Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
1.	This action is responsive to the communication filed on 29 July 2022, with acknowledgement of the original application filed on 17 April 2020.
2.	Claims 1-20 are currently pending.  Claims 1, 7, and 16 are independent claims. 
Claims 1, 6, 7, 10, 16, and 18, have been amended.  
Response to Arguments

3.	Applicant's arguments filed 29 July 2022 have been fully considered; however, they are not persuasive, as noted below.  The § 101 rejection as well as the § 112 rejections are removed in view of the amendments and/or arguments submitted.  On 14 October 2022 the Examiner and the attorney of record, John Ogilvie, held an interview to discuss the rejection below; no agreement was reached (see the attached Interview Summary).
I)	In response to Applicant’s argument beginning on page 9, “Section 103. As discussed during the interview, the claims involve training or using a machine learning model to predict an alert-incident grouping action.  Predicting an alert-incident grouping action is different than predicting an alert or generating an alert.  Review of the five cited references with regard to “group” fails to identify any teaching using machine learning to predict alert-incident grouping actions”.
	The Examiner disagrees with the argument.  The references cited clearly teach training a machine learning model to predict security incidents; see Roundy/’902 Abstract and paragraphs 18-23 and 45.  Note that the “security management server” described in Roundy/’902, which aggregates a collection of security events, is trained to predict security incidents or alert-incident grouping actions.  In addition, Roundy/’902 clearly uses machine learning to train the security management server; see paragraphs 21-22.  Also, Roundy/’902 states in paragraph 45: “Alternatively, in another embodiment, if there is a ground truth set available, the confidence score component 202 provides the information to the learning component 204, which inputs the information into a machine learning algorithm in order to train a security incident detection model”.  This description in paragraph 45 clearly teaches/suggests that the purpose of the Roundy/’902 invention is to train a module to detect security incidents.  All of the cited references are related to machine learning or to training a module to predict security incidents.  In addition to the paragraphs cited above from Roundy/’902, please review Hertzog/’909 paragraphs 7 and 62-64, which show a training mode, as well as Brdiczka/’195 paragraphs 8, 23, 36-37, and 39, which use a training model.  Humphrey/’782 uses the term machine learning throughout the disclosure and is directed to an “Artificial Intelligence Research Assistant for Cybersecurity Analysis”, as the title implies.  Furthermore, Joyce/’809 uses machine learning techniques/engines throughout the disclosure for input to a risk model or risk analysis.  Therefore, the Applicant’s arguments are not persuasive; all of the cited references use some form of a training/learning method to train models or machines.
II)	In response to Applicant’s argument beginning on page 9, “To promote compact prosecution, Applicant also respectfully directs attention to the difference between training a machine learning model based on historic alert-incident grouping action, per Applicant’s claims, and training a model based on a kill chain, e.g., the MITRE ATT&CK kill chain approach noted in the Elitzur reference submitted in the 6/28/2021 IDS.  Kill chain approaches are discussed and distinguished in Applicant’s specification at [0024-0025] and [0084]”.
	The Examiner disagrees with the argument.  The applied references clearly teach the argued limitation: ‘historic alert-incident grouping’ is taught/suggested in paragraph 23 of Roundy/’902.  Below is a comparison of Roundy/’902 paragraph 23 alongside paragraph 25 of the Applicant’s disclosure.
APPLICANT’S ¶ 25:
By contrast, some embodiments described herein provide personalized incident generation based on a customer's historic manual investigation actions. Some embodiments perform automatic incident creation or modification per customer, and per a customer's specific custom data. Some embodiments allow users to create an incident for various kinds of data and alerts, including custom data and custom alerts. An embodiment may learn user actions from previous investigations made by an organization's security analysts, for example, and use that knowledge to group newly arriving alerts to incidents based on the alerts' relationships to the learned prior grouping actions.

Roundy/’902 ¶ 23:
In one embodiment, once a security incident is detected (e.g., using the thresholds, etc.), the security management server provides a system analyst with a list of the security events associated with the security incident, along with the evidence that supports each security event. Once the security management server receives an indication of the type of feedback (e.g., a response, no response, etc.) from the analyst, the security management server refines at least one of the set of thresholds or the evidence set, based on the type of analyst feedback.

Note that both “inventions” customize the alerts based on user actions.  In the Roundy/’902 reference the analyst is interpreted as equivalent to the user.  

In addition, paragraphs 3, 21-22, 24, 45, and 84-85 of the Applicant’s disclosure use the term security information and event management tool (SIEM) and explain how the invention is enhanced by using the user’s actions from previous investigations.  Likewise, the Roundy/’902 reference uses the SIEM term in paragraphs 4-6, 19, 25-26, and 33 and explains how improvements are needed.  In addition, the Humphrey/’782 reference also uses the SIEM term in paragraph 4, explaining how improvements are needed.  Therefore, the Applicant’s arguments are not persuasive.

Claim Rejections – 35 USC § 103
4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


5.	Claims 1-4, 7-8, 10-12, and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over Roundy et al. U.S. Patent Application Publication No. U.S. 2017/0093902 (hereinafter ‘902) in view of Humphrey et al. U.S. Patent Application Publication No. 2019/0260782 (hereinafter ‘782).
	As to independent claim 1, “A machine learning model training system which predictively groups cybersecurity alerts with cybersecurity incidents based on historic grouping actions, the system comprising: a digital memory; and a processor in operable communication with the memory, the processor configured to perform machine learning model training steps, the steps including collecting a plurality of digital representations of alert-incident grouping actions previously received in a tool user interface presented to an analyst” is taught in ‘902 Abstract, paragraphs 21-23 and 45;
	“submitting at least a portion of the plurality to a machine learning model as training data, and training the machine learning model such that the model predicts an alert-incident grouping action” is shown in ‘902 paragraphs 24, and 27-28;

the following is not explicitly taught in ‘902:
	“each representation including an entity identifier, an alert identifier, an incident identifier, an action indicator, and an action time” however ‘782 teaches a user interface module that represents alerts and/or events with a horizontal time axis, scale indicator of the threat risk assigned, as well as various identifiers and indicators (i.e. color) for various devices in paragraph 80.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the detecting of security incidents taught in ‘902 to provide a representation including an entity identifier, an alert identifier, an incident identifier, an action indicator, and an action time.  One of ordinary skill in the art would have been motivated to perform such a modification because, in cyber security environments, the tools currently used are insufficient in the new age of cyber threats, including email, viruses, trojan horses, and worms that can subtly cause harm to a network.
	As to dependent claim 2, “The system of claim 1, wherein the digital representations of alert-incident grouping actions further comprise incident classifications” is taught in ‘902 Abstract and paragraph 28.
	As to dependent claim 3, “The system of claim 1, wherein the entity identifiers identify at least four of the following kinds of entity: account, malware, process, file, file hash, registry key, registry value, network connection, IP address, host, host logon session, application, cloud application, domain name, cloud resource, security group, uniform resource locator, mailbox, mailbox cluster, mail message, network entity, cloud entity, computing device, or Internet of Things device” is shown in ‘782 paragraphs 35-36, 53, and 68.
	As to dependent claim 4, “The system of claim 1, wherein the action indicators indicate at least one of the following alert-incident grouping actions by the analyst: adding an alert to an incident; removing an alert from an incident; merging at least two incidents into a single incident; or dividing an incident into at least two incidents” is disclosed in ‘902 paragraph 37.
	As to independent claim 7, “A machine learning model training method of predictively grouping cybersecurity alerts with cybersecurity incidents based on historic grouping actions, the method comprising: collecting a plurality of digital representations of alert-incident grouping actions” is taught in ‘902 Abstract, paragraphs 21-23 and 45;
	“and submitting at least a portion of the plurality to a machine learning model as training data, thereby training the machine learning model in alert-incident grouping action prediction” is shown in ‘902 paragraphs 24, and 27-28; the following is not explicitly taught in ‘902:
	“each representation including an entity identifier, an alert identifier, an incident identifier, an action indicator, and an action time” however ‘782 teaches a user interface module that represents alerts and/or events with a horizontal time axis, scale indicator of the threat risk assigned, as well as various identifiers and indicators (i.e. color) for various devices in paragraph 80.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the detecting of security incidents taught in ‘902 to provide a representation including an entity identifier, an alert identifier, an incident identifier, an action indicator, and an action time.  One of ordinary skill in the art would have been motivated to perform such a modification because, in cyber security environments, the tools currently used are insufficient in the new age of cyber threats, including email, viruses, trojan horses, and worms that can subtly cause harm to a network; see ‘782 paragraphs 4-5.
	As to dependent claim 8, “The method of claim 7, further comprising using the trained machine learning model to predictively group an alert with an incident” is taught in ‘902 paragraphs 34 and 36.
	As to dependent claim 10, “The method of claim 7, wherein collecting the plurality of digital representations of alert-incident grouping actions includes collecting data from at least one of the following: an investigation graph; an investigation data structure; a log of investigative actions taken by at least one human user while investigating an alert; an incident handling data structure; or a log of incident-handling actions taken by at least one human user while handling an incident” is shown in ‘902 paragraphs 6, and 45-46.
	As to dependent claim 11, “The method of claim 7, wherein collecting includes collecting data from a log of human user activity which grouped alerts with incidents” is disclosed in ‘902 paragraphs 45-46.
	As to dependent claim 12, “The method of claim 7, wherein collecting includes collecting data from activity which responded to an alert that is based on a custom rule” is taught in ‘902 paragraphs 45-46.
	As to dependent claim 14, “The method of claim 7, wherein collecting includes collecting data corresponding to an activity in which an alert was implicitly grouped with an incident” is shown in ‘902 Abstract and paragraph 28.
	As to dependent claim 15, “The method of claim 7, further comprising inputting to the trained machine learning model an incident identifier which identifies an incident, and receiving from the trained model an alert identifier which identifies an alert that was not previously grouped with the incident” is disclosed in ‘902 paragraph 37.
	As to independent claim 16, “A computer-readable storage medium configured with data and instructions which upon execution by a processor cause a computing system to perform a method using a trained machine learning model to predictively group a cybersecurity alert with a cybersecurity incident based on historic grouping actions, the method comprising: getting an alert” is taught in ‘902 Abstract, paragraphs 21-23, 27 and 45;
	“sending the alert to a trained machine learning model, the model having been trained with training data that includes a plurality of digital representations of alert-incident grouping actions performed by one or more people as opposed to grouping based on a rules data structure” is shown in ‘902 paragraphs 34 and 37;
	“and receiving at least one of the following incident updates from the trained model in response to the sending: an alert-incident grouping which groups the alert with an incident, an incident merger which identifies an incident which was created by merging two incidents, or an incident division which identifies at least two incidents which were created by dividing an incident” is disclosed in ‘902 paragraph 37; the following is not explicitly taught in ‘902:
	“each representation including an entity identifier, an alert identifier, an incident identifier, an action indicator, and an action time” however ‘782 teaches a user interface module that represents alerts and/or events with a horizontal time axis, scale indicator of the threat risk assigned, as well as various identifiers and indicators (i.e. color) for various devices in paragraph 80.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the detecting of security incidents taught in ‘902 to provide a representation including an entity identifier, an alert identifier, an incident identifier, an action indicator, and an action time.  One of ordinary skill in the art would have been motivated to perform such a modification because, in cyber security environments, the tools currently used are insufficient in the new age of cyber threats, including email, viruses, trojan horses, and worms that can subtly cause harm to a network.
	As to dependent claim 17, “The storage medium of claim 16, further comprising transmitting the incident update to a security information and event management tool” is taught in ‘902 paragraphs 37 and 46.
	As to dependent claim 18, “The storage medium of claim 16, wherein the machine learning model has been trained with training data that includes a plurality of digital representations of alert-incident grouping actions corresponding to activities in which an alert was explicitly grouped with an incident by a person” is shown in ‘902 paragraphs 35-37 and 45-47.
	As to dependent claim 19, “The storage medium of claim 16, wherein the computing system performs the method at a performance level of at least twenty-five thousand incident updates per minute” is disclosed in ‘782 paragraph 120.
	As to dependent claim 20, “The storage medium of claim 16, wherein the incident update includes a confidence level that is associated with the alert-incident grouping or the incident merger or the incident division which is also part of the incident update” is taught in ‘902 paragraphs 35-37.
6.	Claims 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Roundy et al. U.S. Patent Application Publication No. U.S. 2017/0093902 (hereinafter ‘902) in view of Humphrey et al. U.S. Patent Application Publication No. 2019/0260782 (hereinafter ‘782) in further view of Hertzog et al. U.S. Patent Application Publication No. 2007/0118909 (hereinafter ‘909).
	As to dependent claim 5, the following is not explicitly taught in ‘902 and ‘782: “The system of claim 1, wherein the training data includes a tuple with components that include a current entity identifier, an optional entity identifier, and a chosen entity identifier, and wherein the optional entity identifier identifies an entity presented to the analyst but not chosen by the analyst”; however, ‘909 teaches that each connection may be described with an n-tuple element wherein the administrator is to categorize, filter, and visualize the components of the anomaly in paragraphs 48-51.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the detecting of security incidents taught in ‘902 and ‘782 to include a tuple from which the analyst can choose which identifiers are presented.  One of ordinary skill in the art would have been motivated to perform such a modification to improve on existing methods, making it easier for administrators (i.e., analysts) to decide on an appropriate action for system alarms; see paragraphs 3-11 and 14.
	As to dependent claim 6, “The system of claim 1, wherein the action indicator indicates an action was performed by an actor at the action time, and the system is configured to train the machine learning model using at least one of the following nonempty training data subsets: a data subset defined at least in part by a limitation on the action time; a data subset defined at least in part by a limitation on which actor performed the action; a data subset defined at least in part by a limitation on which cloud tenant performed or authorized the action; a data subset defined at least in part by a limitation on which customer performed or authorized the action; or a data subset defined at least in part by a limitation on which computing environment the action was performed in” is taught in ‘909 paragraphs 54-60.

7.	Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Roundy et al. U.S. Patent Application Publication No. U.S. 2017/0093902 (hereinafter ‘902) in view of Humphrey et al. U.S. Patent Application Publication No. 2019/0260782 (hereinafter ‘782) in further view of Brdiczka et al. U.S. Patent Application Publication No. 2014/0165195 (hereinafter ‘195).
	As to dependent claim 9, the following is not explicitly taught in ‘902 and ‘782: “The method of claim 8, wherein using the trained machine learning model comprises executing a link prediction algorithm” however ‘195 teaches using link predictions to detect anomalies in paragraphs 38-39.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the detecting of security incidents taught in ‘902 and ‘782 to use a machine learning model comprising executing a link prediction algorithm.  One of ordinary skill in the art would have been motivated to perform such a modification to improve on existing methods of detecting threats from insiders within government and large organizations; see ‘195 paragraphs 4-5.

8.	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Roundy et al. U.S. Patent Application Publication No. U.S. 2017/0093902 (hereinafter ‘902) in view of Humphrey et al. U.S. Patent Application Publication No. 2019/0260782 (hereinafter ‘782) in further view of Joyce et al. U.S. Patent No. 10,558,809 (hereinafter ‘809).
	As to dependent claim 13, the following is not explicitly taught in ‘902 and ‘782: “The method of claim 7, wherein submitting avoids submitting any of the following alert details data as training data: an alert provider name; an alert vendor name; an alert severity; or an identification of which rule triggered the alert”; however, ‘909 teaches that an analyst is able to use an API-agnostic approach to generate an overall risk assessment (prediction) of a computer system in col. 5, lines 15-20.  As explained in paragraph 71 of the Applicant’s disclosure, avoiding submitting any of these alert details is ‘agnostic’ with regard to the type of alert.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the detecting of security incidents taught in ‘902 and ‘782 to avoid submitting detail data as training data.  One of ordinary skill in the art would have been motivated to perform such a modification because many of the existing tools fail to identify potential vulnerabilities; see ‘890 col. 1, lines 11-34.
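To make concrete the claim elements discussed in sections 5-8 above, the following is an added illustration, written for this page and not code from the application, the Examiner, or any cited reference. It models the claim 1 representation (entity identifier, alert identifier, incident identifier, action indicator, action time), the add/remove actions of claim 4, the time- and actor-limited training subsets of claim 6, the withholding of provider/vendor/severity/rule details from training data (claim 13), and an incident update carrying a confidence level (claim 20). The learner itself, the raw event layout, and all entity, alert, and incident values are constructed assumptions for the example; they are not the applicant's method or any reference's.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


# One record per analyst grouping action, carrying exactly the five components of
# claim 1 plus the actor, which claim 6 uses to define a training subset. The details
# that claim 13 withholds (provider, vendor, severity, triggering rule) are not fields.
@dataclass(frozen=True)
class GroupingAction:
    entity_id: str
    alert_id: str
    incident_id: str
    action: str            # "add", "remove", "merge" or "divide" (claim 4)
    action_time: datetime
    actor: str


def to_representation(raw_event: dict) -> GroupingAction:
    """Map a raw tool event (hypothetical layout, constructed for this example) to the
    claim 1 representation, dropping the provider/vendor/severity/rule fields (claim 13)."""
    return GroupingAction(
        entity_id=raw_event["entity"],
        alert_id=raw_event["alert"],
        incident_id=raw_event["incident"],
        action=raw_event["action"],
        action_time=datetime.fromisoformat(raw_event["time"]),
        actor=raw_event["actor"],
    )


# Constructed history of analyst actions taken in a tool user interface.
RAW_HISTORY = [
    {"entity": "host-42", "alert": "A1", "incident": "INC-1", "action": "add",
     "time": "2022-07-01T09:00", "actor": "alice", "provider": "VendorX", "severity": "high", "rule": "R-7"},
    {"entity": "user-bob", "alert": "A1", "incident": "INC-1", "action": "add",
     "time": "2022-07-01T09:00", "actor": "alice", "provider": "VendorX", "severity": "high", "rule": "R-7"},
    {"entity": "host-42", "alert": "A2", "incident": "INC-1", "action": "add",
     "time": "2022-07-02T10:00", "actor": "alice", "provider": "VendorY", "severity": "medium", "rule": "R-3"},
    {"entity": "ip-10.0.0.5", "alert": "A3", "incident": "INC-2", "action": "add",
     "time": "2022-07-03T11:00", "actor": "carol", "provider": "VendorX", "severity": "low", "rule": "R-9"},
    {"entity": "host-42", "alert": "A4", "incident": "INC-2", "action": "add",
     "time": "2022-07-04T12:00", "actor": "carol", "provider": "VendorY", "severity": "high", "rule": "R-3"},
    # A later correction: the same alert was taken back out of INC-2.
    {"entity": "host-42", "alert": "A4", "incident": "INC-2", "action": "remove",
     "time": "2022-07-04T12:30", "actor": "alice", "provider": "VendorY", "severity": "high", "rule": "R-3"},
]
HISTORY = [to_representation(e) for e in RAW_HISTORY]


def select_subset(actions, since=None, actor=None):
    """Claim 6 style training subsets: limit by action time and/or by the acting analyst."""
    return [a for a in actions
            if (since is None or a.action_time >= since)
            and (actor is None or a.actor == actor)]


class EntityGroupingModel:
    """A deliberately simple learner (an assumption of this example): per entity, a
    running tally of how often analysts added (+1) or removed (-1) alerts on that entity
    to/from each incident. Merge and divide actions are kept in the history but carry no
    weight in this scorer."""
    WEIGHTS = {"add": 1.0, "remove": -1.0, "merge": 0.0, "divide": 0.0}

    def __init__(self):
        self.tally = defaultdict(lambda: defaultdict(float))

    def train(self, actions):
        for a in actions:
            self.tally[a.entity_id][a.incident_id] += self.WEIGHTS.get(a.action, 0.0)
        return self

    def predict(self, alert_id, entity_ids):
        """Return an incident update with a confidence level (claim 20), or None when
        nothing in the learned history supports grouping this alert with any incident."""
        scores = defaultdict(float)
        for entity in entity_ids:
            for incident, weight in self.tally.get(entity, {}).items():
                scores[incident] += weight
        positive = {inc: s for inc, s in scores.items() if s > 0}
        if not positive:
            return None
        best = max(positive, key=positive.get)
        return {"alert_id": alert_id, "incident_id": best, "action": "add",
                "confidence": positive[best] / sum(positive.values())}


if __name__ == "__main__":
    model = EntityGroupingModel().train(HISTORY)
    print(model.predict("A5", ["host-42", "ip-10.0.0.5"]))      # INC-1, confidence 2/3
    carol_only = EntityGroupingModel().train(select_subset(HISTORY, actor="carol"))
    print(carol_only.predict("A5", ["host-42", "ip-10.0.0.5"]))  # INC-2, confidence 1.0
    print(model.predict("A7", ["unknown-entity"]))               # None
```

The point of the two trained models is that the prediction depends on which historic grouping actions were submitted as training data: the full history favours INC-1 for an alert on host-42, while the subset limited to one actor favours INC-2, which is the behaviour the claim 6 subsets are meant to expose. The removal record shows why an action indicator matters: a later "remove" cancels the earlier "add" for the same alert and incident.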
9.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.  All of the below references are directed to security information event management and improvements.
	Street			U.S. Patent Application Publication No. 2020/0327221
	Street			U.S. Patent No. 11,126,711
	Israel et al.		U.S. Patent Application Publication No. 2019/0347578
	Bolding et al.		U.S. Patent Application Publication No. 2015/0172832
	Bolding et al.		U.S. Patent No. 11,238,366
	Klaedtke		U.S. Patent Application Publication No. 2019/0215340
	Klaedtke		U.S. Patent No. 10,904,290
	Hudis et al.		U.S. Patent Application Publication No. 2018/0084001
	Hudis et al.		U.S. Patent No. 10,771,492

Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
10.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ELLEN C TRAN whose telephone number is (571) 272-3842.  The examiner can normally be reached from M-F 9 AM to 6 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu, can be reached at 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ELLEN TRAN/Primary Examiner, Art Unit 2433
13 October 2022