Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
Claims 1-20 are pending and are being considered.
Claims 1, 10, 18 and 20 have been amended.
Examiner's Amendments
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. Authorization for this examiner's amendment was given in a telephone interview with Tom Bassolino, Reg. No. 65946, on 06/27/2022.
AMEND THE CLAIMS AS FOLLOWS:
1.	(Currently Amended) A computer program product comprising computer executable code embodied in a non-transitory computer-readable medium that, when executing on a threat management facility for an enterprise network, performs the steps of:
	providing a first interface of the threat management facility for monitoring activity on a plurality of compute instances of the enterprise network;
	providing a second interface of the threat management facility for communications with local security agents on the plurality of compute instances that provide local security to the plurality of compute instances against malicious network activity;
	providing a third interface of the threat management facility for providing programmatic access to the threat management facility by one or more resources outside the enterprise network;
	providing a security system for managing use of third party security resources within the enterprise network, the security system configured to:
controllably expose security data for the enterprise network available through the first interface to the third party security resources accessing the threat management facility through the third interface based at least in part on an authentication to verify an identity of each of the third party security resources and a determination of privileges and permissions provided by the enterprise network to the identity of each of the third party security resources,
controllably expose a programmatic interface for configuration of the local security agents by the third party security resources using the programmatic interface, and 
configure one or more of the plurality of compute instances of the enterprise network to use the third party security resources for enforcement of security policies for the enterprise network based on the security data available through the first interface;
receiving an event stream including a plurality of event vectors from the plurality of compute instances at the threat management facility through the first interface;
storing the plurality of event vectors in an event store for the threat management facility, wherein the security data controllably exposed to the third party security resources includes at least a portion of the stored event vectors of the plurality of event vectors;
calculating a risk score for the plurality of compute instances based on a comparison of one or more event vectors of the plurality of event vectors in the event stream with an entity model, wherein the entity model is a vector representation of different events associated with an entity; 
adjusting privilege levels of the plurality of compute instances based on the risk score;
providing metered access to the event store by the third party security resources to facilitate security services from the third party security resources for the enterprise network through the third interface, the metered access facilitating payment for access by the third party security resources to the event store; and 
providing metered access to the third party security resources by the plurality of compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances, the metered access facilitating payment for use of the security services from the third party security resources by the plurality of compute instances.

10.	(Currently Amended) A method comprising:
	monitoring activity on a plurality of compute instances of an enterprise network through a first interface of a threat management facility;
	communicating with local security agents on the plurality of compute instances through a second interface of the threat management facility;
	providing programmatic access to the threat management facility by one or more resources outside the enterprise network through a third interface of the threat management facility;
	operating a security system on the threat management facility, the security system configured to:
controllably expose security data for the enterprise network available through the first interface to the one or more resources outside the enterprise network accessing the threat management facility through the third interface based at least in part on an authentication to verify an identity of each of the one or more resources outside the enterprise network and a determination of privileges and permissions provided by the enterprise network to the identity of each of the one or more resources outside the enterprise network,
controllably expose a programmatic interface for configuration of the local security agents by the one or more resources outside the enterprise network using the programmatic interface, and
configure one or more of the plurality of compute instances of the enterprise network to use the one or more resources outside the enterprise network for enforcement of security policies of the enterprise network, wherein to configure is based on the security data available through the first interface that is controllably exposed to the one or more resources outside the enterprise network;
receiving an event stream including a plurality of event vectors from the plurality of compute instances at the threat management facility through the first interface;
storing the plurality of event vectors in an event store for the threat management facility, wherein the security data controllably exposed to the one or more resources outside the enterprise network through the third interface comprises at least a portion of the stored event vectors of the plurality of event vectors;
calculating a risk score for the plurality of compute instances based on a comparison of one or more event vectors of the plurality of event vectors in the event stream with an entity model, wherein the entity model is a vector representation of different events associated with an entity;
adjusting privilege levels of the plurality of compute instances based on the risk score;
providing metered access to the event store by the one or more resources outside the enterprise network to facilitate security services from the one or more resources outside the enterprise network for the enterprise network through the third interface, the metered access facilitating payment for access by the one or more resources outside the enterprise network to the event store; and
providing metered access to the one or more resources outside the enterprise network by the plurality of compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances, the metered access facilitating payment for use of the security services from the one or more resources outside the enterprise network by the plurality of compute instances.

18.	(Currently Amended) The method of claim 10 further comprising storing [[an]]the event stream for the enterprise network by an event collection facility of the threat management facility.

20.	(Currently Amended) A system comprising:
	a threat management facility for a plurality of compute instances in an enterprise network;
	a first interface of the threat management facility for monitoring activity on the plurality of compute instances;
	a second interface of the threat management facility for communications with local security agents on the plurality of compute instances that provide local security to the plurality of compute instances against malicious network activity;
	a third interface of the threat management facility providing programmatic access to the threat management facility by one or more resources outside the enterprise network; and
	a security system within the threat management facility, the security system configured to:
controllably expose data for the enterprise network available through the first interface to a remote user accessing the threat management facility through the third interface based at least in part on an authentication to verify an identity of the remote user and a determination of privileges and permissions provided by the enterprise network to the identity of the remote user,
controllably expose a programmatic interface for configuration of the local security agents by the one or more resources outside the enterprise network using the programmatic interface, and
configure one or more of the plurality of compute instances of the enterprise network to use the one or more resources outside the enterprise network for enforcement of security policies of the enterprise network, wherein to configure is based on the data available through the first interface that is controllably exposed to the remote user;
an event collection facility of the threat management facility, the event collection facility configured to receive an event stream including a plurality of event vectors from the plurality of compute instances at the threat management facility through the first interface and store the plurality of event vectors in an event store for the threat management facility, wherein the data controllably exposed to the remote user through the third interface comprises at least a portion of the stored event vectors of the plurality of event vectors; [[and]]
an analysis module of the threat management facility, the analysis module configured to calculate a risk score for the plurality of compute instances based on a comparison of one or more event vectors of the plurality of event vectors in the event stream with an entity model, wherein the entity model is a vector representation of different events associated with an entity, the threat management facility configured to adjust privilege levels of the plurality of compute instances based on the risk score; and
a metering facility of the threat management facility, the metering facility configured to:
provide metered access to the event store by the remote user to facilitate security services from the remote user for the enterprise network through the third interface, the metered access facilitating payment for access by the remote user to the event store; and
provide metered access to the remote user by the plurality of compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances, the metered access facilitating payment for use of the security services from the remote user by the plurality of compute instances.
Response to Arguments
Applicant's arguments filed on 06/15/2022 have been fully considered and are persuasive.
Allowable Subject Matter
Claims 1-20 are allowed.
Examiner’s Statement of Reason for Allowance
Under 37 C.F.R. 1.104(e), if the examiner believes that the record of the prosecution as a whole does not make clear his or her reasons for allowing a claim or claims, the examiner may set forth such reasoning at the time of allowance. At this time, the examiner believes that the claims allowed above warrant a separate statement of reasons to make the record clearer. The applicant or patent owner may file a statement commenting on the reasons for allowance within such time as may be specified by the examiner.
The following is an examiner’s statement of reasons for allowance:
In interpreting the currently amended claims in light of the specification, the Examiner finds the claimed invention to be patentably distinct from the prior art of record.
The present invention is directed towards an interface for a threat management facility of an enterprise network that supports the use of third-party security products within the enterprise network by providing access to relevant internal instrumentation and/or a programmatic interface for direct or indirect access to local security agents on compute instances within the enterprise network.
Claims 1, 10 and 20 recite the unique and distinct feature of "….receiving an event stream including a plurality of event vectors from the plurality of compute instances at the threat management facility through the first interface; calculating a risk score for the plurality of compute instances based on a comparison of one or more event vectors of the plurality of event vectors in the event stream with an entity model, wherein the entity model is a vector representation of different events associated with an entity; adjusting privilege levels of the plurality of compute instances based on the risk score; providing metered access to the third party security resources by the plurality of compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances" in combination with the other limitations of the claims.
The closest prior art, Ray et al. (US 20160173509), is directed towards improving threat detection by monitoring variations in observable events and correlating these variations to malicious activity. The disclosed techniques can be usefully employed with any attribute or other metric that can be instrumented on an endpoint and tracked over time, including observable events such as changes to files, data, software configurations, and operating systems.
Ray teaches an interface for a threat management facility that monitors activity on a plurality of compute instances, provides local security to the compute instances, and manages security resources within the enterprise network. Ray fails to explicitly teach receiving an event stream including a plurality of event vectors from the plurality of compute instances at the threat management facility through the first interface; calculating a risk score for the plurality of compute instances based on a comparison of one or more event vectors of the plurality of event vectors in the event stream with an entity model, wherein the entity model is a vector representation of different events associated with an entity; adjusting privilege levels of the plurality of compute instances based on the risk score; providing metered access to the third party security resources by the plurality of compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances.
The closest prior art, Mahaffey et al. (US 20160099963), is directed towards determining an enterprise risk level and sharing security risk information between enterprises by identifying a security response by a first enterprise and then sharing the security response with a second enterprise when a relationship database profile for the first collection indicates the security response may be shared. Methods are also provided for determining whether to allow a request from an originating device where the request may have been initiated by a remote device.
Mahaffey teaches configuring one or more of a plurality of compute instances to use third party security resources for enforcement of security policies; however, just like Ray, Mahaffey fails to explicitly teach receiving an event stream including a plurality of event vectors from the plurality of compute instances at the threat management facility through the first interface; calculating a risk score for the plurality of compute instances based on a comparison of one or more event vectors of the plurality of event vectors in the event stream with an entity model, wherein the entity model is a vector representation of different events associated with an entity; adjusting privilege levels of the plurality of compute instances based on the risk score; providing metered access to the third party security resources by the plurality of compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances.
Therefore, the prior art of record, individually or in combination, does not teach or suggest the particular limitations listed below as recited in the claims.
“….receiving an event stream including a plurality of event vectors from the plurality of compute instances at the threat management facility through the first interface; calculating a risk score for the plurality of compute instances based on a comparison of one or more event vectors of the plurality of event vectors in the event stream with an entity model, wherein the entity model is a vector representation of different events associated with an entity; adjusting privilege levels of the plurality of compute instances based on the risk score; providing metered access to the third party security resources by the plurality of compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances”
None of the prior art of record, either taken individually or in any combination, would have anticipated or made obvious the invention of the instant application at or before the time it was filed.
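The statement above identifies the distinguishing elements only at the claim level. The following is an added illustration written for this page; it is not code from the application, the applicant, or the cited references (Ray, Mahaffey). It shows one way those elements fit together in working code: event vectors reported by compute instances over the first interface are stored and compared against a per-entity model, the comparison yields a risk score that adjusts the instance's privilege level, and a third-party resource reaches the event store over the third interface only after its identity is verified and its permissions and scope are checked, with every read metered for payment. The comparison metric (cosine distance), the event categories, the thresholds, the credential layout, the instance and vendor names, and the sample counts are all assumptions.

```python
import hmac
import math
from dataclasses import dataclass, field

# Fixed ordering of event kinds so every event vector has the same layout.
# Assumed categories, not a list taken from the application.
EVENT_TYPES = ("process_start", "network_connect", "file_write",
               "privilege_change", "login_failure")


def event_vector(counts):
    """Vector representation of one reporting window: a count per event type."""
    return [float(counts.get(t, 0)) for t in EVENT_TYPES]


def cosine_distance(a, b):
    """0.0 when the vectors point the same way, 1.0 when orthogonal."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:
        return 1.0  # an empty window carries no evidence of normal behaviour
    return min(1.0, max(0.0, 1.0 - dot / (na * nb)))  # clamp float noise


def risk_score(observed, entity_model):
    """Risk in [0, 100]: how far the observed vector sits from the entity model."""
    return round(100.0 * cosine_distance(observed, entity_model), 1)


def privilege_for(score):
    """Assumed policy: score thresholds map to a privilege level."""
    if score >= 60.0:
        return "quarantined"
    if score >= 25.0:
        return "reduced"
    return "full"


@dataclass
class ThreatManagementFacility:
    entity_models: dict                        # instance id -> model vector
    credentials: dict                          # third-party id -> token/permissions/scope
    event_store: dict = field(default_factory=dict)
    privileges: dict = field(default_factory=dict)
    meter: dict = field(default_factory=dict)  # (who, what) -> billable units

    def ingest(self, instance_id, counts):
        """First interface: store the event vector, score it, adjust privilege."""
        vec = event_vector(counts)
        self.event_store.setdefault(instance_id, []).append(vec)
        score = risk_score(vec, self.entity_models[instance_id])
        self.privileges[instance_id] = privilege_for(score)
        return score

    def _authorize(self, party, token, permission, instance_id):
        """Verify identity (constant-time token compare), then permission and scope."""
        cred = self.credentials.get(party)
        if cred is None or not hmac.compare_digest(cred["token"], token):
            raise PermissionError("identity not verified")
        if permission not in cred["permissions"] or instance_id not in cred["scope"]:
            raise PermissionError("identity lacks that permission for this instance")

    def query_event_store(self, party, token, instance_id):
        """Third interface: authenticated, scoped and metered read of stored vectors."""
        self._authorize(party, token, "read:events", instance_id)
        records = list(self.event_store.get(instance_id, []))
        key = (party, "event_store_reads")
        self.meter[key] = self.meter.get(key, 0) + len(records)
        return records

    def use_service(self, instance_id, party, action):
        """A compute instance consumes a registered third-party service; each
        use is metered so the provider can be paid for it."""
        if party not in self.credentials:
            raise LookupError("unregistered third-party resource")
        key = (instance_id, party)
        self.meter[key] = self.meter.get(key, 0) + 1
        return {"instance": instance_id, "provider": party, "action": action}


def demo():
    """Constructed sample: one workstation and one registered third-party resource."""
    tmf = ThreatManagementFacility(
        entity_models={"ws-01": event_vector({"process_start": 40, "network_connect": 30,
                                              "file_write": 20, "privilege_change": 1,
                                              "login_failure": 2})},
        credentials={"vendor-a": {"token": "tok-vendor-a-example",
                                  "permissions": {"read:events"},
                                  "scope": {"ws-01"}}})
    quiet = tmf.ingest("ws-01", {"process_start": 38, "network_connect": 32,
                                 "file_write": 19, "privilege_change": 1, "login_failure": 1})
    noisy = tmf.ingest("ws-01", {"process_start": 2, "network_connect": 10,
                                 "file_write": 1, "privilege_change": 30, "login_failure": 80})
    return tmf, quiet, noisy


if __name__ == "__main__":
    facility, q, n = demo()
    print(q, n, facility.privileges["ws-01"])
```

In the sample, the first window tracks the model closely and scores well under the "reduced" threshold; the second window, dominated by privilege changes and failed logins, scores above 60 and the instance is moved to "quarantined". A wrong token or a request for an instance outside the vendor's scope is refused before any data is read, so nothing is metered for it.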
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN, whose telephone number is (571)272-3522. The examiner can normally be reached 7AM-5PM EST, M-TH and alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MOHAMMAD W REZA/
Primary Examiner, Art Unit 2436

/MOEEN KHAN/
Examiner, Art Unit 2436