DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on July 19, 2022 has been entered.     
Response to Arguments
Claims 1, 13 and 18 have been amended. Claims 4-5, 7-8, 10, and 15 have been cancelled. No claim has been added. Therefore, claims 1-3, 6, 9, 11-14 and 16-20 are pending.
Claims 1-3, 6, 9, 11-14 and 16-20 are rejected over Milazzo, US Pat. No. 20200186569, in view of Thomas, US Pat. No. 10129290, in further view of Joseph, US Pat. No. 20180084012. The reasoning for obviousness is set out below.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6, 9, 11-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Milazzo, US Pat. No. 20200186569, in view of Thomas, US Pat. No. 10129290, in further view of Joseph, US Pat. No. 20180084012. (IDS submitted 2/25/2020)

Claims 1, 13, 18. The combination of Milazzo, Thomas and Joseph discloses a method, performed by one or more processors, (See abstract; The cognitive computing system processes the natural language content from the one or more corpora and the security event log data to identify attack characteristics applicable to the security event log data.) comprising: 
receiving a plurality of system event records; (See [0070]; input data 114 from electronic content sources 102 external to the monitored computing environment 104)
processing the plurality of system event records using a set of event detectors to determine that a suspicious system event associated with a first system has occurred; (See [0072]; That is, the knowledge extracted by the cognitive computing system 112 from external sources 114 may be combined with information extracted from internal sources 116 to identify attack characteristic 120 which may then be used along with specific customer/client information and/or monitored computing environment information to identify that particular security events detected in the monitored computing environment are actual attacks or threats)
in response to receiving the one or more properties selected by user input, initiating generation of one or more new event detectors based on the selected one or more properties selected by the user input; (See [0032]; a SIEM rule generator of the SIEM rules management system generates a new SIEM rule specifying the attack characteristics extracted from the ingested information)
and adding the one or more new event detectors to the set of event detectors. (See [0032]; the automatically generated SIEM rule generated by the SIEM may be stored in a SIEM rule repository)
Milazzo does not appear to explicitly disclose sending, to a client device, a plurality of properties associated with the first system, including one or more: event properties associated with the suspicious system event, properties of the first system, or vulnerability properties, wherein the plurality of properties are displayed on a user interface comprising a plurality of user interface elements corresponding to the plurality of properties;
However, Thomas discloses sending, to a client device, a plurality of properties associated with the first system, including one or more: event properties associated with the suspicious system event, properties of the first system, or vulnerability properties, wherein the plurality of properties are displayed on a user interface comprising a plurality of user interface elements corresponding to the plurality of properties; (See Thomas, col. 22, lines 45-50; the security alert may indicate an internal attack (i.e., event properties) that originates from inside the enterprise 708, for example, from a desktop 724. In other instances, the security alert may indicate an external attack (i.e., event properties) that originates from outside the enterprise 708, for example, from the Internet 704. Operation 1308 may be executed following operation 1304. See col. 25, lines 33-39; if one or more icons turn red, then the analyst knows there are negative findings on the IP/URL in question (i.e., properties), then when the analyst hovers over the icon he/she will see more summary information appear, like the name of the source of the negative finding within a particular category (i.e., properties). When the analyst then clicks on/selects the icon, they will be taken to a full report of the information (i.e., properties). See col. 2, lines 45-55; further respond to the security threat by initiating at least one mapped preplanned response, the mapped preplanned response corresponding to a selection made by network security personnel. See also col. 4, lines 19-30; display a plurality of network security element icons in a network security map; display a plurality of cyber-security countermeasure icons in the network security map; receive user input that correlates at least one of the network security element icons (i.e., event properties) with at least one of the cyber-security countermeasure icons; see Fig. 14, a plurality of display panels)
Milazzo and Thomas are analogous art because they are from the same field of endeavor, which is intrusion detection. It would have been obvious to a person of ordinary skill in the art at the time the invention was made to modify the invention of Milazzo with the teaching of Thomas to include the display panels because it would have allowed enforcing policy updates to perimeter defense assets to block threat actors from causing further damage. (See Thomas, col. 1, lines 65-66)
The combination of Milazzo and Thomas does not explicitly disclose receiving, from the client device, user input of one or more user interface elements indicating a selected one or more properties of the plurality of properties;  
However, Joseph discloses receiving, from the client device, user input of one or more user interface elements indicating a selected one or more properties of the plurality of properties; (See Joseph, [0107]; FIGS. 12A and 12B illustrate an example of the UI 1205 for enabling an administrator to create one or more policies according to certain embodiments. In some embodiments, the administrator may decide to create one or more policies after observing anomalous activity using any of the UIs described herein. The administrator may specify a source 1210 for the policy by user ID, IP address, user ID, group designation, etc., or leave blank to specify the source 1210 to be any source. The administrator may specify the destination 1215 for the policy by hostname, target system name or ID, IP address, resource name, etc., or leave blank to specify the destination 1215 to be any destination. The administrator may specify an enforcement action 1220 for the policy. See also [0129])
Milazzo, Thomas and Joseph are analogous art because they are from the same field of endeavor, which is intrusion detection. It would have been obvious to a person of ordinary skill in the art at the time the invention was made to modify the invention of Milazzo and Thomas with the teaching of Joseph to include the user input because it would have allowed the new event detector to be created based on user information.

Claim 2. The combination of Milazzo, Thomas and Joseph discloses the method of claim 1, wherein the plurality of system event records comprise system log records. (See [0008]; and security event log data from a monitored computing environment.)

Claim 3. The combination of Milazzo, Thomas and Joseph discloses the method of claim 1, wherein the plurality of system event records comprise records generated by a security monitoring application. (See [0008]; and security event log data from a monitored computing environment.)

Claim 6. The combination of Milazzo and Thomas discloses the method of claim 1, wherein receiving the plurality of system event records comprises receiving a respective one or more system event records for each of a plurality of systems. (See [0070]; system 116 and system 114 events)

Claim 9. The combination of Milazzo, Thomas and Joseph discloses the method of claim 1, wherein the vulnerability properties indicate one or more known security vulnerabilities of the first system on which the suspicious system event occurred. (See [0070-0071] and [0048])

Claim 11. The combination of Milazzo, Thomas and Joseph discloses the method of claim 1, comprising:
receiving a second plurality of system event records; (See [0070]; event from external data 114 and internal data 114)
and determining a second one or more system event records of the second plurality of system event records to be indicative of an occurrence of a second suspicious system event based on the one or more new event detectors. (See [0070])

Claim 12. The combination of Milazzo, Thomas and Joseph discloses the method of claim 11, further comprising sending a plurality of properties associated with the second suspicious system event to the client device. (See [0074])

Claim 14. The combination of Milazzo, Thomas and Joseph discloses the computing system of claim 13, wherein the operations further comprise receiving an event descriptor, wherein the event descriptor comprises the plurality of properties associated with the suspicious system event. (See [0070])

Claim 16. The combination of Milazzo, Thomas and Joseph discloses the computing system of claim 13, wherein the vulnerability properties indicate one or more known security vulnerabilities of the first system on which the suspicious system event occurred. (See Thomas, col. 22, lines 45-50; the security alert may indicate an internal attack that originates from inside the enterprise 708, for example, from a desktop 724. In other instances, the security alert may indicate an external attack that originates from outside the enterprise 708, for example, from the Internet 704. Operation 1308 may be executed following operation 1304)

Claim 17. The combination of Milazzo, Thomas and Joseph discloses the computing system of claim 13, wherein the operations further comprise: receiving, from the server, a plurality of properties associated with a second suspicious system event, wherein the server has determined that the second suspicious system event has occurred based on one or more new event detectors, (See [0020], [0032], [0070], [0074])
and displaying the plurality of properties associated with the second suspicious system event. (See Thomas, col. 4, lines 19-30; display a plurality of network security element icons in a network security map; display a plurality of cyber-security countermeasure icons in the network security map; receive user input that correlates at least one of the network security element icons with at least one of the cyber-security countermeasure icons; see Fig. 14, a plurality of display panels)
Milazzo and Thomas are analogous art because they are from the same field of endeavor, which is intrusion detection. It would have been obvious to a person of ordinary skill in the art at the time the invention was made to modify the invention of Milazzo with the teaching of Thomas to include the display panels because it would have allowed enforcing policy updates to perimeter defense assets to block threat actors from causing further damage. (See Thomas, col. 1, lines 65-66)

Claim 19. The combination of Milazzo, Thomas and Joseph discloses the computer readable medium of claim 18, wherein the plurality of system event records comprise system log records. (See [0008]; and security event log data from a monitored computing environment.)

Claim 20. The combination of Milazzo, Thomas and Joseph discloses the computer readable medium of claim 18, wherein the plurality of system event records comprise records generated by a security monitoring application. (See [0008]; and security event log data from a monitored computing environment.)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Reuss, US 20190036864, title "Generating automated messages within messaging threads that facilitate digital signatures by verified users".

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSNEL JEUDY whose telephone number is (571)270-7476.  The examiner can normally be reached on M-F 10:00-8:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Arani T Taghi, can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Date: 8/11/2022

/JOSNEL JEUDY/Primary Examiner, Art Unit 2438