DETAILED ACTION
This action is in response to amendments received 6/23/2022.  Claims 1, 3, 10, 12-21 and 23 were amended.  No new claims were added and no claims were cancelled.  Claims 1-23 are pending and are examined.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s amendments, filed 6/23/2022, to claims 1, 12 and 23 amending “rule which processing has triggered an offense” to “wherein the triggered rule comprises a respective one of the rules that triggered an offense during the processing” are sufficient to correct grammatical informalities and clarify the meaning of the claim phrase.  Accordingly, the objection to claims 1, 12 and 23, as filed in the Non-Final Rejection on 3/23/2022, is withdrawn.
Applicant’s amendments, filed 6/23/2022, to claim 23 amending “computer readable tangible storage medium” to “computer readable storage medium” are sufficient to overcome the rejection of claim 23 under 101 for being directed to a signal per se.  In addition, the Examiner notes that Applicant’s Specification explicitly discloses that a “computer readable storage medium, as used herein, is not to be construed as being transitory signals per se” (para. [00136]), therefore independent claims 12 and 23 are interpreted as having hardware.
Applicant’s amendments, filed 6/23/2022, to claims 1, 12 and 23 amending “sort within each rule” to “sort for each rule . . . according to an indicator of compromise likelihood of triggering an offense”, clarifying that indicators of compromise are in the “respective indicator of compromise index” and providing antecedent basis for “indicators of compromise” are sufficient to overcome the rejection of the aforementioned claims under 112, second paragraph, for indefinite claim language and lack of antecedent basis.  Accordingly, the rejection of claims 1, 12 and 23 as filed in (10) of the Non-Final Rejection is withdrawn.
Applicant’s amendments, filed 6/23/2022, to claims 10 and 21 defining the algorithm terms “past rule counter”, “observed events” and “pseudo security events” are sufficient to overcome the rejection of the aforementioned claims under 112, second paragraph, for indefinite claim language.  Accordingly, the rejection of claims 10 and 21 under 112, second paragraph, is withdrawn.
Applicant’s amendments, filed 6/23/2022, to claims 12-21 removing the claim terms “a first generation unit”, “a second generation unit” and “the generation unit” in addition to the other units and modules are sufficient to remove the indefinite claim language causing the aforementioned claims to be rejected under 112, second paragraph, and causing the claim to no longer be interpreted under 112, sixth paragraph.  Accordingly, the rejection of claims 12-21 under 112, second paragraph, is withdrawn.
Applicant’s arguments in pages 12-20 of their Remarks, filed 6/23/2022, with respect to claims 1-2, 4-5, 12-13, 15-16 and 23 as being rejected under 35 U.S.C. 103 as being unpatentable over Desch (US 2017/0187741 A1) in view of Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (Sept 2017) (hereafter Renners) and Pernicha (US 2016/0191466); Claims 3 and 14 as being rejected under 35 U.S.C. 103 as being unpatentable over Desch (US 2017/0187741 A1) in view of Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (Sept 2017) (hereafter Renners) and Pernicha (US 2016/0191466), as applied to claims 1 and 12, further in view of Okubo (US 10,728,273); Claims 6 and 17 as being rejected under 35 U.S.C. 103 as being unpatentable over Desch (US 2017/0187741 A1) in view of Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (Sept 2017) (hereafter Renners) and Pernicha (US 2016/0191466), as applied to claims 1 and 12, further in view of Shelton (US 2015/0213358); Claims 7-8 and 18-19 as being rejected under 35 U.S.C. 103 as being unpatentable over Desch (US 2017/0187741 A1) in view of Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (Sept 2017) (hereafter Renners) and Pernicha (US 2016/0191466), as applied to claims 1 and 12, further in view of Singh (US 2017/0223037); Claims 9 and 20 as being rejected under 35 U.S.C. 103 as being unpatentable over Desch (US 2017/0187741 A1) in view of Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (Sept 2017) (hereafter Renners) and Pernicha (US 2016/0191466), as applied to claims 1 and 12, further in view of Wool (US 2009/0172800); and Claims 11 and 22 as being rejected under 35 U.S.C. 103 as being unpatentable over Desch (US 2017/0187741 A1) in view of Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (Sept 2017) (hereafter Renners) and Pernicha (US 2016/0191466), as applied to claims 1 and 12, further in view of Pal (US 2020/0364223), have been fully considered and are found persuasive.  These rejections have been withdrawn.

Allowable Subject Matter
Claims 1-23 are allowed in light of Applicant’s arguments and in light of the prior art made of record.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
Newly amended independent claims 1, 12 and 23 are allowed for reasons explained by Applicant in pages 12-20 of their Remarks, filed 6/23/2022, and for reasons explained below: 
Newly amended independent claims 1, 12 and 23 are allowed because the closest identified prior art comprising Desch (US 2017/0187741 A1), Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (Sept 2017) (hereafter Renners) and Pernicha (US 2016/0191466), alone or in combination, fails to anticipate or render obvious the claimed invention.  In addition, the Examiner notes that Applicant’s Specification explicitly discloses that a “computer readable storage medium, as used herein, is not to be construed as being transitory signals per se” (para. [00136]), therefore independent claims 12 and 23 satisfy the requirements of 35 USC 101.
Desch (prior art on the record) teaches a method for categorizing and prioritizing indicators of compromise.  A set of rules and alerts are generated based on a normalized severity for an indicator of compromise in order to ensure that rules are only generated for indicators of compromise that are deemed a threat according to their severity score.  An incremental counter is maintained indicating an active status of an indicator of compromise based on its lifecycle and time period.  The lifecycle of an indicator of compromise is increased or set higher based on an increased or critically high normalized severity for the indicator of compromise.  A threshold is specified identifying when rule sets are disseminated to computer resources and a level of severity required to be reached before rules are transmitted.
Renners (prior art on the record) teaches a method for applying machine learning to generate training data comprising incidents from data received identifying what targets have been identified as vulnerable against attacks by known hostile hosts, processing the training data by applying rules, increasing the number of leaves and rules based on the number of incidents of training data and increasing severity indicators for incidents based on the training data.
Pernicha (prior art on the record) teaches a method for dynamically optimizing rule-based security policy management by grouping, reordering and deleting policy rules based on weights assigned to types of traffic, preference settings, priority settings, network traffic characteristics and usage statistics for each policy rule.  The set of rules is reordered based upon the rules with the highest hits/counter.  The rules are processed sequentially.  
None of the prior art of record cited above teaches the full combination of non-obvious features of claims 1, 12 and 23 of the present invention:
“generating a rule index of rules, the rules to be applied when receiving an incoming security event;”
“generating a respective indicator of compromise index comprising indicator values of indicators of compromise to be used for a comparison against an attribute of a security event;”
“processing the incoming security event by sequentially applying the rules, wherein processing the incoming security event by sequentially applying the rules comprises: increasing, in a rule incrementation step, a current rule counter relating to a triggered rule, wherein the triggered rule comprises a respective one of the rules that triggered an offense during the processing, and increasing a current indicator of compromise counter pertaining to the triggered rule;”
“generating a pseudo security event from received data about known attacks and related indicators of compromise; and processing the pseudo security events by sequentially applying the rules, wherein processing the pseudo security event comprises: increasing a current rule counter of pseudo security events relating to the triggered rule which processing has triggered the offense, and increasing a current indicator of compromise counter for pseudo security events pertaining to the triggered rule,”
“sorting the rules in the rule index according to a rule likelihood of triggering an offense, wherein the sorting the rules is based on respective weighted rule counter values, and sorting for each rule, the indicators of compromise in the respective indicator of compromise index according to an indicator of compromise likelihood of triggering an offense, wherein sorting the indicators of compromise is based on weighted current indicator of compromise counter values.”
None of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.
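An added illustration of the indexing, counting and sorting steps quoted in the claim language above; it is not code from the application, the cited references or the examiner. The rule names, sample event, intel record and the 1.0/0.5 weights are constructed assumptions, since the quoted claims do not say how the counters are weighted.

```python
from collections import Counter
W_OBSERVED, W_PSEUDO = 1.0, 0.5  # assumed weights; the claims give no formula

class RuleEngine:
    def __init__(self, rules):  # rules: {name: (event attribute, [IoC values])}
        self.rule_index = list(rules)
        self.attr = {r: a for r, (a, _) in rules.items()}
        self.ioc_index = {r: list(v) for r, (_, v) in rules.items()}
        self.rule_hits = {"observed": Counter(), "pseudo": Counter()}
        self.ioc_hits = {"observed": Counter(), "pseudo": Counter()}

    def process(self, event, kind="observed"):
        """Apply rules sequentially; return (triggered rule, IoC comparisons made)."""
        comparisons = 0
        for rule in self.rule_index:
            value = event.get(self.attr[rule])
            for ioc in self.ioc_index[rule]:
                comparisons += 1
                if ioc == value:  # offense: bump the rule and IoC counters
                    self.rule_hits[kind][rule] += 1
                    self.ioc_hits[kind][(rule, ioc)] += 1
                    return rule, comparisons
        return None, comparisons

    def _weighted(self, hits, key):
        return W_OBSERVED * hits["observed"][key] + W_PSEUDO * hits["pseudo"][key]

    def resort(self):
        """Most likely rules first, and within each rule most likely IoCs first."""
        self.rule_index.sort(key=lambda r: -self._weighted(self.rule_hits, r))
        for rule, iocs in self.ioc_index.items():
            iocs.sort(key=lambda i: -self._weighted(self.ioc_hits, (rule, i)))

def pseudo_event(attack):
    """Turn threat-intel data about a known attack into a pseudo security event."""
    return {attack["ioc_type"]: attack["ioc_value"]}

def demo():  # constructed rules, event and intel record
    engine = RuleEngine({
        "dns_blocklist": ("domain", ["a.example", "b.example", "c.example"]),
        "bad_src_ip": ("src_ip", ["192.0.2.1", "192.0.2.7", "198.51.100.9"])})
    event = {"src_ip": "198.51.100.9", "domain": "ok.example"}
    _, before = engine.process(event)
    intel = {"ioc_type": "src_ip", "ioc_value": "198.51.100.9"}
    for _ in range(3):
        engine.process(pseudo_event(intel), kind="pseudo")
    engine.resort()
    rule, after = engine.process(event)
    return rule, before, after, engine.rule_index
```

In `demo()`, the same event costs six indicator comparisons before the re-sort and one afterwards, because the pseudo events move both the matching rule and the matching indicator to the front of their indexes.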

Conclusion
Therefore, claims 1-23 are hereby allowed in view of applicant’s persuasive arguments and in light of the amendments to the claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARON S LYNCH whose telephone number is (571)272-4583.  The examiner can normally be reached on 10AM-6PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHARON S LYNCH/Primary Examiner, Art Unit 2438