to an existing correlation rule is detected, the correlations engine generates a correlated event describing the found pattern and may create an incident to trigger a remediation workflow”. Chakravarty inherently teaches “storing data indicating an association between the correlation search and the action to be executed responsive to identification of notable events by the correlation search” because otherwise the remediation action/workflow to be executed when the correlation search detects an incident by matching the existing correlation rule would be unknown).


Claims 22 and 36 are rejected under 35 U.S.C. 103 as being unpatentable over Chakravarty (US 2008/0040191), further in view of Block (US 2016/0034361), and further in view of Zimmermann (US 2018/0027006).

Regarding claims 22 and 36, Chakravarty modified in view of Block fails to teach periodically executing the correlation search based on a defined schedule.
In the same field of endeavor, Zimmermann teaches periodically executing the correlation search (see [0193]: “Rules-based activities 638 may apply explicit rules and flag violations. An example of a violation may be a user logged in from two distant locations within short timeframe. Rules-based activities 638 may connect to alerts 624”) based on a defined schedule (see [0197]: “Offline processing function 624 may include a set of offline processing activities that may be performed on larger collections of events and may performed periodically or based on other triggers, rather than for each incoming event. Larger collections of events may include, for example, all data from a period of time. A period of time may be an hour, a day, a week, a month, three months, a year and the like”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Chakravarty modified in view of Block by executing the correlation search periodically based on a defined schedule, as taught by Zimmermann. It would have been obvious because doing so achieves the commonly understood benefit of regularly checking for notable events that are security threats.

Claims 23, 37 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Chakravarty (US 2008/0040191), further in view of Block (US 2016/0034361), and further in view of Nantel (US 2016/0173446).

Regarding claims 23, 37 and 40, Chakravarty modified in view of Block fails to teach wherein the input defining the modular alert further includes a defined schedule for executing the correlation search, and wherein the method further comprises executing the correlation search based on the defined schedule.
In the same field of endeavor, Nantel teaches wherein the input defining the modular alert further includes a defined schedule for executing the correlation search(see claim 21: “The system of claim 10, wherein the threat history processing module and the threat reporting module are configured to conduct processing and reporting automatically at pre-defined intervals”), and 
wherein the method further comprises executing the correlation search based on the defined schedule (see claim 10: “A system comprising: one or more processors; a communication interface device; one or more internal data storage devices operatively coupled to the one or more processors and storing; a threat history identification module configured to extract threat information from a database comprising one or more of firewall logs and historical threat logs; a threat history processing module configured to process the extracted threat information based on one or more of threats to be detected, parameters of threats to be presented, network level details of the threats, time interval for which threats are to be presented, and source-destination details of the threats; and a threat reporting module configured to report a plurality of threats selected from the one or more threats based on one or a combination of presentation parameters, timing parameters, and threat content parameters”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Chakravarty modified in view of Block by further including in the input defining the modular alert a defined schedule for executing the correlation search, and executing the correlation search based on the defined schedule, as taught by Nantel. It would have been obvious because doing so achieves the commonly understood benefit of letting a user define how often the correlation search for detecting security threats is automatically executed.

Claim 30 is rejected under 35 U.S.C. 103 as being unpatentable over Chakravarty (US 2008/0040191), further in view of Block (US 2016/0034361), and further in view of Official Notice 1.

Regarding claim 30, Chakravarty teaches linking the correlation search and results information obtained based on executing the action (see [0010]: “For a selected incident object, the user interface may graphically display the selected workflow process instance (e.g., including the steps, with their associated work-item(s), and transitions in the selected workflow process instance between steps) and the execution status of the process (e.g., with respect to the graphically displayed steps and/or work-items)”). However, Chakravarty modified in view of Block fails to teach wherein the correlation search is associated with an identifier, and wherein results information obtained based on executing the action is associated with the identifier, and wherein causing display of the GUI includes obtaining the results information based on the identifier.
The Examiner takes Official Notice 1 that it is a well-known technique to link two related items by associating with each of them a same identifier.
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Chakravarty modified in view of Block by linking the correlation search and results information obtained based on executing the action by associating with each of them a same identifier, as taught by Official Notice 1. It would have been obvious because doing so predictably achieves the commonly understood benefit of linking the correlation search and results information obtained based on executing the action. When such a modification is made, Chakravarty modified in view of Block and Official Notice 1 would teach wherein the correlation search is associated with an identifier, and wherein results information obtained based on executing the action is associated with the identifier, and wherein causing display of the GUI includes obtaining the results information based on the identifier.

Claim 31 is rejected under 35 U.S.C. 103 as being unpatentable over Chakravarty (US 2008/0040191), further in view of Block (US 2016/0034361), and further in view of Mont (US 2017/0223039).

Regarding claim 31, Chakravarty modified in view of Block fails to teach displaying an interactive electronic runbook, wherein the interactive electronic runbook includes instructions for remediating a security threat associated with the notable event.
In the same field of endeavor, Mont teaches displaying an interactive electronic runbook, wherein the interactive electronic runbook includes instructions for remediating a security threat associated with the notable event (see [0112]: “The SDN flow rule template determiner (712) represents programmed instructions that, when executed, cause the processing resources (702) to determine, from a playbook library, at least one SDN flow rule template to remediate the security threat. The workflow template determiner (712) represents programmed instructions that, when executed, cause the processing resources (702) to determine, from a workflow library, a workflow template to remediate the security threat”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Chakravarty modified in view of Block by adding the step of displaying an interactive electronic runbook, wherein the interactive electronic runbook includes instructions for remediating a security threat associated with the notable event, as taught by Mont. It would have been obvious because doing so achieves the commonly understood benefit of guiding a user to remediate the security threat associated with the notable event.

Claim 32 is rejected under 35 U.S.C. 103 as being unpatentable over Chakravarty (US 2008/0040191), further in view of Block (US 2016/0034361), and further in view of Seward (US 2015/0180891).

Regarding claim 32, Chakravarty modified in view of Block fails to teach wherein executing the correlation search comprises searching a field-searchable data store using a late-binding schema.
In the same field of endeavor, Seward teaches wherein executing the correlation search comprises searching a field-searchable data store using a late-binding schema (see [0069]: “The term "late-binding schema" as used herein may refer to a system in which the schema need not be defined or applied at the time of indexing or storing the collected data, as typically occurs with conventional database technology. Rather, in a system using a late-binding schema, the schema can be developed on an ongoing basis up until the time it needs to be applied, e.g., at query or search time”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Chakravarty modified in view of Block by letting executing the correlation search comprise searching a field-searchable data store using a late-binding schema, as taught by Seward. It would have been obvious because Seward explicitly teaches: “An advantage of such a late-binding schema may include enabling a user, e.g., a data analyst, to perform data analysis in order to learn more about data included within events indexed from collected machine data, while also allowing the user to continue developing the schema until, for example, it is needed again for executing a subsequent query to locate data within events” (see [0069]).

Claim 33 is rejected under 35 U.S.C. 103 as being unpatentable over Chakravarty (US 2008/0040191), further in view of Block (US 2016/0034361), and further in view of Seed (US 2016/0275190).

Regarding claim 33, Chakravarty modified in view of Block fails to teach	wherein the GUI further includes an indication of whether execution of the action was successful.
However, Seed teaches wherein the GUI further includes an indication of whether execution of the action was successful (see [0126]: “The processor 32 may be configured to control lighting patterns, images, or colors on the display or indicators 42 in response to whether the M2M crawling service 400 (e.g., crawling, publishing, collaborating) in some of the embodiments described herein are successful or unsuccessful, or otherwise indicate the status of M2M crawling service 400 performance. In another example, the display may show information with regard to crawling events, which are described herein. A graphical user interface, which may be shown on the display, may be layered on top of an API to allow a user to interactively establish and manage a Web search of M2M devices via the underlying M2M crawling service 400 described herein”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Chakravarty modified in view of Block by letting the GUI further include an indication of whether execution of the action was successful, as taught by Seed. It would have been obvious because doing so achieves the commonly understood benefit of informing a user the result of executing an action.

Claim 34 is rejected under 35 U.S.C. 103 as being unpatentable over Chakravarty (US 2008/0040191), further in view of Block (US 2016/0034361), and further in view of Marr (US 8,364,509).

Regarding claim 34, Chakravarty modified in view of Block fails to teach wherein the GUI further includes a hyperlink to a separate GUI including detailed information about the execution of the action.
However, Marr teaches wherein the GUI further includes a hyperlink to a separate GUI including detailed information about (see col. 8, lines 45-55: “Identifier column 508 indicates a unique identifier or other number associated with each agent. Agent name column 510 lists the name of each agent in training. Various reports shown herein can include certain areas that are highlighted or otherwise made links or "hot" as understood in the GUI art to indicate their status as hyperlinks that are responsive to user input (for example "clicks" or other input signals, or keyboard actions) to enable the user to jump or drill-down to more detailed information”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Chakravarty modified in view of Block by letting the GUI further include a hyperlink to a separate GUI including detailed information, as taught by Marr. It would have been obvious because doing so achieves the commonly understood benefit of keeping information displayed in a main GUI concise while providing additional information through a hyperlink that links to a separate GUI including detailed information. Because the GUI in Chakravarty modified in view of Block displays information about the execution of the action, Chakravarty modified in view of Block and Marr would teach wherein the GUI further includes a hyperlink to a separate GUI including detailed information about the execution of the action.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZHIMEI ZHU/Examiner, Art Unit 2495