Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Introduction
This office action is in response to Applicant’s communication filed on 11/17/2020. Claims 1-20 have been examined. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/17/2020 has been considered by the examiner.

Drawing Objections
The drawing of the disclosure is objected to because of the following informalities:
Figures 18-39 are blurry.
Appropriate correction is required.

Claim Objections
The disclosure is objected to because of the following informalities:
Claim 8 is objected to because abbreviations are not defined. The claim is directed to the abbreviation "the CASB". The abbreviation should be defined where it is first used in the claim.
Claim 8 is also objected to because there is insufficient antecedent basis for the limitation "the CASB" in the claim.
Appropriate correction is required. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-3, 5, 7-10, 12, 14-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Zorlular et al. Publication No. US 2018/0183827 A1 (Zorlular hereinafter) in view of Sharma et al. Publication No. US 2017/0223029 A1 (Sharma hereinafter).

Regarding claim 1,
Zorlular teaches a non-transitory computer-readable storage medium having computer-readable code stored thereon for programming one or more processors associated with a […] system to perform steps of:
responsive to a scan by the […] system (Para 0067 - the warning system comprises a monitor device 150 that can use the enterprise network to acquire various indicators such as DLP logs from the data loss prevention server 192, application firewall logs 162 from the application firewall 160 protecting a web server 164, intranet logs 171 from the intranet server 170, email logs 172 from the email server 173, proxy logs 182 from the proxy server 152, intrusion detection system logs 198 from an intrusion detection system server 196, etc) of a plurality of users associated with a tenant in a Software-as-a-Service (SaaS) application (Para 0105 - FIG. 7 illustrates a user interface 1100 of the warning system in which a view of a list of users associated with the applications; and Para 0132 - user interface data necessary for generating the user interface may be provided by the server computing system to the browser, where the user interface may be generated (e.g., the user interface data may be executed by a browser accessing a web service and may be configured to render the user interfaces based on the user interface data). The user may then interact with the user interface through the web-browser. User interfaces of certain implementations may be accessible through one or more dedicated software applications) where the scan includes identifying malware in content in the SaaS application (Para 0071 - The intrusion detection system may make available intrusion detection system logs 198, which may comprise indicators related to potential attempts to exploit software or hardware vulnerabilities, network traffic originating from malware) and performing Data Loss Prevention (DLP) in the content in the SaaS application (Para 0067 - The user devices 178, 179 may be running Data Loss Prevention (DLP) software that stores and sends to the DLP server information about certain acts potentially in violation of a company's DLP (data loss prevention) policy, such as copying of data onto a removable storage medium), maintaining records associated with a plurality of incidents for the malware and the DLP (Para 0084 - If the risk estimate exceeds the threshold, an alert is generated to indicate to an analyst information regarding a probably cyber-attack against the resource. For example, the alert may comprise information about the time and date that the suspicious activity occurred, what resource is being put at risk, what users, what servers and what type of services are involved in the suspicious activity, and what the estimated risk is. In block 216 the one or more alerts as generated in block 214 are submitted into an alert queue 158 from where they can be presented to an analyst).
providing a User Interface (UI) for the tenant including an analytics view with a plurality of summary tiles including visualizations of the plurality of incidents (Para 0084 - Alert queue 158 may be implemented as a list within an application from which alerts can be retrieved and displayed; and Para 0096 - Referring to FIG. 5, example user interface 900 includes a historical risk graph 902, a risk trend indicator 908, a system risk graph 916, a resource list 914, an event counter 912, a highest risk system indicator 906, an alert counter 917, a last refresh field 903, and a total risk score indicator 904) for the malware and the DLP for the tenant (Para 0099 - The alerts and events filter field 1018 accepts text input from the analyst and allows him to filter the alerts and events being displayed. For example, the analyst may enter the type of a specific suspicious activity to filter the alerts displayed. Advantageously, this allows the analyst to investigate certain types of activity related to a cyber-attack against a resource in greater detail, so information associated to the malware and the DLP may also be displayed and viewed when entered information in the filter field 1018 is to be related to the malware and DLP).
providing the UI for the tenant including a table listing any of the plurality of incidents for the malware and the DLP for the tenant, including any of unique data objects, unique users internal to the tenant, and unique external entities, associated with the plurality of incidents (Para 0096 - Referring to FIG. 5, example user interface 900 includes a table listing any of the plurality of incidents 914. The resource list 914 comprises a resource name column 922, a risk score column 924, an alert life column 926, an alert count column 928, an event count column 930, a top risk indicator column 932, and a cyber risk quantifier column 934; and Para 0099 - The alerts and events filter field 1018 accepts text input from the analyst and allows him to filter the alerts and events being displayed. For example, the analyst may enter the type of a specific suspicious activity to filter the alerts displayed. Advantageously, this allows the analyst to investigate certain types of activity related to a cyber-attack against a resource in greater detail, so information associated to the malware and the DLP may also be displayed and viewed when entered information in the filter field 1018 is to be related to the malware and DLP).
While Zorlular teaches a monitor device 150 for identifying malware and Data Loss Prevention (DLP) in the content in the SaaS application, Zorlular does not explicitly disclose that the identifying is performed by
a Cloud Access Security Broker (CASB) system. 
However, Sharma teaches:
a Cloud Access Security Broker (CASB) system (Para 0070-0072 - distributed security system 710 is a multi-tenant system servicing multiple customers, such as in a public cloud. The distributed security system 710 is configured as an inline proxy system monitoring all traffic between the CDN network and the origin server. As such, the distributed security system 710 can employ various monitoring techniques such as for malware, spyware, viruses, email spam, Data Leakage Prevention (DLP), content filtering, etc.). 
Zorlular and Sharma are analogous art because they are from a similar field of endeavor in the malware and data loss prevention monitoring techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zorlular to include the teachings of Sharma. The motivation for doing so is to perform by a cloud node in a cloud distributed security system to detect one or more of malware and data leakage in the traffic based on the policy (Sharma, Abstract).
- 29 -DOCS 123144-014UT1/2670836.1
Regarding claim 2, the non-transitory computer-readable storage medium of claim 1,
Zorlular teaches
wherein the steps further include providing the UI for the tenant to onboard a plurality of SaaS applications including the SaaS application (Para 0105 - FIG. 7 illustrates an example user interface 1100 of the warning system in which a view of the applications as well as a list of users associated with a given application are presented).


Regarding claim 3, the non-transitory computer-readable storage medium of claim 1,
Zorlular does not explicitly disclose
wherein the steps further include providing the UI for the tenant to configure policies for the DLP and for the malware for the SaaS application. 
However, Sharma teaches:
wherein the steps further include providing the UI for the tenant to configure policies for the DLP and for the malware for the SaaS application (Para 0026 - The user interface front-end 130 may provide a user interface through which users of the external systems may provide and define security policies). 
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zorlular to include the teachings of Sharma. The motivation for doing so is to perform by a cloud node in a cloud distributed security system to detect one or more of malware and data leakage in the traffic based on the policy.
Regarding claim 5, the non-transitory computer-readable storage medium of claim 1,
Zorlular teaches
wherein the SaaS application is one of a plurality of SaaS applications for the tenant, and wherein the visualizations include a table listing the plurality of incidents associated with the plurality of SaaS applications (Para 0105 - FIG. 7 illustrates an example user interface 1100 of the warning system in which a view of the applications as well as a list of users associated with a given application are presented. Specifically, in the related servers table 1112, information is being displayed about what computer resources are associated with a given application, in the type column 1114, the type of the computer resource such as an application is identified, in the host column 1116, the name of the host on which the application is located is identified and in the IP column 1118, the internet protocol (IP) address of the host associated with the given application is identified).


Regarding claim 7, the non-transitory computer-readable storage medium of claim 1,
Zorlular teaches
wherein the visualizations include a line chart illustrating the plurality of incidents over time (Para 0084 - Alert queue 158 may be implemented as a list within an application from which alerts can be retrieved and displayed; and Para 0096 - Referring to FIG. 5, example user interface 900 includes a historical risk which shows a graphical representation of the overall risk across all resources monitored by the warning system over time).


Regarding claim 8,
Zorlular teaches a method comprising:
responsive to a scan by the […] system (Para 0067 - the warning system comprises a monitor device 150 that can use the enterprise network to acquire various indicators such as DLP logs from the data loss prevention server 192, application firewall logs 162 from the application firewall 160 protecting a web server 164, intranet logs 171 from the intranet server 170, email logs 172 from the email server 173, proxy logs 182 from the proxy server 152, intrusion detection system logs 198 from an intrusion detection system server 196, etc) of a plurality of users associated with a tenant in a Software-as-a-Service (SaaS) application (Para 0105 - FIG. 7 illustrates a user interface 1100 of the warning system in which a view of a list of users associated with the applications; and Para 0132 - user interface data necessary for generating the user interface may be provided by the server computing system to the browser, where the user interface may be generated (e.g., the user interface data may be executed by a browser accessing a web service and may be configured to render the user interfaces based on the user interface data). The user may then interact with the user interface through the web-browser. User interfaces of certain implementations may be accessible through one or more dedicated software applications) where the scan includes identifying malware in content in the SaaS application (Para 0071 - The intrusion detection system may make available intrusion detection system logs 198, which may comprise indicators related to potential attempts to exploit software or hardware vulnerabilities, network traffic originating from malware) and performing Data Loss Prevention (DLP) in the content in the SaaS application, maintaining records associated with a plurality of incidents for the malware and the DLP (Para 0084 - If the risk estimate exceeds the threshold, an alert is generated to indicate to an analyst information regarding a probably cyber-attack against the resource. For example, the alert may comprise information about the time and date that the suspicious activity occurred, what resource is being put at risk, what users, what servers and what type of services are involved in the suspicious activity, and what the estimated risk is. In block 216 the one or more alerts as generated in block 214 are submitted into an alert queue 158 from where they can be presented to an analyst).
providing a User Interface (UI) for the tenant including an analytics view with a plurality of summary tiles including visualizations of the plurality of incidents (Para 0084 - Alert queue 158 may be implemented as a list within an application from which alerts can be retrieved and displayed; and Para 0096 - Referring to FIG. 5, example user interface 900 includes a historical risk graph 902, a risk trend indicator 908, a system risk graph 916, a resource list 914, an event counter 912, a highest risk system indicator 906, an alert counter 917, a last refresh field 903, and a total risk score indicator 904) for the malware and the DLP for the tenant (Para 0099 - The alerts and events filter field 1018 accepts text input from the analyst and allows him to filter the alerts and events being displayed. For example, the analyst may enter the type of a specific suspicious activity to filter the alerts displayed. Advantageously, this allows the analyst to investigate certain types of activity related to a cyber-attack against a resource in greater detail, so information associated to the malware and the DLP may also be displayed and viewed when entered information in the filter field 1018 is to be related to the malware and DLP).
providing the UI for the tenant including a table listing any of the plurality of incidents for the malware and the DLP for the tenant, including any of unique data objects, unique users internal to the tenant, and unique external entities, associated with the plurality of incidents (Para 0096 - Referring to FIG. 5, example user interface 900 includes a table listing any of the plurality of incidents 914. The resource list 914 comprises a resource name column 922, a risk score column 924, an alert life column 926, an alert count column 928, an event count column 930, a top risk indicator column 932, and a cyber risk quantifier column 934; and Para 0099 - The alerts and events filter field 1018 accepts text input from the analyst and allows him to filter the alerts and events being displayed. For example, the analyst may enter the type of a specific suspicious activity to filter the alerts displayed. Advantageously, this allows the analyst to investigate certain types of activity related to a cyber-attack against a resource in greater detail, so information associated to the malware and the DLP may also be displayed and viewed when entered information in the filter field 1018 is to be related to the malware and DLP).
While Zorlular teaches a monitor device 150 for identifying malware and Data Loss Prevention (DLP) in the content in the SaaS application, Zorlular does not explicitly disclose that the monitoring and detecting are performed by
the CASB system. 
However, Sharma teaches:
the CASB system (Para 0070-0072 - distributed security system 710 is a multi-tenant system servicing multiple customers, such as in a public cloud. The distributed security system 710 is configured as an inline proxy system monitoring all traffic between the CDN network and the origin server. As such, the distributed security system 710 can employ various monitoring techniques such as for malware, spyware, viruses, email spam, Data Leakage Prevention (DLP), content filtering, etc.). 
Zorlular and Sharma are analogous art because they are from a similar field of endeavor in the malware and data loss prevention monitoring techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zorlular to include the teachings of Sharma. The motivation for doing so is to perform by a cloud node in a cloud distributed security system to detect one or more of malware and data leakage in the traffic based on the policy (Sharma, Abstract).
Regarding claims 9-10,
Claims 9-10 are analyzed and interpreted as a method of claims 2-3.

Regarding claim 12,
Claim 12 is analyzed and interpreted as a method of claim 5.

Regarding claim 14,
Claim 14 is analyzed and interpreted as a method of claim 7.



Regarding claim 15,
Zorlular teaches a system associated with a […] system, comprising: one or more processors and memory storing instructions that, when executed, cause the one or more processors to:
responsive to a scan by the […] system (Para 0067 - the warning system comprises a monitor device 150 that can use the enterprise network to acquire various indicators such as DLP logs from the data loss prevention server 192, application firewall logs 162 from the application firewall 160 protecting a web server 164, intranet logs 171 from the intranet server 170, email logs 172 from the email server 173, proxy logs 182 from the proxy server 152, intrusion detection system logs 198 from an intrusion detection system server 196, etc) of a plurality of users associated with a tenant in a Software-as-a-Service (SaaS) application (Para 0105 - FIG. 7 illustrates a user interface 1100 of the warning system in which a view of a list of users associated with the applications; and Para 0132 - user interface data necessary for generating the user interface may be provided by the server computing system to the browser, where the user interface may be generated (e.g., the user interface data may be executed by a browser accessing a web service and may be configured to render the user interfaces based on the user interface data). The user may then interact with the user interface through the web-browser. User interfaces of certain implementations may be accessible through one or more dedicated software applications) where the scan includes identifying malware in content in the SaaS application (Para 0071 - The intrusion detection system may make available intrusion detection system logs 198, which may comprise indicators related to potential attempts to exploit software or hardware vulnerabilities, network traffic originating from malware) and performing Data Loss Prevention (DLP) in the content in the SaaS application, maintain records associated with a plurality of incidents for the malware and the DLP (Para 0084 - If the risk estimate exceeds the threshold, an alert is generated to indicate to an analyst information regarding a probably cyber-attack against the resource. For example, the alert may comprise information about the time and date that the suspicious activity occurred, what resource is being put at risk, what users, what servers and what type of services are involved in the suspicious activity, and what the estimated risk is. In block 216 the one or more alerts as generated in block 214 are submitted into an alert queue 158 from where they can be presented to an analyst).
provide a User Interface (UI) for the tenant including an analytics view with a plurality of summary tiles including visualizations of the plurality of incidents (Para 0084 - Alert queue 158 may be implemented as a list within an application from which alerts can be retrieved and displayed; and Para 0096 - Referring to FIG. 5, example user interface 900 includes a historical risk graph 902, a risk trend indicator 908, a system risk graph 916, a resource list 914, an event counter 912, a highest risk system indicator 906, an alert counter 917, a last refresh field 903, and a total risk score indicator 904) for the malware and the DLP for the tenant (Para 0099 - The alerts and events filter field 1018 accepts text input from the analyst and allows him to filter the alerts and events being displayed. For example, the analyst may enter the type of a specific suspicious activity to filter the alerts displayed. Advantageously, this allows the analyst to investigate certain types of activity related to a cyber-attack against a resource in greater detail, so information associated to the malware and the DLP may also be displayed and viewed when entered information in the filter field 1018 is to be related to the malware and DLP).
provide the UI for the tenant including a table listing any of the plurality of incidents for the malware and the DLP for the tenant, including any of unique data objects, unique users internal to the tenant, and unique external entities, associated with the plurality of incidents (Para 0096 - Referring to FIG. 5, example user interface 900 includes a table listing any of the plurality of incidents 914. The resource list 914 comprises a resource name column 922, a risk score column 924, an alert life column 926, an alert count column 928, an event count column 930, a top risk indicator column 932, and a cyber risk quantifier column 934; and Para 0099 - The alerts and events filter field 1018 accepts text input from the analyst and allows him to filter the alerts and events being displayed. For example, the analyst may enter the type of a specific suspicious activity to filter the alerts displayed. Advantageously, this allows the analyst to investigate certain types of activity related to a cyber-attack against a resource in greater detail, so information associated to the malware and the DLP may also be displayed and viewed when entered information in the filter field 1018 is to be related to the malware and DLP).
While Zorlular teaches a monitor device 150 for identifying malware and Data Loss Prevention (DLP) in the content in the SaaS application, Zorlular does not explicitly disclose that the monitoring and detecting are performed by
a Cloud Access Security Broker (CASB) system. 
However, Sharma teaches:
a Cloud Access Security Broker (CASB) system (Para 0070-0072 - distributed security system 710 is a multi-tenant system servicing multiple customers, such as in a public cloud. The distributed security system 710 is configured as an inline proxy system monitoring all traffic between the CDN network and the origin server. As such, the distributed security system 710 can employ various monitoring techniques such as for malware, spyware, viruses, email spam, Data Leakage Prevention (DLP), content filtering, etc.). 
Zorlular and Sharma are analogous art because they are from a similar field of endeavor in the malware and data loss prevention monitoring techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zorlular to include the teachings of Sharma. The motivation for doing so is to perform by a cloud node in a cloud distributed security system to detect one or more of malware and data leakage in the traffic based on the policy (Sharma, Abstract).
Regarding claims 16-17,
Claims 16-17 are analyzed and interpreted as a system of claims 2-3.

Regarding claim 19,
Claim 19 is analyzed and interpreted as a system of claim 5.

Regarding claim 20,
Claim 20 is analyzed and interpreted as a system of claim 7.



Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Zorlular in view of Sharma, and further in view of Miller et al. Publication No. US 2018/0267947 A1 (Miller hereinafter).

Regarding claim 4, the non-transitory computer-readable storage medium of claim 1,
Zorlular does not explicitly disclose
wherein the steps further include responsive to a selection of any entry in the table, providing a popup listing details associated with the corresponding incident. 
However, Miller teaches:
wherein the steps further include responsive to a selection of any entry in the table, providing a popup listing details associated with the corresponding incident (Para 0308 - By selecting section 3210 on record 3220, GUI 3200B may display more information associated with that portion of event record 3220. By employing embodiments described above, box 3212 may pop-up and/or open to display more information that are associated with section 3210 of event record 3220). 
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zorlular to include the teachings of Miller. The motivation for doing so is to increase website's traffic.
Regarding claim 11,
Claim 11 is analyzed and interpreted as a method of claim 4.

Regarding claim 18,
Claim 18 is analyzed and interpreted as a system of claim 4.



Claims 6 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Zorlular in view of Sharma, and further in view of Newman et al. Publication No. US 2018/0191771 A1 (Newman hereinafter).

Regarding claim 6, the non-transitory computer-readable storage medium of claim 1,
While Zorlular teaches one or more visualizations include information of the plurality of incidents, Zorlular does not explicitly disclose
wherein the visualizations include one or more pie charts illustrating the plurality of incidents. 
However, Newman teaches:
wherein the visualizations include one or more pie charts illustrating the plurality of incidents (Para 0044 - Detected threats 510 may present graphically and textually types of threats detected such as malware, viruses, phishing, scams, etc.; and Para 0047 - The visualizations may include graphic representations such as bar charts, pie charts, maps, and other representations, wherein the users may change the graphic representation, etc.). 
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zorlular to include the teachings of Newman. The motivation for doing so is to enable users to see an incident comparison at a glance to make an immediate analysis or to understand information quickly.
Regarding claim 13,
Claim 13 is analyzed and interpreted as a method of claim 6.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DA T. TON whose telephone number is (571)272-9956. The examiner can normally be reached Mon-Fri (9am-5pm).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A. Louie can be reached on 571-270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/DA T TON/Acting Patent Examiner of Art Unit 2445

/YOUNES NAJI/Primary Examiner, Art Unit 2445