DETAILED ACTION
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 4/22/2022 has been entered. Claims 1-20 are pending with claims 1, 9 and 17 having been amended. 

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 10/28/2021 have been fully considered.
Applicant’s arguments, with respect to the rejection(s) of amended claim(s) 1, 9 and 17 under 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Burdett et al (2017/0372070) in view of Krishnan et al (US 2018/0115595).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-6, 8, 9, 12-14, 16, 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Burdett et al (2017/0372070) in view of Krishnan et al (US 2018/0115595).
With respect to claim 1 Burdett teaches a non-transitory computer-readable storage medium having computer-readable code stored thereon for programming one or more processors associated with a Cloud Access Security Broker (CASB) system to perform steps of: 
causing a scan (see Burdett paragraph 0128:  i.e. the file is scanned by the scanning service ...) of a plurality of users associated with a tenant in a Software-as-a-Service, SaaS, application (see Burdett paragraph 0093 i.e. The cloud data store 306 may be used by applications within the cloud infrastructure service 302 to store data; paragraph 0104 i.e. the cloud data store 306 includes three files 308, 316, 312; and paragraph 0121 i.e. identify the customers cloud account) where the scan includes any of identifying malware in content in the SaaS application (see Burdett paragraph 0130 i.e. determination that the file contains one or more of malware) and identifying confidential data in the content in the SaaS application (see Burdett paragraph 0131 i.e. the file containing confidential information)
during the scan which is covering historical data in the SaaS application, receiving notifications of the content being actively modified by any of the plurality of users (see Burdett paragraph 0100 i.e. The scanning service 304 receives notification of the storage event from the cloud data store 306, and the scanning service 304 scans the file; paragraph 0121 i.e. Based on a notification of a file event, such as a notification of ... change to a file, the scanning service may request a copy of the file to be examined; paragraph 0126 i.e. The notification may be included in a queue that is monitored by the scanning service),
wherein the notification is configured to identify real-time modification of the content and wherein the notification identify any of the user the content and the event type (see Burdett paragraph 0121 i.e. Based on a notification of a file event, such as a notification of an upload, download, or change to a file, the scanning service may request a copy of the file to be examined and paragraph 0126 i.e. In processing block 504, the scanning service receives from the cloud storage service, a notification regarding storage activity related to a file. The activity may be, as a few examples, a related to an upload of a file to a cloud data store, or related to download of a file from a cloud data store, or related to a change to a file in a cloud data store. The notification may be in the form of an event. The notification may be included in a queue that is monitored by the scanning service. The notification may be provided in the cloud data store, for example, as a file in the cloud data store. The notification may be communicated using an applications programming interface (API) of the cloud infrastructure service or the cloud data store); and 
including the content being actively modified in the scan with the historical data (see Burdett paragraph 0121 i.e. Based on a notification of a file event, such as a notification of an upload, download, or change to a file, the scanning service may request a copy of the file to be examined. Once the file is copied to the data store of the scanning service (along with meta-data to identify the customers' cloud account and cloud data store) the file may be added to the scan queue and process all required rules as part of the scan of the file and paragraph 0128 i.e. In processing block 508, the file is scanned by the scanning service).

While Burdett teaches the notification of the content being actively modified by any of the plurality of users, Burdett does not teach that this is done via webhooks from the SaaS application, wherein the webhooks is configured to identify real-time modification of the content.
Krishnan teaches receiving notification via webhooks, wherein the webhooks is configured to identify real-time modification of the content (see Krishnan paragraph 0014-0017 i.e. Webhooks are user-defined HTTP callbacks, for example, an HTTP POST triggered by a specific event, e.g., a simple event-notification via HTTP post. They are usually triggered by some event, such as pushing code to a repository or a comment being posted to a blog. When the relevant event occurs, a source site directs an HTTP request to the URI configured for the webhook. Users can configure a webhook to cause events on one site that invoke behavior on another … webhooks can be used for receiving data in real time…webhooks can be used for receiving data and forwarding it. In this use case, a webhook not only receives real-time data, but goes on to do something new and meaningful with it, for example, trigger actions unrelated to the original event).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Krishnan to have used webhooks as a way to learn when a file has been modified since it is well known in the art that webhooks provide a way for an app to provide other applications with real-time information (see Krishnan paragraph 0014-0017). Therefore one would have been motivated to have used webhooks as a way to provide notifications.

With respect to claim 5 Burdett teaches the non-transitory computer-readable storage medium of claim 1, wherein the steps further include causing an action in the SaaS application based on the scan and based on policy and the content (see Burdett paragraph 0054 i.e. the remedial action facility may interact with the received information and may perform various actions on a client requesting access to a denied network location. The action may be one or more of continuing to block all requests to a denied network location, a malicious code scan on the application, a malicious code scan on the client facility, quarantine of the application, terminating the application, isolation of the application, isolation of the client facility to a location within the network that restricts network access, blocking a network access port from a client facility, reporting the application to an administration facility 134, or the like and paragraph 0035).

With respect to claim 6 Burdett teaches the non-transitory computer-readable storage medium of claim 5, wherein the action includes any of allowing a file, deleting a file, quarantining a file, and providing a notification (see Burdett paragraph 0054 i.e. the remedial action facility may interact with the received information and may perform various actions on a client requesting access to a denied network location. The action may be one or more of continuing to block all requests to a denied network location, a malicious code scan on the application, a malicious code scan on the client facility, quarantine of the application, terminating the application, isolation of the application, isolation of the client facility to a location within the network that restricts network access, blocking a network access port from a client facility, reporting the application to an administration facility 134, or the like and paragraph 0035).

With respect to claim 8 Burdett teaches the non-transitory computer-readable storage medium of claim 1, wherein the steps further include causing queueing of the content being actively modified and the historical data (see Burdett paragraph 0121 i.e. Based on a notification of a file event, such as a notification of an upload, download, or change to a file, the scanning service may request a copy of the file to be examined. Once the file is copied to the data store of the scanning service (along with meta-data to identify the customers' cloud account and cloud data store) the file may be added to the scan queue and process all required rules as part of the scan of the file. The scanning service may return a scan result (e.g., alert to a security manager) if triggering content is detected).

With respect to claim 9 Burdett teaches a system associated with a Cloud Access Security Broker (CASB) system, comprising: one or more processors and memory storing instructions that, when executed, cause the one or more processors to 
cause a scan (see Burdett paragraph 0128:  i.e. the file is scanned by the scanning service ...) of a plurality of users associated with a tenant in a Software-as-a-Service, SaaS, application (see Burdett paragraph 0093 i.e. The cloud data store 306 may be used by applications within the cloud infrastructure service 302 to store data; paragraph 0104 i.e. the cloud data store 306 includes three files 308, 316, 312; and paragraph 0121 i.e. identify the customers cloud account) where the scan includes any of identifying malware in content in the SaaS application (see Burdett paragraph 0130 i.e. determination that the file contains one or more of malware) and identifying confidential data in the content in the SaaS application (see Burdett paragraph 0131 i.e. the file containing confidential information)
during the scan which is covering historical data in the SaaS application, receiving notifications of the content being actively modified by any of the plurality of users (see Burdett paragraph 0100 i.e. The scanning service 304 receives notification of the storage event from the cloud data store 306, and the scanning service 304 scans the file; paragraph 0121 i.e. Based on a notification of a file event, such as a notification of ... change to a file, the scanning service may request a copy of the file to be examined; paragraph 0126 i.e. The notification may be included in a queue that is monitored by the scanning service),
wherein the notification is configured to identify real-time modification of the content and wherein the notification identify any of the user the content and the event type (see Burdett paragraph 0121 i.e. Based on a notification of a file event, such as a notification of an upload, download, or change to a file, the scanning service may request a copy of the file to be examined and paragraph 0126 i.e. In processing block 504, the scanning service receives from the cloud storage service, a notification regarding storage activity related to a file. The activity may be, as a few examples, a related to an upload of a file to a cloud data store, or related to download of a file from a cloud data store, or related to a change to a file in a cloud data store. The notification may be in the form of an event. The notification may be included in a queue that is monitored by the scanning service. The notification may be provided in the cloud data store, for example, as a file in the cloud data store. The notification may be communicated using an applications programming interface (API) of the cloud infrastructure service or the cloud data store); and 
including the content being actively modified in the scan with the historical data (see Burdett paragraph 0121 i.e. Based on a notification of a file event, such as a notification of an upload, download, or change to a file, the scanning service may request a copy of the file to be examined. Once the file is copied to the data store of the scanning service (along with meta-data to identify the customers' cloud account and cloud data store) the file may be added to the scan queue and process all required rules as part of the scan of the file and paragraph 0128 i.e. In processing block 508, the file is scanned by the scanning service).

While Burdett teaches the notification of the content being actively modified by any of the plurality of users, Burdett does not teach that this is done via webhooks from the SaaS application, wherein the webhooks is configured to identify real-time modification of the content.
Krishnan teaches receiving notification via webhooks, wherein the webhooks is configured to identify real-time modification of the content (see Krishnan paragraph 0014-0017 i.e. Webhooks are user-defined HTTP callbacks, for example, an HTTP POST triggered by a specific event, e.g., a simple event-notification via HTTP post. They are usually triggered by some event, such as pushing code to a repository or a comment being posted to a blog. When the relevant event occurs, a source site directs an HTTP request to the URI configured for the webhook. Users can configure a webhook to cause events on one site that invoke behavior on another … webhooks can be used for receiving data in real time…webhooks can be used for receiving data and forwarding it. In this use case, a webhook not only receives real-time data, but goes on to do something new and meaningful with it, for example, trigger actions unrelated to the original event).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Krishnan to have used webhooks as a way to learn when a file has been modified since it is well known in the art that webhooks provide a way for an app to provide other applications with real-time information (see Krishnan paragraph 0014-0017). Therefore one would have been motivated to have used webhooks as a way to provide notifications.

With respect to claim 13 Burdett teaches the system of claim 9, wherein the instructions that, when executed, further cause the one or more processors to cause an action in the SaaS application based on the scan and based on policy and the content (see Burdett paragraph 0054 i.e. the remedial action facility may interact with the received information and may perform various actions on a client requesting access to a denied network location. The action may be one or more of continuing to block all requests to a denied network location, a malicious code scan on the application, a malicious code scan on the client facility, quarantine of the application, terminating the application, isolation of the application, isolation of the client facility to a location within the network that restricts network access, blocking a network access port from a client facility, reporting the application to an administration facility 134, or the like and paragraph 0035).

With respect to claim 14 Burdett teaches the system of claim 13, wherein the action includes any of allowing a file, deleting a file, quarantining a file, and providing a notification (see Burdett paragraph 0054 i.e. the remedial action facility may interact with the received information and may perform various actions on a client requesting access to a denied network location. The action may be one or more of continuing to block all requests to a denied network location, a malicious code scan on the application, a malicious code scan on the client facility, quarantine of the application, terminating the application, isolation of the application, isolation of the client facility to a location within the network that restricts network access, blocking a network access port from a client facility, reporting the application to an administration facility 134, or the like and paragraph 0035).

With respect to claim 16 Burdett teaches the system of claim 9, wherein the instructions that, when executed, further cause the one or more processors to cause queueing of the content being actively modified and the historical data (see Burdett paragraph 0121 i.e. Based on a notification of a file event, such as a notification of an upload, download, or change to a file, the scanning service may request a copy of the file to be examined. Once the file is copied to the data store of the scanning service (along with meta-data to identify the customers' cloud account and cloud data store) the file may be added to the scan queue and process all required rules as part of the scan of the file. The scanning service may return a scan result (e.g., alert to a security manager) if triggering content is detected).

With respect to claim 17 Burdett teaches a method comprising: causing a scan (see Burdett paragraph 0128:  i.e. the file is scanned by the scanning service ...) of a plurality of users associated with a tenant in a Software-as-a-Service, SaaS, application (see Burdett paragraph 0093 i.e. The cloud data store 306 may be used by applications within the cloud infrastructure service 302 to store data; paragraph 0104 i.e. the cloud data store 306 includes three files 308, 316, 312; and paragraph 0121 i.e. identify the customers cloud account) where the scan includes any of identifying malware in content in the SaaS application (see Burdett paragraph 0130 i.e. determination that the file contains one or more of malware) and identifying confidential data in the content in the SaaS application (see Burdett paragraph 0131 i.e. the file containing confidential information)
during the scan which is covering historical data in the SaaS application, receiving notifications of the content being actively modified by any of the plurality of users (see Burdett paragraph 0100 i.e. The scanning service 304 receives notification of the storage event from the cloud data store 306, and the scanning service 304 scans the file; paragraph 0121 i.e. Based on a notification of a file event, such as a notification of ... change to a file, the scanning service may request a copy of the file to be examined; paragraph 0126 i.e. The notification may be included in a queue that is monitored by the scanning service),
wherein the notification is configured to identify real-time modification of the content and wherein the notification identify any of the user the content and the event type (see Burdett paragraph 0121 i.e. Based on a notification of a file event, such as a notification of an upload, download, or change to a file, the scanning service may request a copy of the file to be examined and paragraph 0126 i.e. In processing block 504, the scanning service receives from the cloud storage service, a notification regarding storage activity related to a file. The activity may be, as a few examples, a related to an upload of a file to a cloud data store, or related to download of a file from a cloud data store, or related to a change to a file in a cloud data store. The notification may be in the form of an event. The notification may be included in a queue that is monitored by the scanning service. The notification may be provided in the cloud data store, for example, as a file in the cloud data store. The notification may be communicated using an applications programming interface (API) of the cloud infrastructure service or the cloud data store); and 
including the content being actively modified in the scan with the historical data (see Burdett paragraph 0121 i.e. Based on a notification of a file event, such as a notification of an upload, download, or change to a file, the scanning service may request a copy of the file to be examined. Once the file is copied to the data store of the scanning service (along with meta-data to identify the customers' cloud account and cloud data store) the file may be added to the scan queue and process all required rules as part of the scan of the file and paragraph 0128 i.e. In processing block 508, the file is scanned by the scanning service).

While Burdett teaches the notification of the content being actively modified by any of the plurality of users, Burdett does not teach that this is done via webhooks from the SaaS application, wherein the webhooks is configured to identify real-time modification of the content.
Krishnan teaches receiving notification via webhooks, wherein the webhooks is configured to identify real-time modification of the content (see Krishnan paragraph 0014-0017 i.e. Webhooks are user-defined HTTP callbacks, for example, an HTTP POST triggered by a specific event, e.g., a simple event-notification via HTTP post. They are usually triggered by some event, such as pushing code to a repository or a comment being posted to a blog. When the relevant event occurs, a source site directs an HTTP request to the URI configured for the webhook. Users can configure a webhook to cause events on one site that invoke behavior on another … webhooks can be used for receiving data in real time…webhooks can be used for receiving data and forwarding it. In this use case, a webhook not only receives real-time data, but goes on to do something new and meaningful with it, for example, trigger actions unrelated to the original event).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Krishnan to have used webhooks as a way to learn when a file has been modified since it is well known in the art that webhooks provide a way for an app to provide other applications with real-time information (see Krishnan paragraph 0014-0017). Therefore one would have been motivated to have used webhooks as a way to provide notifications.

Claims 2, 10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Burdett et al (2017/0372070) in view of Krishnan et al (US 2018/0115595) in view of Hockings et al (US 9,998,470).
With respect to claim 2 Burdett teaches the non-transitory computer-readable storage medium of claim 1, but does not disclose wherein the steps further include maintaining geolocation of the any of the plurality of users and causing the content being actively modified in the scan to be processed by the CASB system based on the geolocation.
Hockings teaches wherein the steps further include maintaining geolocation of the any of the plurality of users (see Hockings column 9 lines 45-60 i.e. In various embodiments, the information collected by API scanner 120 during data transactions between mobile device 110 and server computer 150, cloud service 152, and/or storage system 154 is referred to as attribute elements. In this particular embodiment, once the attribute elements are identified and/or collected and can be stored as benchmark data in Benchmark database 144, in which it can be easily accessed and used as a juxtaposition against any incoming and or outgoing data within environment 100. Attribute elements can be, but are not limited to, file name, file size, file time stamp, geographical location, user identification, time zone, user name, Internet Protocol (IP) address, user behavioral patterns, and any other form of data known in the art); and causing the content being actively modified in the scan to be processed by the CASB system based on the geolocation (see Hockings column 16 lines 16-59 i.e. In step 206, data leakage detection component 142 receives the benchmark data information (i.e., benchmark data) from benchmark database 144. In various embodiments, data leakage detection component 142 receives the benchmark data information from benchmark data base 144 and analyzes the benchmark data, via CASB gateway. In various embodiments, analysis of the benchmark data (i.e., benchmark data analysis) comprises comparing the benchmark data with the user data request. In exemplary embodiments, data leakage detection component 142 can use the benchmark data information gathered from benchmark database 144 and/or cloud service 152 and can use the benchmark data information to determine if there are any changes in the user data request (Step 208)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Hockings to use an API scanner during data transactions between mobile device and server computer, cloud service 152, and/or storage system to collect information as attribute elements such as file name, file size, file time stamp, geographical location, user identification, time zone, user name, Internet Protocol (IP) address, user behavioral patterns, and any other form of data known in the art and analyze the benchmark data by comparing the benchmark data with the user data request to determine if there are any changes in the user data request (see Hockings column 9 lines 45-60 and column 16 lines 16-59). Therefore one would have been motivated to have used an API scanner during data transactions between mobile device and server computer, cloud service 152, and/or storage system to collect information as attribute elements.

	
With respect to claim 10 Burdett teaches the system of claim 9, but does not disclose, wherein the instructions that, when executed, further cause the one or more processors to maintain geolocation of the any of the plurality of users; and cause the content being actively modified in the scan to be processed by the CASB system based on the geolocation.
Hockings teaches wherein the steps further include maintaining geolocation of the any of the plurality of users (see Hockings column 9 lines 45-60 i.e. In various embodiments, the information collected by API scanner 120 during data transactions between mobile device 110 and server computer 150, cloud service 152, and/or storage system 154 is referred to as attribute elements. In this particular embodiment, once the attribute elements are identified and/or collected and can be stored as benchmark data in Benchmark database 144, in which it can be easily accessed and used as a juxtaposition against any incoming and or outgoing data within environment 100. Attribute elements can be, but are not limited to, file name, file size, file time stamp, geographical location, user identification, time zone, user name, Internet Protocol (IP) address, user behavioral patterns, and any other form of data known in the art); and causing the content being actively modified in the scan to be processed by the CASB system based on the geolocation (see Hockings column 16 lines 16-59 i.e. In step 206, data leakage detection component 142 receives the benchmark data information (i.e., benchmark data) from benchmark database 144. In various embodiments, data leakage detection component 142 receives the benchmark data information from benchmark data base 144 and analyzes the benchmark data, via CASB gateway. In various embodiments, analysis of the benchmark data (i.e., benchmark data analysis) comprises comparing the benchmark data with the user data request. In exemplary embodiments, data leakage detection component 142 can use the benchmark data information gathered from benchmark database 144 and/or cloud service 152 and can use the benchmark data information to determine if there are any changes in the user data request (Step 208)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Hockings to use an API scanner during data transactions between mobile device and server computer, cloud service 152, and/or storage system to collect information as attribute elements such as file name, file size, file time stamp, geographical location, user identification, time zone, user name, Internet Protocol (IP) address, user behavioral patterns, and any other form of data known in the art and analyze the benchmark data by comparing the benchmark data with the user data request to determine if there are any changes in the user data request (see Hockings column 9 lines 45-60 and column 16 lines 16-59). Therefore one would have been motivated to have used an API scanner during data transactions between mobile device and server computer, cloud service 152, and/or storage system to collect information as attribute elements.

With respect to claim 18 Burdett teaches the method of claim 17, but does not disclose further comprising maintaining geolocation of the any of the plurality of users; and causing the content being actively modified in the scan to be processed by the CASB system based on the geolocation.
Hockings teaches wherein the steps further include maintaining geolocation of the any of the plurality of users (see Hockings column 9 lines 45-60 i.e. In various embodiments, the information collected by API scanner 120 during data transactions between mobile device 110 and server computer 150, cloud service 152, and/or storage system 154 is referred to as attribute elements. In this particular embodiment, once the attribute elements are identified and/or collected and can be stored as benchmark data in Benchmark database 144, in which it can be easily accessed and used as a juxtaposition against any incoming and or outgoing data within environment 100. Attribute elements can be, but are not limited to, file name, file size, file time stamp, geographical location, user identification, time zone, user name, Internet Protocol (IP) address, user behavioral patterns, and any other form of data known in the art); and causing the content being actively modified in the scan to be processed by the CASB system based on the geolocation (see Hockings column 16 lines 16-59 i.e. In step 206, data leakage detection component 142 receives the benchmark data information (i.e., benchmark data) from benchmark database 144. In various embodiments, data leakage detection component 142 receives the benchmark data information from benchmark data base 144 and analyzes the benchmark data, via CASB gateway. In various embodiments, analysis of the benchmark data (i.e., benchmark data analysis) comprises comparing the benchmark data with the user data request. In exemplary embodiments, data leakage detection component 142 can use the benchmark data information gathered from benchmark database 144 and/or cloud service 152 and can use the benchmark data information to determine if there are any changes in the user data request (Step 208)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Hockings to use an API scanner during data transactions between mobile device and server computer, cloud service 152, and/or storage system to collect information as attribute elements such as file name, file size, file time stamp, geographical location, user identification, time zone, user name, Internet Protocol (IP) address, user behavioral patterns, and any other form of data known in the art and analyze the benchmark data by comparing the benchmark data with the user data request to determine if there are any changes in the user data request (see Hockings column 9 lines 45-60 and column 16 lines 16-59). Therefore one would have been motivated to have used an API scanner during data transactions between mobile device and server computer, cloud service 152, and/or storage system to collect information as attribute elements.


Claims 3, 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Burdett et al (2017/0372070) in view of Krishnan et al (US 2018/0115595) in view of Gahlot et al (US 2020/0201994).
With respect to claim 3 Burdett teaches the non-transitory computer-readable storage medium of claim 1, but does not disclose wherein the steps further include prioritizing the content being actively modified in the scan higher than the scan of the historical data.
Gahlot teaches wherein the steps further include prioritizing the content being actively modified in the scan higher than the scan of the historical data (see Gahlot paragraph 0028 i.e. As further shown by FIG. 1, system 100 includes a scan priority component 130 that prioritizes malware scanning of files modified and/or otherwise accessed by malicious users over other files stored in the data storage system and paragraph 0035 i.e. Also or alternatively, the scan priority component 130, via the malware scanning component 320, can direct a real-time or substantially real-time malware scan of a file in response to determining that the file has been modified by a malicious user, thereby bypassing the scan queue defined by the scan queue component 310 for that file).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Gahlot to have included a scan priority component that can direct a real-time or substantially real-time malware scan of a file in response to determining that the file has been modified by a malicious user to bypass the scan queue defined by the scan queue component to move files modified by a malicious user ahead of other files in the scan queue that have not been modified by a malicious user (see Gahlot paragraphs 0028 and 0035). Therefore one would have been motivated to have included a scan priority component that can direct a real-time or substantially real-time malware scan of a file in response to determining that the file has been modified by a malicious user to bypass the scan queue defined by the scan queue component.

	With respect to claim 11 Burdett teaches the system of claim 9, but does not disclose wherein the instructions that, when executed, further cause the one or more processors to prioritize the content being actively modified in the scan higher than the scan of the historical data.
Gahlot teaches wherein the instructions that, when executed, further cause the one or more processors to prioritize the content being actively modified in the scan higher than the scan of the historical data (see Gahlot paragraph 0028 i.e. As further shown by FIG. 1, system 100 includes a scan priority component 130 that prioritizes malware scanning of files modified and/or otherwise accessed by malicious users over other files stored in the data storage system and paragraph 0035 i.e. Also or alternatively, the scan priority component 130, via the malware scanning component 320, can direct a real-time or substantially real-time malware scan of a file in response to determining that the file has been modified by a malicious user, thereby bypassing the scan queue defined by the scan queue component 310 for that file).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Gahlot to have included a scan priority component that can direct a real-time or substantially real-time malware scan of a file in response to determining that the file has been modified by a malicious user to bypass the scan queue defined by the scan queue component to move files modified by a malicious user ahead of other files in the scan queue that have not been modified by a malicious user (see Gahlot paragraphs 0028 and 0035). Therefore one would have been motivated to have included a scan priority component that can direct a real-time or substantially real-time malware scan of a file in response to determining that the file has been modified by a malicious user to bypass the scan queue defined by the scan queue component.

With respect to claim 19 Burdett teaches the method of claim 17, but does not disclose further comprising prioritizing the content being actively modified in the scan higher than the scan of the historical data.
Gahlot teaches further comprising prioritizing the content being actively modified in the scan higher than the scan of the historical data (see Gahlot paragraph 0028 i.e. As further shown by FIG. 1, system 100 includes a scan priority component 130 that prioritizes malware scanning of files modified and/or otherwise accessed by malicious users over other files stored in the data storage system and paragraph 0035 i.e. Also or alternatively, the scan priority component 130, via the malware scanning component 320, can direct a real-time or substantially real-time malware scan of a file in response to determining that the file has been modified by a malicious user, thereby bypassing the scan queue defined by the scan queue component 310 for that file).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Gahlot to have included a scan priority component that can direct a real-time or substantially real-time malware scan of a file in response to determining that the file has been modified by a malicious user to bypass the scan queue defined by the scan queue component to move files modified by a malicious user ahead of other files in the scan queue that have not been modified by a malicious user (see Gahlot paragraphs 0028 and 0035). Therefore one would have been motivated to have included a scan priority component that can direct a real-time or substantially real-time malware scan of a file in response to determining that the file has been modified by a malicious user to bypass the scan queue defined by the scan queue component.

Claims 4, 7, 12, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Burdett et al (2017/0372070) in view of Krishnan et al (US 2018/0115595) in view of Singh et al (US 10,621,346).
With respect to claim 4 Burdett teaches the non-transitory computer-readable storage medium of claim 1, but does not disclose wherein the historical data is scanned via Application Programming Interfaces (APIs) associated with the SaaS application, and the notifications of the content being actively modified are via webhooks from the SaaS application.
Singh teaches wherein the historical data is scanned via Application Programming Interfaces (APIs) associated with the SaaS application (see Singh column 6 lines 25-60 i.e. In a polling mode, introspective analyzer 175 calls the cloud-based services using API connectors to crawl data resident in the cloud-based services and check for changes. As an example, Box.TM. storage application provides an admin API called the Box Content API.TM. that provides visibility into an organization's accounts for all users, including audit logs of Box folders, that can be inspected to determine whether any sensitive files were downloaded after a particular date, at which the credentials were compromised. Introspective analyzer 175 polls this API to discover any changes made to any of the accounts. If changes are discovered, the Box Events API.TM. is polled to discover the detailed data changes. In a callback model, introspective analyzer 175 registers with the cloud-based services via API connectors to be informed of any significant events. For example, introspective analyzer 175 can use Microsoft Office365 Webhooks API.TM. to learn when a file has been shared externally. Introspective analyzer 175 also has deep API inspection (DAPII), deep packet inspection (DPI), and log inspection capabilities and includes a DLP engine that applies the different content inspection techniques on files at rest in the cloud-based services, to determine which documents and files are sensitive, based on policies and rules stored in storage 186. The result of the inspection by introspective analyzer 175 is generation of user-by-user data and file-by-file data).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Singh to have an introspective analyzer call the cloud-based services using API connectors to crawl data resident in the cloud-based services and check for changes that provides visibility into an organization's accounts for all users, including audit logs of Box folders, that can be inspected to determine whether any sensitive files were downloaded after a particular date, at which the credentials were compromised, where the introspective analyzer can then poll this API to discover any changes made to any of the accounts and, if changes are discovered, then use a Box Events API to discover the detailed data changes (see Singh column 6 lines 25-60). Therefore one would have been motivated to have used an introspective analyzer to call the cloud-based services using API connectors to crawl data resident in the cloud-based services and check for changes that provides visibility into an organization's accounts for all users.

With respect to claim 7 Burdett teaches the non-transitory computer-readable storage medium of claim 1, but does not disclose wherein the steps further include causing execution of a file of the content in a sandbox for the identifying malware.
Singh teaches wherein the steps further include causing execution of a file of the content in a sandbox for the identifying malware (see Singh  figure 1B and column 11 lines 1-50 i.e. Data center 152 includes Netskope cloud access security broker (N -CASB) 155 which includes file receivers 161 for managing file traffic; cache 182--a short term, hash indexed, memory based, fast cache that stores the scan result of any file, indexed by the file's hash value; and threat protection service 156, which includes static and dynamic anti-virus inspection 162….Threat protection service 156 also includes similarity calculator 167 for determining the level of similarity between new and old values for file size, file name, file extension and other properties that represent file features. Also included is determinator 169 which utilizes the results of similarity calculator 167 for deciding which files need threat scanning. Malware scanning engines with sandbox analyzers 185 execute files determined to be suspicious and therefore in need of a full threat scan, to test behavior. In one implementation, as much as five minutes may be used to execute each of the executables in the file after scanning. Also included in threat protection service 156 is alert generator 195 for signaling that a file contains malware and column 12 lines 39-67).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Singh to have used a sandbox for a full threat scan of a file to analyze the executed files to test behavior, where as much as five minutes may be used to execute each of the executables in the file, as a way to scan the file in a protected environment (see Singh column 11 lines 1-50). Therefore one would have been motivated to have used a sandbox for scanning the file.

With respect to claim 12 Burdett teaches the system of claim 9, but does not disclose wherein the historical data is scanned via Application Programming Interfaces (APIs) associated with the SaaS application, and the notifications of the content being actively modified are via webhooks from the SaaS application.
Singh teaches wherein the historical data is scanned via Application Programming Interfaces (APIs) associated with the SaaS application, and the notifications of the content being actively modified are via webhooks from the SaaS application (see Singh column 6 lines 25-60 i.e. In a polling mode, introspective analyzer 175 calls the cloud-based services using API connectors to crawl data resident in the cloud-based services and check for changes. As an example, Box.TM. storage application provides an admin API called the Box Content API.TM. that provides visibility into an organization's accounts for all users, including audit logs of Box folders, that can be inspected to determine whether any sensitive files were downloaded after a particular date, at which the credentials were compromised. Introspective analyzer 175 polls this API to discover any changes made to any of the accounts. If changes are discovered, the Box Events API.TM. is polled to discover the detailed data changes. In a callback model, introspective analyzer 175 registers with the cloud-based services via API connectors to be informed of any significant events. For example, introspective analyzer 175 can use Microsoft Office365 Webhooks API.TM. to learn when a file has been shared externally. Introspective analyzer 175 also has deep API inspection (DAPII), deep packet inspection (DPI), and log inspection capabilities and includes a DLP engine that applies the different content inspection techniques on files at rest in the cloud-based services, to determine which documents and files are sensitive, based on policies and rules stored in storage 186. The result of the inspection by introspective analyzer 175 is generation of user-by-user data and file-by-file data).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Singh to have an introspective analyzer call the cloud-based services using API connectors to crawl data resident in the cloud-based services and check for changes that provides visibility into an organization's accounts for all users, including audit logs of Box folders, that can be inspected to determine whether any sensitive files were downloaded after a particular date, at which the credentials were compromised, where the introspective analyzer can then poll this API to discover any changes made to any of the accounts and, if changes are discovered, then use a Box Events API to discover the detailed data changes (see Singh column 6 lines 25-60). Therefore one would have been motivated to have used an introspective analyzer to call the cloud-based services using API connectors to crawl data resident in the cloud-based services and check for changes that provides visibility into an organization's accounts for all users.

With respect to claim 15 Burdett teaches the system of claim 9, but does not disclose wherein the instructions that, when executed, further cause the one or more processors to cause execution of a file of the content in a sandbox for the malware identification.
Singh teaches wherein the steps further include causing execution of a file of the content in a sandbox for the identifying malware (see Singh  figure 1B and column 11 lines 1-50 i.e. Data center 152 includes Netskope cloud access security broker (N -CASB) 155 which includes file receivers 161 for managing file traffic; cache 182--a short term, hash indexed, memory based, fast cache that stores the scan result of any file, indexed by the file's hash value; and threat protection service 156, which includes static and dynamic anti-virus inspection 162….Threat protection service 156 also includes similarity calculator 167 for determining the level of similarity between new and old values for file size, file name, file extension and other properties that represent file features. Also included is determinator 169 which utilizes the results of similarity calculator 167 for deciding which files need threat scanning. Malware scanning engines with sandbox analyzers 185 execute files determined to be suspicious and therefore in need of a full threat scan, to test behavior. In one implementation, as much as five minutes may be used to execute each of the executables in the file after scanning. Also included in threat protection service 156 is alert generator 195 for signaling that a file contains malware and column 12 lines 39-67).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Singh to have used a sandbox for a full threat scan of a file to analyze the executed files to test behavior, where as much as five minutes may be used to execute each of the executables in the file, as a way to scan the file in a protected environment (see Singh column 11 lines 1-50). Therefore one would have been motivated to have used a sandbox for scanning the file.

With respect to claim 20 Burdett teaches the method of claim 17, but does not disclose wherein the historical data is scanned via Application Programming Interfaces (APIs) associated with the SaaS application, and the notifications of the content being actively modified are via webhooks from the SaaS application. 
Singh teaches wherein the historical data is scanned via Application Programming Interfaces (APIs) associated with the SaaS application, and the notifications of the content being actively modified are via webhooks from the SaaS application (see Singh column 6 lines 25-60 i.e. In a polling mode, introspective analyzer 175 calls the cloud-based services using API connectors to crawl data resident in the cloud-based services and check for changes. As an example, Box.TM. storage application provides an admin API called the Box Content API.TM. that provides visibility into an organization's accounts for all users, including audit logs of Box folders, that can be inspected to determine whether any sensitive files were downloaded after a particular date, at which the credentials were compromised. Introspective analyzer 175 polls this API to discover any changes made to any of the accounts. If changes are discovered, the Box Events API.TM. is polled to discover the detailed data changes. In a callback model, introspective analyzer 175 registers with the cloud-based services via API connectors to be informed of any significant events. For example, introspective analyzer 175 can use Microsoft Office365 Webhooks API.TM. to learn when a file has been shared externally. Introspective analyzer 175 also has deep API inspection (DAPII), deep packet inspection (DPI), and log inspection capabilities and includes a DLP engine that applies the different content inspection techniques on files at rest in the cloud-based services, to determine which documents and files are sensitive, based on policies and rules stored in storage 186. The result of the inspection by introspective analyzer 175 is generation of user-by-user data and file-by-file data).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Burdett in view of Singh to have an introspective analyzer call the cloud-based services using API connectors to crawl data resident in the cloud-based services and check for changes that provides visibility into an organization's accounts for all users, including audit logs of Box folders, that can be inspected to determine whether any sensitive files were downloaded after a particular date, at which the credentials were compromised, where the introspective analyzer can then poll this API to discover any changes made to any of the accounts and, if changes are discovered, then use a Box Events API to discover the detailed data changes (see Singh column 6 lines 25-60). Therefore one would have been motivated to have used an introspective analyzer to call the cloud-based services using API connectors to crawl data resident in the cloud-based services and check for changes that provides visibility into an organization's accounts for all users.

Prior art of record
	Zimmermann et al (US 2018/0027006) teaches a cloud security fabric that has enterprise APIs for connecting to the information technology infrastructure of an enterprise, developer APIs 102 for enabling developers to access capabilities of the fabric and connector APIs by which the fabric may discover information about entities relevant to the information security of the enterprise (such as events involving users, applications, and data of the enterprise occurring on a plurality of cloud-enabled platforms, including PaaS/IaaS platforms), with various modules that comprise services deployed in the cloud security fabric, such as a selective encryption module, a policy creation and automation module, a content classification as a service module, and user and entity behavior analytics modules.
	Narayanaswamy (US 2020/0242269) teaches an incident-driven and user-targeted data loss prevention that includes a CASB controlling exfiltration of sensitive content in documents stored on cloud-based services in use by organization users, by monitoring manipulation of the documents. CASB identifies the cloud-based services that the particular user has access to and at least one document location on the cloud-based services to inspect for sensitive documents, in response to receiving an indication that user credentials have been compromised. The CASB performs deep inspection of documents identified as stored at the location and detects at least some sensitive documents. Based on the detected sensitive documents, the CASB determines data exposure for the organization due to the compromised credentials of the particular user.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/DEVIN E ALMEIDA/Examiner, Art Unit 2492                                                                                                                                                                                                        

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492