DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

 Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on July 27, 2022 has been entered. 
 
 3.	Applicant’s response filed on July 27, 2022 have been considered.  Claims 1, and 10 have been amended.  New claims 21-23 have been added.  Claims 6, and 17-18 have been canceled.  Claims 1-5, 7-16, and 19-23 are pending.  

Claim Rejections - 35 USC § 103

4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 1-5, 7, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Roundy et al. (U.S. 2017/0289178 A1), hereinafter “Roundy”, in view of Reybok et al. (U.S. 2015/0207813 A1), hereinafter “Reybok”, further in view of Persaud et al. (U.S. 2013/0042106 a1), hereinafter “Persaud”.
Referring to claim 1:
	 	Roundy teaches:
                      A method comprising: 
           receiving, by a master secure orchestration and automated response (SOAR) node of a managed security service provider (MSSP), a plurality of messages via a secure router coupling a computing environment of the MSSP in communication with respective computing environments of a plurality of customers of the MSSP, wherein the plurality of messages contain information regarding a plurality of alerts relating to network infrastructure of the plurality of customers (see Roundy, [0037] ‘a managed security service provider (“MSSP”)… may aggregate and/or normalize signature reports, or other notifications [i.e., a plurality of alerts from a plurality of customers ],’; [0045] ‘firewall [i.e., a secure router ]’; [0075] ‘multi-tenancy within a cloud-based computing…a server [i.e., a master SOAR node ]…tenants [i.e., the tenant SOAR nodes ]’); and 
            based on an investigation into an alert of the plurality of alerts relating to a network infrastructure of a customer of the plurality of customers, causing, by the master SOAR node, a workflow to be remotely executed by a tenant SOAR node of the plurality of tenant SOAR nodes within the computing environment of the customer of the plurality of customers (see Roundy, [0003] ‘(2) querying an association database with the signature report to deduce another signature report [i.e., investigating ]’; [0037] ‘a managed security service provider (“MSSP”) may function according to a MSSP workflow 402,’; [0042] ‘protective action may include…a remedial action such as …executing one or more cleaning or inoculation scripts or programs [i.e., ‘workflow’ ], enabling…one or more security measures [i.e. ‘workflow’ ]…(e.g., where one or more of these protective actions [i.e., ‘workflow’ ] are specifically prescribed and/or tailed to signature report 210 and/or signature report 212)’).
	Roundy further discloses sharing resources among tenants (see Roundy, [0075] ‘sharing…among multiple customers (i.e., tenants)’).
	However, Roundy does not disclose data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers, and wherein the information provided to the master SOAR node is controlled by data sharing policies.
	Roundy does not explicitly disclose the master SOAR node does not have inbound network connectivity to the computing environment of the customer.
 	Reybok discloses data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers and wherein the information provided to the master SOAR node is controlled by data sharing policies (see Reybok, [0055] ‘client-provided rules…sharing policy …sharing of queries and/or response data…’; [0033] ‘each query and/or any provided results are sanitized, to strip some or all information identifying a reporting client, directly or indirectly. ... In another embodiment, these functions [i.e., sanitizing, stripping some identifying information ] can be partially or fully performed on a client portal (e.g., ACP).’).
	In addition, Reybok further discloses a secure router (see Reybok, ‘routes this information to one or more other clients based on profile information’).
	 	It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Reybok into the system of Roundy to include data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers.  Roundy teaches "methods for detecting security threats.” (see Roundy, [0017]).  Therefore, Reybok’s teaching could enhance the system of Roundy, because Reybok teaches “techniques systems for pooling and filtering security threat data across multiple, diverse networks.” (see Reybok, [0025]).
	Persaud discloses the master SOAR node does not have inbound network connectivity to the computing environment of the customer (see Persaud, fig. 4, where management server 20(1) [i.e., the master SOAR node] does not have inbound network connectivity to client 30(1) [i.e., the computing environment of the customer ] ).
           It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Persaud into the system of Roundy so that the master SOAR node does not have inbound network connectivity to the computing environment of the customer.  Roundy teaches "methods for detecting security threats.” (see Roundy, [0017]).  Therefore, Persaud’s teaching could enhance the system of Roundy, because Persaud discloses “secure routers 15(1) and 15(2) are authenticated by server 20 and are registered to a specific access group. … Due to the subsequent authentications of clients during data file storage or retrieval, separation and confidentiality of data files between the two enterprises 105(1) and 105(2) may be maintained.” (see Persaud, [0049]). 
Referring to claims 2:
		Roundy, Reybok, and Persaud further disclose:
		wherein remote execution of the workflow by the tenant SOAR node causes a network security device within the computing environment of the customer to perform an action (see Roundy, [0042] ‘protective action may include…a remedial action such as …executing one or more cleaning or inoculation scripts or programs [i.e., where executing ‘scripts or programs’ corresponding to ‘workflow’ ], enabling…one or more security measures…(e.g., where one or more of these protective actions are specifically prescribed and/or tailed to signature report 210 and/or signature report 212)’).
Referring to claims 3:
		Roundy, Reybok, and Persaud further disclose:
           wherein the network security device comprises a firewall and wherein the action is blocking of network traffic (see Roundy, [0049] ‘not blocked, blocked,’. Additionally, Reybok, [0030] ‘block a suspicious IP address’; [0037] ‘automatically block traffic associated with a specific IP address’).
Referring to claims 4:
		Roundy, Reybok, and Persaud further disclose:
           wherein the network security device comprises an intrusion detection system and wherein the action is providing additional information regarding the alert (see Roundy, [0079] ‘intrusion detection and prevention systems’. Additionally, Reybok, [0073] ‘intrusion monitoring or detection service (IDS)’).
Referring to claims 5:
		Roundy, Reybok, and Persaud further disclose:
          wherein the network security device comprises a Security Information and Event Management (SIEM) system and wherein the action is providing additional information regarding the alert (see Reybok, [0034] ‘a security incident management system (“SEIMS”)’).
             It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Reybok into the system of Roundy to include a security information and event management system (SIEM).  Roundy teaches "methods for detecting security threats.” (see Roundy, [0017]).  Therefore, Reybok’s teaching could enhance the system of Roundy,  because Reybok teaches “techniques systems for pooling and filtering security threat data across multiple, diverse networks.” (see Reybok, [0025]).
Referring to claims 7:
		Roundy, Reybok, and Persaud further disclose:
	wherein the workflow is triggered responsive to a workflow on the master SOAR node in support of an analyst of the MSSP performing a generic investigation relating to the alert (see Roundy, [0030] ‘investigate’).
Referring to claim 19:
		Roundy, Reybok, and Persaud further disclose:
		wherein a first information from a first customer of the plurality of customers excludes data from a given field based upon the data sharing policies of the first customer, and wherein a second information from a second customer of the plurality of customers includes data from the given field based upon the data sharing policies of the second customer (see Reybok, [0055] ‘client-provided rules…sharing policy …sharing of queries and/or response data…’; [0033] ‘each query and/or any provided results are sanitized, to strip some or all information identifying a reporting client, directly or indirectly. ... In another embodiment, these functions [i.e., sanitizing, stripping some identifying information ] can be partially or fully performed on a client portal (e.g., ACP).’).
           It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Reybok into the system of Roundy to include data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers.  Roundy teaches "methods for detecting security threats.” (see Roundy, [0017]).  Therefore, Reybok’s teaching could enhance the system of Roundy, because Reybok teaches “techniques systems for pooling and filtering security threat data across multiple, diverse networks.” (see Reybok, [0025]).

6.	Claims 10-16, and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Roundy et al. (U.S. 2017/0289178 A1), hereinafter “Roundy”, in view of Reybok et al. (U.S. 2015/0207813 A1), hereinafter “Reybok”, further in view of Toepke et al. (U.S. 2018/0027071 A1), hereinafter “Toepke”.
Referring to claim 10:
	 	Roundy teaches:
                      a master secure orchestration and automated response (SOAR) node within a computing environment of a managed security service provider (MSSP) (see Roundy, [0037] ‘a managed security service provider (“MSSP”) may function according to a MSSP workflow 402,’); 
           a plurality of tenant SOAR nodes within respective computing environments of a plurality of customers of the MSSP ([0075] ‘multi-tenancy within a cloud-based computing…a server [i.e., a master SOAR node ]…tenants [i.e., the tenant SOAR nodes ]’); 
            a secure router logically interposed between the master SOAR node and the plurality of tenant SOAR nodes (see Roundy, [0045] ‘firewall [i.e., a secure router ]’;); and wherein the master SOAR node performs a method comprising:           
            receiving, by a master secure orchestration and automated response (SOAR) node of a managed security service provider (MSSP), a plurality of messages via a secure router coupling a computing environment of the MSSP in communication with respective computing environments of a plurality of customers of the MSSP, wherein the plurality of messages contain information regarding a plurality of alerts relating to network infrastructure of the plurality of customers (see Roundy, [0037] ‘a managed security service provider (“MSSP”)… may aggregate and/or normalize signature reports, or other notifications [i.e., a plurality of alerts from a plurality of customers ],’; [0045] ‘firewall [i.e., a secure router ]’; [0075] ‘multi-tenancy within a cloud-based computing…a server [i.e., a master SOAR node ]…tenants [i.e., the tenant SOAR nodes ]’); and
            based on an investigation into an alert of the plurality of alerts relating to a network infrastructure of a customer of the plurality of customers, causing, by the master SOAR node, a workflow to be remotely executed by a tenant SOAR node of the plurality of tenant SOAR nodes within the computing environment of the customer of the plurality of customers (see Roundy, [0003] ‘(2) querying an association database with the signature report to deduce another signature report [i.e., investigating ]’; [0037] ‘a managed security service provider (“MSSP”) may function according to a MSSP workflow 402,’; [0042] ‘protective action may include…a remedial action such as …executing one or more cleaning or inoculation scripts or programs, enabling…one or more security measures…(e.g., where one or more of these protective actions are specifically prescribed and/or tailed to signature report 210 and/or signature report 212)’).
	Roundy further discloses sharing resources among tenants (see Roundy, [0075] ‘sharing…among multiple customers (i.e., tenants)’).
	However, Roundy does not disclose data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers, and wherein the information provided to the master SOAR node is controlled by data sharing policies.
           Roundy does not disclose guaranteeing delivery of at least a portion of the plurality of messages by storing unsent messages for one of the plurality of tenant SOAR nodes in the local database of the one of the plurality of tenant SOAR nodes during periods of loss of connectivity with the secure router. 
 	Reybok discloses data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers and wherein the information provided to the master SOAR node is controlled by data sharing policies (see Reybok, [0055] ‘client-provided rules…sharing policy …sharing of queries and/or response data…’; [0033] ‘each query and/or any provided results are sanitized, to strip some or all information identifying a reporting client, directly or indirectly. ... In another embodiment, these functions [i.e., sanitizing, stripping some identifying information ] can be partially or fully performed on a client portal (e.g., ACP).’).
	In addition, Reybok further discloses a router (see Reybok, ‘routes this information to one or more other clients based on profile information’).
           Toepke discloses guaranteeing delivery of at least a portion of the plurality of messages by storing unsent messages for one of the plurality of tenant SOAR nodes in the local database of the one of the plurality of tenant SOAR nodes during periods of loss of connectivity with the secure router (see Toepke, [0086] ‘the request may specify guaranteed delivery, whereby a copy of the message is temporarily persisted in a database or other origination client storage while ascertaining the ability of the endpoint client to receive the message by acknowledging receipt, at which point the copy of the message is erased from the database.’). 
             It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Toepke into the system of Roundy to provide guaranteed delivery of messages. Roundy teaches "methods for detecting security threats.” (see Roundy, [0017]).  Therefore, Toepke’s teaching could enhance the system of Roundy, because Toepke discloses “the request may specify quality of service in the communication between endpoints.” (see Toepke, [0086]).
Referring to claim 11:
		Roundy, Reybok, and Toepke further disclose:
		wherein remote execution of the workflow by the tenant SOAR node causes a network security device within the computing environment of the customer to perform an action (see Roundy, [0042] ‘protective action may include…a remedial action such as …executing one or more cleaning or inoculation scripts or programs [i.e., where executing ‘scripts or programs’ corresponding to ‘workflow’ ], enabling…one or more security measures…(e.g., where one or more of these protective actions are specifically prescribed and/or tailed to signature report 210 and/or signature report 212)’).
Referring to claim 12:
		Roundy, Reybok, and Toekpe further disclose:
           wherein the network security device comprises a firewall and wherein the action is blocking of network traffic (see Roundy, [0049] ‘not blocked, blocked,’. Additionally, Reybok, [0030] ‘block a suspicious IP address’; [0037] ‘automatically block traffic associated with a specific IP address’).
Referring to claim 13:
		Roundy, Reybok, and Toepke further disclose:
           wherein the network security device comprises an intrusion detection system and wherein the action is providing additional information regarding the alert (see Roundy, [0079] ‘intrusion detection and prevention systems’. Additionally, Reybok, [0073] ‘intrusion monitoring or detection service (IDS)’).
 Referring to claim 14:
		Roundy, Reybok, and Toepke further disclose:
          wherein the network security device comprises a Security Information and Event Management (SIEM) system and wherein the action is providing additional information regarding the alert (see Reybok, [0034] ‘a security incident management system (“SEIMS”)’).
             It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Reybok into the system of Roundy to include a security information and event management system (SIEM).  Roundy teaches "methods for detecting security threats.” (see Roundy, [0017]).  Therefore, Reybok’s teaching could enhance the system of Roundy,  because Reybok teaches “techniques systems for pooling and filtering security threat data across multiple, diverse networks.” (see Reybok, [0025]). 
 Referring to claim 15:
		Roundy, Reybok, and Toepke further disclose:
		wherein the master SOAR node need not have inbound network connectivity to the computing environment of the customer (see Roundy, [0070] ‘a communication interface, such as communication interface 522 in FIG. 5, may be used to provide connectivity between each client system 610, 620, and 630 and network 650.’. And, Reybok, [0084] ‘other identifier (e.g., associated with inbound or outbound traffic)’).
             It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Reybok into the system of Roundy to include only outbound network connectivity. Roundy teaches "methods for detecting security threats.” (see Roundy, [0017]).  Therefore, Reybok’s teaching could enhance the system of Roundy,  because Reybok teaches “techniques systems for pooling and filtering security threat data across multiple, diverse networks.” (see Reybok, [0025]).
Referring to claim 16:
		Roundy, Reybok, and Toepke further disclose:
	wherein the workflow is triggered responsive to a workflow on the master SOAR node in support of an analyst of the MSSP performing a generic investigation relating to the alert (see Roundy, [0030] ‘investigate’).
Referring to claim 20:
		Roundy, Reybok, and Toepke further disclose:
		wherein a first information from a first customer of the plurality of customers excludes data from a given field based upon the data sharing policies of the first customer, and wherein a second information from a second customer of the plurality of customers includes data from the given field based upon the data sharing policies of the second customer (see Reybok, [0055] ‘client-provided rules…sharing policy …sharing of queries and/or response data…’; [0033] ‘each query and/or any provided results are sanitized, to strip some or all information identifying a reporting client, directly or indirectly. ... In another embodiment, these functions [i.e., sanitizing, stripping some identifying information ] can be partially or fully performed on a client portal (e.g., ACP).’).
           It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Reybok into the system of Roundy to include data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers.  Roundy teaches "methods for detecting security threats.” (see Roundy, [0017]).  Therefore, Reybok’s teaching could enhance the system of Roundy, because Reybok teaches “techniques systems for pooling and filtering security threat data across multiple, diverse networks.” (see Reybok, [0025]).
Referring to claim 21:
	Roundy teaches:
A system comprising: 
           a master secure orchestration and automated response (SOAR) node within a computing environment of a managed security service provider (MSSP) (see Roundy, [0037] ‘a managed security service provider (“MSSP”)… may aggregate and/or normalize signature reports, or other notifications [i.e., a plurality of alerts from a plurality of customers ],’; [0075] ‘multi-tenancy within a cloud-based computing…a server [i.e., a master SOAR node ]…tenants [i.e., the tenant SOAR nodes ]’); 
           a plurality of tenant SOAR nodes within respective computing environments of a plurality of customers of the MSSP (see Roundy, [0037] ‘a managed security service provider (“MSSP”)… may aggregate and/or normalize signature reports, or other notifications [i.e., a plurality of alerts from a plurality of customers ],’ [0075] ‘multi-tenancy within a cloud-based computing…a server [i.e., a master SOAR node ]…tenants [i.e., the tenant SOAR nodes ]’); 
           a secure router logically interposed between the master SOAR node and the plurality of tenant SOAR nodes, wherein a respective local database is implemented within the secure router; and wherein the master SOAR node performs a method comprising (see Roundy, [0037] ‘a managed security service provider (“MSSP”)… may aggregate and/or normalize signature reports, or other notifications [i.e., a plurality of alerts from a plurality of customers ],’; [0045] ‘firewall [i.e., a secure router ]’; [0075] ‘multi-tenancy within a cloud-based computing…a server [i.e., a master SOAR node ]…tenants [i.e., the tenant SOAR nodes ]’): 
           receiving a plurality of messages via the secure router, wherein the plurality of messages contain information regarding a plurality of alerts relating to network infrastructure of the plurality of customers (see Roundy, [0037] ‘a managed security service provider (“MSSP”)… may aggregate and/or normalize signature reports, or other notifications [i.e., a plurality of alerts from a plurality of customers ],’; [0045] ‘firewall [i.e., a secure router ]’; [0075] ‘multi-tenancy within a cloud-based computing…a server [i.e., a master SOAR node ]…tenants [i.e., the tenant SOAR nodes ]’); and
           based on an investigation into an alert of the plurality of alerts relating to a network infrastructure of a customer of the plurality of customers, causing a workflow to be remotely executed by a tenant SOAR node of the plurality of tenant SOAR nodes within the computing environment of the customer of the plurality of customers (see Roundy, [0003] ‘(2) querying an association database with the signature report to deduce another signature report [i.e., investigating ]’; [0037] ‘a managed security service provider (“MSSP”) may function according to a MSSP workflow 402,’; [0042] ‘protective action may include…a remedial action such as …executing one or more cleaning or inoculation scripts or programs, enabling…one or more security measures…(e.g., where one or more of these protective actions are specifically prescribed and/or tailed to signature report 210 and/or signature report 212)’).
            Roundy further discloses sharing resources among tenants (see Roundy, [0075] ‘sharing…among multiple customers (i.e., tenants)’).
	However, Roundy does not disclose data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers, and wherein the information provided to the master SOAR node is controlled by data sharing policies.
           Roundy does not disclose guaranteeing delivery of at least a portion of the plurality of messages by storing unsent messages for one of the plurality of tenant SOAR nodes in the local database of the one of the plurality of tenant SOAR nodes during periods of loss of connectivity with the secure router. 
 	Reybok discloses data sharing policies implemented by a plurality of tenant SOAR nodes within the respective computing environments of the plurality of customers and wherein the information provided to the master SOAR node is controlled by data sharing policies (see Reybok, [0055] ‘client-provided rules…sharing policy …sharing of queries and/or response data…’; [0033] ‘each query and/or any provided results are sanitized, to strip some or all information identifying a reporting client, directly or indirectly. ... In another embodiment, these functions [i.e., sanitizing, stripping some identifying information ] can be partially or fully performed on a client portal (e.g., ACP).’).
	In addition, Reybok further discloses a router (see Reybok, ‘routes this information to one or more other clients based on profile information’).
           Toepke discloses guaranteeing delivery of at least a portion of the plurality of messages by storing unsent messages for one of the plurality of tenant SOAR nodes in the local database of the one of the plurality of tenant SOAR nodes during periods of loss of connectivity with the secure router (see Toepke, [0086] ‘the request may specify guaranteed delivery, whereby a copy of the message is temporarily persisted in a database or other origination client storage while ascertaining the ability of the endpoint client to receive the message by acknowledging receipt, at which point the copy of the message is erased from the database.’). 
             It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Toepke into the system of Roundy to provide guaranteed delivery of messages. Roundy teaches "methods for detecting security threats.” (see Roundy, [0017]).  Therefore, Toepke’s teaching could enhance the system of Roundy, because Toepke discloses “the request may specify quality of service in the communication between endpoints.” (see Toepke, [0086]). 

7.	Claims 8-9, and 22-23 is rejected under 35 U.S.C. 103 as being unpatentable over Roundy et al. (U.S. 2017/0289178 A1), in view of Reybok et al. (U.S. 2015/0207813 A1), in view of Persaud et al. (U.S. 2013/0042106 a1), further in view of Toepke et al. (U.S. 2018/0027071 A1). 
Referring to claims 8:
		Roundy, Reybok, and Persaud further suggest:
          wherein guaranteed delivery of the plurality of messages is facilitated by implementation of a local database by each of the plurality of tenant SOAR nodes into which unsent messages of the plurality of messages are stored during periods of loss of connectivity with the secure router (see Roundy, fig. 5, 120 ‘database’; [0067] ‘client systems 610…such as exemplary computing system 510 in fig. 5.’).
	However, they do not elaborate on guaranteed delivery.
           Toepke discloses guaranteeing delivery of at least a portion of the plurality of messages by storing unsent messages for one of the plurality of tenant SOAR nodes in the local database of the one of the plurality of tenant SOAR nodes during periods of loss of connectivity with the secure router (see Toepke, [0086] ‘the request may specify guaranteed delivery, whereby a copy of the message is temporarily persisted in a database or other origination client storage while ascertaining the ability of the endpoint client to receive the message by acknowledging receipt, at which point the copy of the message is erased from the database.’). 
             It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Toepke into the system of Roundy to provide guaranteed delivery of messages. Roundy teaches "methods for detecting security threats.” (see Roundy, [0017]).  Therefore, Toepke’s teaching could enhance the system of Roundy, because Toepke discloses “the request may specify quality of service in the communication between endpoints.” (see Toepke, [0086]). 
Referring to claims 9:
		Roundy, Reybok, and Persaud further suggest:
          wherein guaranteed delivery of the plurality of messages is facilitated by implementation of a local database within the secure router into which undelivered messages of the plurality of messages are stored during periods of loss of connectivity with the master SOAR node (see Roundy, [0067] ‘servers 640 and 645 generally represent computing devices or systems, such as application servers or database servers, configured to provide various database services and/or run certain software applications.’).
However, they do not elaborate on guaranteed delivery.
           Toepke discloses guaranteeing delivery of at least a portion of the plurality of messages by storing unsent messages for one of the plurality of tenant SOAR nodes in the local database of the one of the plurality of tenant SOAR nodes during periods of loss of connectivity with the secure router (see Toepke, [0086] ‘the request may specify guaranteed delivery, whereby a copy of the message is temporarily persisted in a database or other origination client storage while ascertaining the ability of the endpoint client to receive the message by acknowledging receipt, at which point the copy of the message is erased from the database.’). 
             It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Toepke into the system of Roundy to provide guaranteed delivery of messages. Roundy teaches "methods for detecting security threats.” (see Roundy, [0017]).  Therefore, Toepke’s teaching could enhance the system of Roundy, because Toepke discloses “the request may specify quality of service in the communication between endpoints.” (see Toepke, [0086]). 
Referring to claims 22-23:
	Roundy, Reybok, and Toepke disclose or suggest the limitations as described in claim 21.  However, they do not disclose the master SOAR node does not have inbound network connectivity to the computing environment of the customer.
           Persaud discloses the master SOAR node does not have inbound network connectivity to the computing environment of the customer (see Persaud, fig. 4, where management server 20(1) [i.e., the master SOAR node] does not have inbound network connectivity to client 30(1) [i.e., the computing environment of the customer ] ).
           It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Persaud into the system of Roundy so that the master SOAR node does not have inbound network connectivity to the computing environment of the customer.  Roundy teaches "methods for detecting security threats.” (see Roundy, [0017]).  Therefore, Persaud’s teaching could enhance the system of Roundy, because Persaud discloses “secure routers 15(1) and 15(2) are authenticated by server 20 and are registered to a specific access group. … Due to the subsequent authentications of clients during data file storage or retrieval, separation and confidentiality of data files between the two enterprises 105(1) and 105(2) may be maintained.” (see Persaud, [0049]).  

Response to Arguments
8.	Applicant's arguments filed July 27, 2022 have been fully considered.  Independent claims have been amended to include new limitations.  However, upon further consideration, a new grounds of rejection is being made in view of Persuade and Toepke.  Applicant’s arguments are moot due to the new grounds of rejection.

Conclusion

9.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
 (a)	KROCHIK; Ghenya et al. (US 20190166088 A1) disclose internet of things (iot) mediation and adaptation secure application gateway;
(b)	ALMOHAMEDH; Hamad (US 20170019454 A1) disclose mobile video quality prediction systems and methods;
(c)	Verzun; Ievgen et al. (US 20160219024 A1) disclose Secure Dynamic Communication Network And Protocol;
(d)	O'Hare; Mark S. et al. (US 20160150047 A1) disclose gateway for cloud-based secure storage;
(e)	Charan; Deborah K. et al. (US 20160057116 A1) disclose method for network communication past encryption devices;
(f)	ORSINI; RICK L. et al. (US 20110202755 A1) disclose systems and methods for securing data in motion;
(g)	Mastel; Missy Sue (US 20070027919 A1) disclose Dispute resolution processing method and system.

 10.       Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571) 272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
           If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
           Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/PEILIANG PAN/Examiner, Art Unit 2492                                                                                                                                                                                                        



/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492