DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The text of those sections of Title 35 U.S. Code not included in this section can be found in the prior office action.
The prior office actions are incorporated herein by reference, in particular the observations with respect to claim language and the response to previously presented arguments.
Claims 1-5, 7-14 and 16-20, now renumbered as claims 1-18, have been examined. 

EXAMINER’S AMENDMENT
Authorization for this examiner’s amendment was given in an interview with Mr. Ryan Fortin on 07/29/2022.
Claims 1, 10-13, 17, 19 and 20 have been amended as follows:
1. (Currently Amended) A computer-implemented method comprising: 
storing a plurality of use case records in a use case repository, wherein each use case record provides a diagnostic definition of a security threat to a Security Incident and Event Management (SIEM) environment; 
storing, in a metadata store, metadata for a plurality of attributes of subscribers to the SIEM environment; 
storing use cases that the subscribers have deployed from the use case repository; and 
setting up a new subscriber, wherein setting up the new subscriber comprises: 
receiving a set of attributes of the new subscriber; 
searching [[a]] the metadata store to identify subscribers with attributes that are similar to the set of attributes; and 
selecting an initial set of use cases for the new subscriber based on use cases deployed by the identified subscribers and subscriber containers with a log of use case history, wherein the log of use case history includes which use cases have been offered for deployment and rejected.

10. (Currently Amended) A system having one or more computer processors and a memory, the system configured to: 
store a plurality of use case records in a use case repository, wherein each use case record provides a diagnostic definition of a security threat to a Security Incident and Event Management (SIEM) environment; 
store, in a metadata store, metadata for a plurality of attributes of subscribers to the SIEM environment; 
store use cases that the subscribers have deployed from the use case repository; and 
set up a new subscriber, wherein setting up the new subscriber comprises: 
receiving a set of attributes of the new subscriber; 
searching [[a]] the metadata store to identify subscribers with attributes that are similar to the set of attributes; and 
selecting an initial set of use cases for the new subscriber based on use cases deployed by the identified subscribers and subscriber containers with a log of use case history, wherein the log of use case history includes which use cases have been offered for deployment and rejected.

11. (Currently Amended) The system of claim 10, wherein [[the]] an initial configuration module is configured to supply the initial set of use cases to a SIEM management user interface for the new subscriber, wherein the SIEM management user interface comprises user controls configured to allow a system administrator to approve and reject the use cases for deployment in the new subscriber's SIEM environment.

12. (Currently Amended) The system of claim 10, wherein [[the]] an initial configuration module is configured to deploy the initial set of use cases in the SIEM environment.

13. (Currently Amended) The system of claim 10, wherein [[the]] an initial configuration module comprises a page ranking algorithm to search the metadata store to identify the subscribers with common attributes.

17. (Currently Amended) The system of claim 16, wherein [[the]] an ongoing configuration module supplies the updated set of use cases to a SIEM management user interface for the particular existing subscriber, the SIEM management user interface comprising user controls configured to allow a system administrator to approve and reject the use cases for deployment in the existing subscriber's SIEM environment.

19. (Currently Amended) The system of claim 16, wherein [[the]] an ongoing configuration module comprises a cosine similarity algorithm for computing the similarity values between pairs of existing subscribers.

20. (Currently Amended) A computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a server to cause the server to perform a method, the method comprising: 
storing a plurality of use case records in a use case repository, wherein each use case record provides a diagnostic definition of a security threat to a Security Incident and Event Management (SIEM) environment; 
storing, in a metadata store, metadata for a plurality of attributes of subscribers to the SIEM environment; 
storing use cases that the subscribers have deployed from the use case repository; and 
setting up a new subscriber, wherein setting up the new subscriber comprises: 
receiving a set of attributes of the new subscriber; 
searching [[a]] the metadata store to identify subscribers with attributes that are similar to the set of attributes; and 
selecting an initial set of use cases for the new subscriber based on use cases deployed by the identified subscribers and subscriber containers with a log of use case history, wherein the log of use case history includes which use cases have been offered for deployment and rejected.

Allowable Subject Matter
Claims 1-5, 7-14 and 16-20 are allowed over prior art of record.

Response to Arguments
Applicant’s arguments, see Remarks filed on 07/21/2022, have been fully considered.

Examiner's Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
Independent claims 1, 10 and 20 are allowed in view of the examiner’s amendment and for reasons presented by the applicant in the Remarks. Claims 2-5, 7-9, 11-14 and 16-19 depend on one of the above independent claims and are, therefore, allowed by virtue of their dependency.
Prior art of record Reybok teaches: When a network registers with a central service, various metadata related to the subscribing network is stored in a datastore of the central service. Security-related events detected by various networks that are subscribers of the central service are reported to the security event incident management service (SEIMS) of the central service. The central service logs the events in a database. The central service stores one or more remedial measures that have been reported or proven to be successful against a particular threat by subscribers. The central service provides remedial measures to the reporting network to counteract possible threats based on stored data. When a new network reports a threat to the central service, the profile information of the network is acquired. The central service correlates the threat from the new network with information stored in the database. The results that are obtained are further filtered to limit results to threats reported by entities having a profile matching at least one characteristic of the new network. Based on the correlation and filtering, remedial measures that are discovered to be useful in defeating the reported threat are ranked in terms of their efficacy and provided to the new network.
Prior art of record Morikawa teaches: A list of clients that are subject to security diagnosis is stored in an asset management database. Further, a table is stored for each client that includes a history of information identifying the various virus definition patterns provided to the client along with antivirus software corresponding to the virus definition ID and version information of the anti-virus software.
However, Reybok and Morikawa fail to teach: “wherein the log of use case history includes which use cases have been offered for deployment and rejected”, i.e., the prior art references teach a history of use cases that have been deployed (offered and accepted) to the clients but fail to teach use cases that have been offered for deployment but rejected.
None of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
	
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438