DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
The instant application, filed 05/07/2018, does not claim priority.
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. Authorization for this examiner’s amendment was given in an interview with JOHN DAMRON on 08/02/21. The application has been amended as follows: 
1.	(Currently Amended)	A method comprising:
accessing data representing a state of an investigation, wherein: 
the investigation is associated with a security analyst and a potential security threat to a computer system, 
the data representing the state of the investigation comprises a result of an investigative step performed during the investigation, and
the result of the investigative step performed during the investigation comprises one or more of a host internet protocol associated with the investigation, a step taken by the security analyst, a query submitted in the investigation, a comparative analysis performed by the security analyst, data gathered during the investigation, a time line considered by the security analyst, a filtering parameter used by the security analyst, and a field set considered by the security analyst;
applying the result of the investigative step performed during the investigation as an input to a machine learning engine trained on observed investigations;
processing, with the machine learning engine, the result of the investigative step performed during the investigation;
generating, with the machine learning engine, a recommendation based on the result of the investigative step performed during the investigation, wherein the recommendation comprises a next investigative step of the investigation; 
displaying the recommendation comprising the next investigative step of the investigation on a graphical user interface (GUI) associated with the security analyst; and
training the machine learning engine based on an action taken by the security analyst in response to the recommendation, wherein training the machine learning engine based on the action taken by the security analyst comprises training the machine learning engine based on whether the recommendation was accepted or rejected.  
		
2.	(Previously Presented) The method of claim 1, wherein processing the result of the investigative step performed during the investigation using the machine learning engine comprises determining a next action to be taken by the security analyst in the investigation.

3.	(Previously Presented) The method of claim 1, wherein processing the result of the investigative step performed during the investigation using the machine learning engine comprises determining a timeline for a chart displayed on the GUI.

4.	(Previously Presented) The method of claim 1, wherein processing the result of the investigative step performed during the investigation using the machine learning engine comprises determining a type of chart to be displayed on the GUI.

5.	(Previously Presented) The method of claim 1, wherein processing the result of the investigative step performed during the investigation using the machine learning engine comprises determining a layout parameter of a chart to be displayed on the GUI.

6.	(Previously Presented) The method of claim 1, wherein processing the result of the investigative step performed during the investigation using the machine learning engine comprises determining, for a query to be submitted in the investigation, one or more of:  an internet protocol (IP) address associated with the query to be submitted in the investigation, a time line associated with the query to be submitted in the investigation, filter criteria associated with the query to be submitted in the investigation, a host name associated with the query to be submitted in the investigation, and a user name associated with the query to be submitted in the investigation.

7.	(Previously Presented) The method of claim 1, further comprising:
	displaying an option to accept or reject the recommendation on the GUI; and
	automatically configuring the GUI based on the recommendation in response to a response received from the security analyst indicating acceptance of the recommendation.

8.	(Canceled)

9.	(Canceled)

10.	(Currently Amended) The method of claim [[8]]1, wherein training the machine learning engine based on the action taken by the security analyst comprises training the machine learning engine based on the security analyst modifying the recommendation. 

11.	(Currently Amended)	A non-transitory machine-readable storage medium storing instructions that, when executed by a machine, cause the machine to:
access data representing a state of an investigation, wherein: 
the investigation is associated with a security analyst and a potential security threat to a computer system, 
the data representing the state of the investigation comprises a result of an investigative step performed during the investigation, and
the result of the investigative step performed during the investigation comprises one or more of a host internet protocol associated with the investigation, a step taken by the security analyst, a query submitted in the investigation, a comparative analysis performed by the security analyst, data gathered during the investigation, a time line considered by the security analyst, a filtering parameter used by the security analyst, and a field set considered by the security analyst; 
apply the result of the investigative step performed during the investigation as an input to a machine learning engine trained on observed investigations;
process, with the machine learning engine, the result of the investigative step performed during the investigation;	
generate, with the machine learning engine, a recommendation based on the result of the investigative step performed during the investigation, wherein the recommendation comprises a next investigative step for the investigation; 
display the recommendation comprising the next investigative step of the investigation on a graphical user interface (GUI) associated with the security analyst; and
train the machine learning engine based on an action taken by the security analyst in response to the recommendation, wherein train the machine learning engine based on the action taken by the security analyst comprises training the machine learning engine based on whether the recommendation was accepted or rejected.

12-14.	(Cancelled)	
	
15.	(Previously Presented)	The storage medium of claim 11, wherein the instructions, when executed by the machine, further cause the machine to train the machine learning engine to recommend a query for the next investigative step of the investigation.

16.	(Currently Amended)	A first computer system comprising:
at least one processor; and
a storage medium storing instructions that, when executed by the at least one processor, cause the at least one processor to:
access data representing a state of an investigation, wherein: 
the investigation is associated with a security analyst and a potential security threat to a second computer system, 
the data representing the state of the investigation comprises a result of an investigative step performed during the investigation, and
the result of the investigative step comprises one or more of a host internet protocol associated with the investigation, a step taken by the security analyst, a query submitted in the investigation, a comparative analysis performed by the security analyst, data gathered during the investigation, a time line considered by the security analyst, a filtering parameter used by the security analyst, and a field set considered by the security analyst;
apply the result of the investigative step performed during the investigation as an input to a machine learning engine trained on observed investigations;
process, with the machine learning engine, the result of the investigative step performed during the investigation;
generate, with the machine learning engine, a recommendation based on the result of the investigative step performed during the investigation, wherein the recommendation comprises a next investigative step of the investigation; 
display the recommendation comprising the next investigative step of the investigation on a graphical user interface (GUI) associated with the security analyst; and
train the machine learning engine based on an action taken by the security analyst in response to the recommendation, wherein train the machine learning engine based on the action taken by the security analyst comprises training the machine learning engine based on whether the recommendation was accepted or rejected.

17.	(Cancelled)	

18.	(Previously Presented) The first computer system of claim 16, wherein the instructions, when executed by the at least one processor, further cause the at least one processor to train the machine learning engine based on modification of the recommendation by the security analyst.

19.	(Previously Presented) The first computer system of claim 16, wherein the instructions, when executed by the at least one processor, further cause the at least one processor to train the machine learning engine based on an observed analyst response to the recommendation.

20.	(Previously Presented) The first computer system of claim 16, wherein displaying the recommendation comprises displaying a chart visualization. 

21.	(Previously Presented) The storage medium of claim 11, wherein processing the result of the investigative step performed during the investigation using the machine learning engine comprises determining a next action to be taken by the security analyst in the investigation.

22.	(Previously Presented) The storage medium of claim 11, wherein processing the result of the investigative step performed during the investigation using the machine learning engine comprises determining a timeline for a chart displayed on the GUI.

23.	(Previously Presented) The storage medium of claim 11, wherein processing the result of the investigative step performed during the investigation using the machine learning engine comprises determining a type of chart to be displayed on the GUI.

24.	(Previously Presented) The first computer system of claim 16, wherein processing the result of the investigative step performed during the investigation using the machine learning engine comprises determining a next action to be taken by the security analyst in the investigation.

Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance:
The prior art of record does not teach or fairly suggest in combination of steps as recited in the Applicant’s independent claims as amended, accessing data representing a state of an investigation, wherein: the investigation is associated with a security analyst and a potential security threat to a computer system, the data representing the state of the investigation comprises a result of an investigative step performed during the investigation, and the result of the investigative step performed during the investigation comprises one or more of a host internet protocol associated with the investigation, a step taken by the security analyst, a query submitted in the investigation, a comparative analysis performed by the security analyst, data gathered during the investigation, a time line considered by the security analyst, a filtering parameter used by the security analyst, and a field set considered by the security analyst; applying the result of the investigative step performed during the investigation as an input to a machine learning engine trained on observed investigations; processing, with the machine learning engine, the result of the investigative step performed during the investigation; generating, with the machine learning engine, a recommendation based on the result of the investigative step performed during the investigation, wherein the recommendation comprises a next investigative step of the investigation; displaying the recommendation comprising the next investigative step of the investigation on a graphical user interface (GUI) associated with the security analyst; and training the machine learning engine based on an action taken by the security analyst in response to the recommendation, wherein training the machine learning engine based on the action taken by the security analyst comprises training the machine learning engine based on whether the recommendation was accepted or rejected.
The dependent claims, being definite, further limiting, and fully enabled by the specification are also allowed.


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987. The examiner can normally be reached from 8:30 to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 1-571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498