Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 7/12/22 have been fully considered but they are not persuasive. Applicant argues (boldface emphasis Examiner’s):
The Office Action alleges that element 4002 of FIG. 40A of Muddu is analogous to a primary node of claim 1, that element 4004 of FIG. 40A of Muddu is analogous to a field node of claim 1, and that element 4010 of FIG. 40A of Muddu is analogous to an action node of claim 1. If such an analogy is accepted, then Muddu clearly does not disclose, teach, or suggest that the action node is based at least in part on one or more of the field nodes. The "actions tab 4010" (i.e., element 4010 of FIG. 40A of Muddu) allows a user to "select from several options ..." to characterize the threat (i.e., the primary node). Muddu at ¶0464. For example, "[i]f the user determines that the threat is not a concern, the user can select 'Not a Threat'". Muddu at ¶0464. This actions tab 4010 operates independent of element 4004 of FIG. 40A, and as such it cannot be reasonably argued that the "actions tab 4010" is "based at least on" element 4004 of FIG. 40A.

	Examiner disagrees, noting in particular that the highlighted statement by Applicant is incorrect, as Muddu clearly discloses that the data listed in GUI element 4004 – e.g. the users, devices, and applications [i.e. “field nodes” as per Applicant’s claim language] – are displayed specifically because they are the pertinent details comprising the threat displayed as element 4002.  See e.g. Muddu at paragraphs 0455 (“The “Users” view 3908, “Devices” view 3909, and “Applications” view 3910 provide separate listings for each type of entity (namely, users, devices, and applications, respectively) that is associated with an anomaly or threat.”) and 0462 (“The list of Users identifies each user associated with the threat and provides a score for each user. Similarly, the list of Devices and list of Apps identify each device (by IP address) and App (by file name/type), respectively, along with a score.”).  Furthermore, at least some of the Actions explicitly disclosed as belonging to the Actions tab 4010 – in particular, the “Export” selection which enables the user to export data associated with the threat to another data mining platform (Muddu, paragraph 0464) – are clearly based at least on the one or more field nodes as per the claim, as a person of ordinary skill in the art would clearly recognize that, in order to supply an external data mining platform with meaningful data regarding a threat, one would need more data than merely the text string from element 4002 that merely states a threat was detected as per Applicant’s understanding of the Muddu reference.
	Applicant’s remaining arguments, being predicated on the erroneous assumption discussed supra, are rebutted for substantially similar reasons.

Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (U.S. Patent Publication 2017/0063899) in view of Franke (U.S. Patent 9,319,420).

Regarding claims 1, 8, and 15:
Muddu discloses a method, computer program product, and system comprising: receiving, by a Security Orchestration, Automation and Response (SOAR) platform (the security platform of the Muddu disclosure: e.g. Abstract, and paragraphs 0135-0137), alert data pertaining to an incident observed within a monitored network (e.g. paragraphs 0169-0170); as part of an investigation into the incident and based on the received alert data, generating, by the SOAR platform, a mind map view within a graphical user interface (GUI) of a console used by an analyst (paragraph 0171; see also e.g. Figures 40A-40C), wherein the mind map view includes a primary node corresponding to the incident (e.g. element 4002 of Figure 2A), one or more field nodes associated with the primary node (the various entities listed below in element 4004 of Figure 40A; see also paragraphs 0462-0463), one or more action nodes based at least on one of the one or more field nodes, wherein each of the one or more action nodes is associated with one or more dynamic actions selectable by the analyst to be executed by the SOAR platform (element 4010 of Figures 40A & 40C); receiving, by the SOAR platform, information regarding a selected action of the one or more dynamic actions selected by the analyst (paragraph 0154); training, by the SOAR platform, a machine-learning model based on the incident and the selected action (e.g. paragraphs 0150-0154; & 0171); and updating, by the SOAR platform, the mind map view in real-time based on a suggestion by the machine-learning model (Ibid).
	The graphical user interface disclosed by Muddu is not explicitly referred to as a “mind map”.  However, Franke discloses a related invention for computer security that explicitly implements mind map GUIs (col. 7, lines 18-35 and 59-67).  It would have been obvious prior to the filing date of the instant application to employ mind map visual interfaces in the invention disclosed by Muddu, as mind maps can be beneficial in identifying possible links between information in which there are not presently tangible links but where an intelligence gathering professional can work through different potential links (Franke, Ibid).

Regarding claims 2, 9, and 16:	The combination further discloses wherein the one or more field nodes each represent an investigation phase (Muddu, e.g. element 4002 of Figure 40A, and element 4540 of Figure 45E).

Regarding claims 3, 10, and 17:	The combination further discloses wherein a dynamic action of the one or more dynamic actions represents an enrichment action or a mitigation action (Muddu: enrichment at paragraphs 0159-0160 & 0398-0400; mitigation at e.g. paragraphs 0151 & 0321).

Regarding claims 4, 11, and 18:	The combination further discloses wherein the enrichment action enriches an artifact associated with the incident with threat intelligence (Muddu: e.g. paragraphs 0159-0160 & 0398-0400).

Regarding claims 5, 12, and 19:	The combination further discloses wherein a dynamic action of the one or more dynamic actions causes the SOAR platform to issue an operation to a security tool associated with the monitored network (Muddu: the “Export” option of paragraph 0464; and Fig. 40C).

Regarding claims 6, 13, and 20:	The combination further discloses wherein the operation causes the security tool to block an Internet Protocol (IP) address associated with the incident (blocking specific network communication at Muddu, e.g. paragraphs 0151 & 0321).

Regarding claims 7 and 14:	The combination further discloses wherein the incident pertains to any or a combination of an unknown new threat, a known new threat, an unknown one-off threat, a known one-off threat, an unknown probable threat, and a known probable threat (unknown and known threats at Muddu, paragraphs 0137 & 0140).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

THOMAS A. GYORFI
Examiner
Art Unit 2435



/THOMAS A GYORFI/Examiner, Art Unit 2435 10/31/2022

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435