Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


8. Claims 1 – 17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, analyzed according to the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claim recites an endpoint device comprising: a processing resource; and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to: receive, by an endpoint protection platform running on the endpoint device via an event management agent of the endpoint protection platform, a request from an event management service for process information relating to an incident detected by the event management service; cause the request to be processed by an endpoint detection and response (EDR) service by transmitting the request to an EDR agent of the endpoint protection platform corresponding to the EDR service; receive via the EDR agent a response to the request from the EDR service, wherein the response includes the process information; and facilitate enrichment of an alert generated by the event management service based on the process information by transmitting the response to the event management service via the event management agent.
Step 1: Claims 1, 8 and 13 do fall into one of the four statutory categories as device (i.e., system) claims. Nevertheless, the claims are still considered to be directed to an abstract idea for the following prongs and reasons.
Step 2A, Prong 1: The limitations of claims 1, 8 and 13 recite: an endpoint device comprising: a processing resource; and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to: receive, by an endpoint protection platform running on the endpoint device via an event management agent of the endpoint protection platform, a request from an event management service for process information relating to an incident detected by the event management service; cause the request to be processed by an endpoint detection and response (EDR) service by transmitting the request to an EDR agent of the endpoint protection platform corresponding to the EDR service; receive via the EDR agent a response to the request from the EDR service, wherein the response includes the process information; and facilitate enrichment of an alert generated by the event management service based on the process information by transmitting the response to the event management service via the event management agent. Except for the words ‘device with processing resource and non-transitory… medium…’, there is nothing in the claim elements that precludes the steps from practically being performed in the human mind and/or with pen and paper. For example, receiving a request to process alerts and obtaining various information, in any office or campus, can also be perceived as being done manually by a human in an orderly fashion. In the context of these claims, the output is the detection of malware accordingly.
Dependent claims 2 – 7, 9 – 12 and 14 – 17, which in turn claim that the services comprise a SIEM deployed on endpoints, that the EDR is provided by a managed security service, that the process information comprises a process id, that the incident relates to a sensitive file / suspicious process, that the alerts are further enriched based on further request(s), etc., are mere structural addenda and are other steps that could be performed by a human manually with or without the need for a general purpose computer. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in a human mind but for the recitation of generic computer components, then it falls within the “mental processes” grouping of abstract ideas and can be done manually. Accordingly, the claim recites an abstract idea.
Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element to perform beyond the routine steps of: an endpoint device comprising: a processing resource; and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to: receive, by an endpoint protection platform running on the endpoint device via an event management agent of the endpoint protection platform, a request from an event management service for process information relating to an incident detected by the event management service; cause the request to be processed by an endpoint detection and response (EDR) service by transmitting the request to an EDR agent of the endpoint protection platform corresponding to the EDR service; receive via the EDR agent a response to the request from the EDR service, wherein the response includes the process information; and facilitate enrichment of an alert generated by the event management service based on the process information by transmitting the response to the event management service via the event management agent. The steps are recited at a high level of generality (i.e., as generic terms performing generic computer functions (spec. [0015])), such that they amount to no more than mere instructions to apply the exception using generic computer components. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore the claims are directed to an abstract idea.
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, an endpoint device comprising: a processing resource; and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to: receive, by an endpoint protection platform running on the endpoint device via an event management agent of the endpoint protection platform, a request from an event management service for process information relating to an incident detected by the event management service; cause the request to be processed by an endpoint detection and response (EDR) service by transmitting the request to an EDR agent of the endpoint protection platform corresponding to the EDR service; receive via the EDR agent a response to the request from the EDR service, wherein the response includes the process information; and facilitate enrichment of an alert generated by the event management service based on the process information by transmitting the response to the event management service via the event management agent, amounts to no more than mere instructions to apply the exception using generic computer terms. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. The claims are not patent eligible. Therefore all the corresponding dependent claims 2 – 7, 9 – 12 and 14 – 17 are also rejected for the same rationale.
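To make the claimed architecture concrete, the following Python is an added illustration (not code from the application, the examiner, or the Lorge reference) of the agent-brokered request/response flow recited in claim 1 above (the event management service asks the EDR service, through the two agents of the endpoint protection platform, for process information and folds the answer into its alert) and of the reverse direction recited in claims 8 and 13 below (the EDR service asks the event management service for other security-control alerts on similar connections and classifies the incident from the answer). The service names `siem` and `edr`, the message fields, the sample EDR process table and the sample SIEM alert history are all constructed assumptions for the example.

```python
"""Model of the agent-brokered request/response flow recited in the claims.

Added illustration only: the service names, message shapes, the sample EDR
process table and the sample SIEM alert history are all constructed here and
are not taken from the application or from the Lorge reference.
"""
import itertools

# Constructed sample data standing in for the two backend services' state.
EDR_PROCESS_TABLE = {
    4242: {"pid": 4242, "name": "updater.exe", "parent": "explorer.exe",
           "path": "C:\\Users\\Public\\updater.exe"},
}
SIEM_ALERT_HISTORY = [
    {"control": "web-proxy", "dst": "203.0.113.7:443", "verdict": "blocked"},
    {"control": "firewall", "dst": "203.0.113.7:443", "verdict": "allowed"},
    {"control": "web-proxy", "dst": "198.51.100.9:80", "verdict": "allowed"},
]


class EDRService:
    """Backend EDR service (claim 3: may be run by an MSSP). Answers process lookups."""

    def __init__(self, processes):
        self.processes = processes

    def handle(self, request):
        if request["type"] != "process_info":
            raise ValueError(f"EDR service cannot handle {request['type']!r}")
        proc = self.processes.get(request["pid"])
        return {"found": proc is not None, "process": proc}


class SIEMService:
    """Backend event management (SIEM) service. Answers alert-history lookups."""

    def __init__(self, history):
        self.history = history

    def handle(self, request):
        if request["type"] != "similar_connection_alerts":
            raise ValueError(f"SIEM service cannot handle {request['type']!r}")
        return {"matches": [a for a in self.history if a["dst"] == request["dst"]]}


class Agent:
    """Local agent of the endpoint protection platform corresponding to one service."""

    def __init__(self, name, service):
        self.name = name
        self.service = service

    def query(self, request):
        # In a real deployment this is the network call to the remote service.
        return self.service.handle(request)


class EndpointProtectionPlatform:
    """Brokers requests between the agents it hosts (the claimed IPC step, claim 4)."""

    def __init__(self):
        self.agents = {}
        self._request_ids = itertools.count(1)

    def register(self, agent):
        self.agents[agent.name] = agent

    def forward(self, origin, target, request):
        # Refuse requests from or to agents the platform does not host, and tag each
        # request with an id so the response can be correlated back to its origin.
        if origin not in self.agents or target not in self.agents:
            raise KeyError(f"unknown agent in {origin!r} -> {target!r}")
        request_id = next(self._request_ids)
        response = self.agents[target].query(request)
        return {"request_id": request_id, "origin": origin,
                "target": target, "response": response}


def build_platform():
    """Wire one SIEM agent and one EDR agent into a platform on the endpoint."""
    platform = EndpointProtectionPlatform()
    platform.register(Agent("siem", SIEMService(SIEM_ALERT_HISTORY)))
    platform.register(Agent("edr", EDRService(EDR_PROCESS_TABLE)))
    return platform


def enrich_siem_alert(platform, alert):
    """Claim 1 direction: the SIEM asks the EDR for process information about the
    incident and the response is folded into the SIEM's alert."""
    envelope = platform.forward("siem", "edr", {"type": "process_info", "pid": alert["pid"]})
    enriched = dict(alert)
    enriched["process"] = envelope["response"]["process"]  # None if the EDR has no record
    enriched["enrichment_request_id"] = envelope["request_id"]
    return enriched


def classify_edr_incident(platform, blocked_connection):
    """Claims 8 and 13 direction: the EDR asks the SIEM whether other security
    controls raised alerts on similar connections, then classifies the incident."""
    envelope = platform.forward("edr", "siem", {"type": "similar_connection_alerts",
                                                "dst": blocked_connection["dst"]})
    controls = sorted({m["control"] for m in envelope["response"]["matches"]})
    return {"dst": blocked_connection["dst"],
            "corroborating_controls": controls,
            "classification": "corroborated" if controls else "uncorroborated"}


if __name__ == "__main__":
    p = build_platform()
    print(enrich_siem_alert(p, {"incident": "sensitive_file_modified", "pid": 4242}))
    print(classify_edr_incident(p, {"dst": "203.0.113.7:443"}))
```

The platform never lets a service talk to another service directly: every request passes through the origin agent, the broker and the target agent, which is where a real implementation would enforce which agent may ask which for what, and the request id is what lets a late or failed response be matched to the alert that triggered it.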

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1 – 17 are rejected under 35 U.S.C. 102(a)(1)/(2) as being unpatentable by Lorge (US 8,200,606), hereafter Lor.
Claim 1: Lor teaches an endpoint device comprising: a processing resource; and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to (Figs. 1-2): receive, by an endpoint protection platform running on the endpoint device via an event management agent of the endpoint protection platform, a request from an event management service for process information relating to an incident detected by the event management service; (C6L6-8, Fig. 1: Event Decision-Maker initiates the Alert Decision Requester that requests and (C10L54-56) Operator Console detects an addressing alert issued by the Alert Decision Requester to thereby initiate action by the Operator and Inference Module);
cause the request to be processed by an endpoint detection and response (EDR) service by transmitting the request to an EDR agent of the endpoint protection platform corresponding to the EDR service; (C10L58-62: information contained in the addressing alert is adapted from the current format into a format compatible (Formatted Addressing Alert) for processing by the Inference Module, and is transmitted to the Inference Module for identification and action);
receive via the EDR agent a response to the request from the EDR service, wherein the response includes the process information; (C10, 11L64-67, 1-2, Figs. 2-4, C12L29-30: (Alert Pre-processing) the Inference Module queries the Conceptual Data Model..., Inference Module provides a complete list of actions (i.e., response) and (C6, 7L67, 1-4) generates contextual information (i.e., process info.) such as any of a variety of relevant information, such as, the computer network impacted by the alert, customer name, application name, time when alert occurred, etc.);
and facilitate enrichment of an alert generated by the event management service based on the process information by transmitting the response to the event management service via the event management agent. (C2L32-36: using a further set of inference rules to enrich the identified alert with at least contextual information (i.e., process info.) relevant to an operator, including at least identification of the components in said computer network that are impacted by the alert and (C10L11-14) Operator Automation Module receives from the Automation Module the enriched alert information with the inferred contextual information that fully identifies the alert, and the execution orders).
Claim 2: Lor teaches the endpoint device of claim 1, wherein the event management service comprises a security information and event management (SIEM) security product deployed within a private network with which the endpoint device is associated. (C1L39-41: Event Management Systems used to monitor and manage data centers work like "event expert systems", specialized in the management of data center events).
Claim 3: Lor teaches the endpoint device of claim 2, wherein the EDR service is provided by a managed security service provider (MSSP). (C6L34-36: "operator" refers in a general sense: it refers for instance a system watcher… or a system administrator).
Claim 4: Lor teaches the endpoint device of claim 3, wherein the request is transmitted by the event management agent to the EDR agent via an inter-process communication mechanism of an operating system of the endpoint device. (C6L6-8, Fig. 1: Event Decision-Maker initiates the Alert Decision Requester that requests and (C10L54-56) Operator Console detects an addressing alert issued by the Alert Decision Requester to thereby initiate action by the Operator and Inference Module and (C6L45-52) an Inference Module interfacing with an operator Console, a Conceptual Data Model of the monitored environment made of 3 sub-models...).
Claim 5: Lor teaches the endpoint device of claim 4, wherein the process information comprises a process identifier (PID) or a process name of a process executing on the endpoint device. (C6, 7L67, 1-4: generates contextual information (i.e., process info.) such as any of a variety of relevant information, such as, the computer network impacted by the alert, customer name, application name, time when alert occurred, etc.).
Claim 6: Lor teaches the endpoint device of claim 4, wherein the incident relates to a modification of a sensitive file. (C4L25-28: associating the received alert request to a generic conceptual data model of alert request and alert resolution and using a set of inference rules to construct a personalized model related to the computer network being monitored; C8L23-25: provide a general description of the components of data centers, how arising alerts shall be related to these components).
Claim 7: Lor teaches the endpoint device of claim 6, wherein the instructions further cause the processing resource to: receive, by the endpoint protection platform via the event management agent, a second request from the event management service for information indicative of how common the sensitive file is within the private network; cause the second request to be processed by the endpoint detection and response (EDR) service by transmitting the second request to the EDR agent; receive via the EDR agent a second response to the second request from the EDR service, wherein the response includes the information; and facilitate enrichment of the alert by the event management service based on the information by transmitting the second response to the event management service via the event management agent. (C7L28-32: dialog leads to the acquisition of new knowledge by the Inference Module, and the new knowledge is stored by the Inference Module,... for later reuse; C6L6-8, Fig. 1: Event Decision-Maker initiates the requests and (C10L54-56) Operator Console detects an addressing alert issued by the Alert Decision Requester to thereby initiate action by the Operator and Inference Module; C10L58-62: information contained in the addressing alert is adapted into a format compatible for processing by the Inference Module, and is transmitted to the Inference Module; C10, 11L64-67, 1-2, Fig. 2: the Inference Module queries and finds out which operator concepts are used to recognize an alert and the resolution actions, which attributes describe and identify them and (C6, 7L67, 1-4) generates contextual information (i.e., process info.) such as any of a variety of relevant information, such as, the computer network impacted by the alert, customer name, application name, time when alert occurred, etc.; C2L32-36: using a further set of inference rules to enrich the identified alert with at least contextual information (i.e., process info.) relevant to an operator, including at least identification of the components in said computer network that are impacted by the alert and (C10L11-14) Operator Automation Module receives from the Automation Module the enriched alert information with the inferred contextual information that fully identifies the alert, and the execution orders).
Claim 8: Lor teaches an endpoint device comprising: a processing resource; and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to: receive, by an endpoint protection platform running on the endpoint device via an endpoint detection and response (EDR) agent of the endpoint protection platform, a request from an EDR service for information regarding other security control alerts for connections similar to a connection detected and blocked by the EDR service; cause the request to be processed by an event management service by transmitting the request to an event management agent of the endpoint protection platform corresponding to the event management service; receive via the event management agent a response to the request from the event management service, wherein the response includes the information; and facilitate enrichment of findings by the EDR service based on the information by transmitting the response to the EDR service via the EDR agent. (C6L6-8, Fig. 1: Event Decision-Maker initiates the Alert Decision Requester that requests and (C10L54-56) Operator Console detects an addressing alert issued by the Alert Decision Requester to thereby initiate action by the Operator and Inference Module; C10L58-62: information contained in the addressing alert is adapted from the current format into a format compatible (Formatted Addressing Alert) for processing by the Inference Module, and is transmitted to the Inference Module for identification and action; C10, 11L64-67, 1-2, Figs. 2-4, C12L29-30: (Alert Pre-processing) the Inference Module queries the Conceptual Data Model..., Inference Module provides a complete list of actions (i.e., response) and (C6, 7L67, 1-4) generates contextual information (i.e., process info.) such as any of a variety of relevant information, such as, the computer network impacted by the alert, customer name, application name, time when alert occurred, etc.; C2L32-36: using a further set of inference rules to enrich the identified alert with at least contextual information (i.e., process info.) relevant to an operator, including at least identification of the components in said computer network that are impacted by the alert and (C10L11-14) Operator Automation Module receives from the Automation Module the enriched alert information with the inferred contextual information that fully identifies the alert, and the execution orders).
Claim 9: Lor teaches the endpoint device of claim 8, wherein the EDR service is provided by a managed security service provider (MSSP) and wherein the event management service comprises a security information and event management (SIEM) security product deployed within a private network with which the endpoint device is associated. (C1L39-41: Event Management Systems used to monitor and manage data centers work like "event expert systems", specialized in the management of data center events; C6L34-36: "operator" refers in a general sense: it refers for instance a system watcher… or a system administrator).
Claim 10: Lor teaches the endpoint device of claim 9, wherein the request is transmitted by the EDR agent to the EDR agent via an inter-process communication mechanism of an operating system of the endpoint device. (C6L6-8, Fig. 1: Event Decision-Maker initiates the Alert Decision Requester that requests and (C10L54-56) Operator Console detects an addressing alert issued by the Alert Decision Requester to thereby initiate action by the Operator and Inference Module and (C6L45-52) an Inference Module interfacing with an operator Console, a Conceptual Data Model of the monitored environment made of 3 sub-models...).
Claim 11: Lor teaches the endpoint device of claim 10, wherein the connection is associated with a suspicious process. (C4L25-28: associating the received alert request to a generic conceptual data model of alert request and alert resolution and using a set of inference rules to construct a personalized model related to the computer network being monitored; C8L23-25: provide a general description of the components of data centers, how arising alerts shall be related to these components).
Claim 12: Lor teaches the endpoint device of claim 11, wherein the instructions further cause the processing resource to: receive, by the endpoint protection platform via the EDR agent, a second request from the EDR service for information indicative of whether a file associated with the suspicious process has been reported by other security controls; cause the second request to be processed by the SIEM service by transmitting the second request to the event management agent; receive via the event management agent a second response to the second request from the SIEM service, wherein the response includes the information indicative of whether the file has been reported by other security controls; and facilitate enrichment of the findings by the EDR service based on the information indicative of whether the file has been reported by other security controls by transmitting the second response to the EDR service via the event management agent. (C7L28-32: dialog leads to the acquisition of new knowledge by the Inference Module, and the new knowledge is stored by the Inference Module,... for later reuse; C6L6-8, Fig. 1: Event Decision-Maker initiates the requests and (C10L54-56) Operator Console detects an addressing alert issued by the Alert Decision Requester to thereby initiate action by the Operator and Inference Module; C10L58-62: information contained in the addressing alert is adapted into a format compatible for processing by the Inference Module, and is transmitted to the Inference Module; C10, 11L64-67, 1-2, Fig. 2: the Inference Module queries and finds out which operator concepts are used to recognize an alert and the resolution actions, which attributes describe and identify them and (C6, 7L67, 1-4) generates contextual information (i.e., process info.) such as any of a variety of relevant information, such as, the computer network impacted by the alert, customer name, application name, time when alert occurred, etc.; C2L32-36: using a further set of inference rules to enrich the identified alert with at least contextual information (i.e., process info.) relevant to an operator, including at least identification of the components in said computer network that are impacted by the alert and (C10L11-14) Operator Automation Module receives from the Automation Module the enriched alert information with the inferred contextual information that fully identifies the alert, and the execution orders).
Claim 13: Lor teaches an endpoint device comprising: a processing resource; and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to: receive, by an endpoint protection platform running on the endpoint device via an endpoint detection and response (EDR) agent of the endpoint protection platform, a request from an EDR service for information regarding other security control alerts for connections similar to a connection detected and blocked by the EDR service; cause the request to be processed by an event management service by transmitting the request to an event management agent of the endpoint protection platform corresponding to the event management service; receive via the event management agent a response to the request from the event management service, wherein the response includes the information; and facilitate classification of an incident relating to the connection by the EDR service based on the information by transmitting the response to the EDR service via the EDR agent. (C6L6-8, Fig. 1: Event Decision-Maker initiates the Alert Decision Requester that requests and (C10L54-56) Operator Console detects an addressing alert issued by the Alert Decision Requester to thereby initiate action by the Operator and Inference Module; C10L58-62: information contained in the addressing alert is adapted from the current format into a format compatible (Formatted Addressing Alert) for processing by the Inference Module, and is transmitted to the Inference Module for identification and action; C10, 11L64-67, 1-2, Figs. 2-4, C12L29-30: (Alert Pre-processing) the Inference Module queries the Conceptual Data Model..., Inference Module provides a complete list of actions (i.e., response) and (C6, 7L67, 1-4) generates contextual information (i.e., process info.) such as any of a variety of relevant information, such as, the computer network impacted by the alert, customer name, application name, time when alert occurred, etc.; C2L32-36: using a further set of inference rules to enrich the identified alert with at least contextual information (i.e., process info.) relevant to an operator, including at least identification of the components in said computer network that are impacted by the alert and (C10L11-14) Operator Automation Module receives from the Automation Module the enriched alert information with the inferred contextual information that fully identifies the alert, and the execution orders).
Claim 14: Lor teaches the endpoint device of claim 13, wherein the EDR service is provided by a managed security service provider (MSSP) and wherein the event management service comprises a security information and event management (SIEM) security product deployed within a private network with which the endpoint device is associated. (C1L39-41: Event Management Systems used to monitor and manage data centers work like "event expert systems", specialized in the management of data center events; C6L34-36: "operator" refers in a general sense: it refers for instance a system watcher… or a system administrator).
Claim 15: Lor teaches the endpoint device of claim 14, wherein the request is transmitted by the EDR agent to the EDR agent via an inter-process communication mechanism of an operating system of the endpoint device. (C6L6-8, Fig. 1: Event Decision-Maker initiates the Alert Decision Requester that requests and (C10L54-56) Operator Console detects an addressing alert issued by the Alert Decision Requester to thereby initiate action by the Operator and Inference Module and (C6L45-52) an Inference Module interfacing with an operator Console, a Conceptual Data Model of the monitored environment made of 3 sub-models...).
Claim 16: Lor teaches the endpoint device of claim 15, wherein the connection is associated with a suspicious process. (C4L25-28: associating the received alert request to a generic conceptual data model of alert request and alert resolution and using a set of inference rules to construct a personalized model related to the computer network being monitored; C8L23-25: provide a general description of the components of data centers, how arising alerts shall be related to these components).
Claim 17: Lor teaches the endpoint device of claim 16, wherein the instructions further cause the processing resource to: receive, by the endpoint protection platform via the EDR agent, a second request from the EDR service for information indicative of whether a file associated with the suspicious process has been reported by other security controls; cause the second request to be processed by the SIEM service by transmitting the second request to the event management agent; receive via the event management agent a second response to the second request from the SIEM service, wherein the response includes the information indicative of whether the file has been reported by other security controls; and facilitate classification of the incident by the EDR service based on the information indicative of whether the file has been reported by other security controls by transmitting the second response to the EDR service via the event management agent. (C7L28-32: dialog leads to the acquisition of new knowledge by the Inference Module, and the new knowledge is stored by the Inference Module,... for later reuse; C6L6-8, Fig. 1: Event Decision-Maker initiates the requests and (C10L54-56) Operator Console detects an addressing alert issued by the Alert Decision Requester to thereby initiate action by the Operator and Inference Module; C10L58-62: information contained in the addressing alert is adapted into a format compatible for processing by the Inference Module, and is transmitted to the Inference Module; C10, 11L64-67, 1-2, Fig. 2: the Inference Module queries and finds out which operator concepts are used to recognize an alert and the resolution actions, which attributes describe and identify them and (C6, 7L67, 1-4) generates contextual information (i.e., process info.) such as any of a variety of relevant information, such as, the computer network impacted by the alert, customer name, application name, time when alert occurred, etc.; C2L32-36: using a further set of inference rules to enrich the identified alert with at least contextual information (i.e., process info.) relevant to an operator, including at least identification of the components in said computer network that are impacted by the alert and (C10L11-14) Operator Automation Module receives from the Automation Module the enriched alert information with the inferred contextual information that fully identifies the alert, and the execution orders).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN/ Primary Examiner, Art Unit 2496.