DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to communication received 08/12/2022. Claims 1 and 15 are amended, claim 11 is canceled and claim 22 is newly added.

Response to Arguments
Applicant's arguments filed 08/12/2022 have been fully considered but they are not persuasive. 
Applicant argues “…However, nothing in Bhatia teaches or suggests that the email address or IP address (the alleged intelligence type) is determined from the rule threshold for incoming emails (the alleged first indicator of compromise)” and further argues “the Office Action relies on Bhatia as describing “based on the identified intelligence type associated with the first indicator of compromise, retrieve one or more system logs associated with the identified intelligence type.” Applicant respectfully disagrees”.

Examiner respectfully disagrees. 
Bhatia explicitly discloses “…a rule may state that if 90% of incoming emails are from unknown IP addresses, then a ticket should be issued. In this example, “90%” is the threshold of the rule that needs to be reached in order to issue a ticket” – Bhatia: par. 0096 – Note: In this example, the incoming emails are “events”, the intelligence type is “unknown/untrusted IP addresses” which is determined based on a “rule threshold”. In this example the retrieval of incoming emails, for example from email logs, is based on the identified “untrusted IP address” as the sender of those emails.
Rejections of record are nonetheless withdrawn because some features of Bhatia that were relied upon as inherent are explicitly disclosed in Zorlular. New grounds of rejection are made as shown below over Zorlular in view of Woodford. Please see the closest prior art reviewed but not relied on, as well as the art relied on, listed in the attached PTO-892. After considering the instant action, Applicant is encouraged to initiate an interview to expedite prosecution.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-10 and 12-22 are rejected under 35 U.S.C. 103 as being unpatentable over Zorlular, US2018/0183827, in view of Woodford, US2019/0260794.

Per claim 1, Zorlular discloses a computing platform (Fig. 1, computer 102), comprising: 
at least one processor (Fig. 10, 804); 
a communication interface communicatively coupled to the at least one processor (Fig. 10, 818); and 
memory storing computer-readable instructions (Fig. 10, 806) that, when executed by the at least one processor, cause the computing platform to: 
receive a plurality of threat intelligence data feeds from a plurality of sources, each threat intelligence data feed of the plurality of threat intelligence data feeds including intelligence data including a plurality of indicators of compromise and each intelligence feed being received from a respective source (if the warning system receives indicators from multiple sources, all indicating a cyber attack against the same resource, presenting those indicators to the analyst together may serve the analyst in determining that there is a cyber attack in progress against a given resource. Advantageously, this may allow for various indicators, including those corresponding to user activity that may not be sufficiently suspicious when reviewed by an analyst individually, to be related to each other and linked to an ongoing cyber attack against a resource – par. 0021); 
identify, within a first threat intelligence data feed, a first indicator of compromise (if the administrator of a resource falls victim to a social engineering scam and a short period of time later multiple transactions are made from the resource that appear to be just below the threshold for which the administrator would have to seek internal approval, these two indicators when reviewed individually may not be sufficient for an analyst to commence closer scrutiny. If, however, these two indicators are presented to the analyst together, the analyst may be able to determine that a cyber attack against this resource is in progress and take appropriate action – par. 0021);
analyze the identified first indicator of compromise to determine an intelligence type associated with the first indicator of compromise (If, however, these two indicators are presented to the analyst together, the analyst may be able to determine that a cyber attack against this resource is in progress and take appropriate action – par. 0021);
based on the identified intelligence type associated with the first indicator of compromise, retrieve one or more system logs associated with the identified intelligence type (Some currently available systems allow the analyst to search for and review individual indicators. Although these currently available systems can be helpful in discovering indicators for known types of activity related to a cyber attack, they typically require the analyst to manually repeat the same series of searches to determine related indicators, to manually calculate aggregates where the analyst desires to use them, and to manually go through large amounts of irrelevant data to find relevant indicators contained therein… the warning system of the present disclosure automatically collects indicators from a variety of sources, analyzes the indicators to generate alerts, tags and groups the alerts, and generates an interactive user interface in which, in response to inputs from the analyst, information related to the alerts and relevant indicators may be efficiently provided to the analyst. Accordingly, the analyst may be enabled to efficiently evaluate the alerts – par. 0028-0029); 
Zorlular is not relied on to explicitly disclose, but Woodford discloses, compare the first indicator of compromise to the retrieved one or more system logs to determine whether an occurrence of the first indicator of compromise in the one or more system logs exists (The comparison module can use the comparison to identify whether the network entity is in a breach state of the normal behavior benchmark… The cyber threat module can execute an autonomous analyst to use machine-learning to determine whether the network entity in the breach state is a cyber threat. The cyber threat module is configured to identify whether the breach state identified by the comparison module and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat – Woodford: par. 0032-0035 – Note: the chain of unusual behaviors collected from devices, containers, users, administrative changes, and traffic patterns that fall outside the normal benign behavior corresponds to malicious behavior associated with the cyber threat); 
Zorlular in view of Woodford further discloses based on the comparing, generate a binary output, generating the binary output including:
responsive to determining that an occurrence of the first indicator of compromise exists in the one or more system logs (i.e., checked selection box in the table), generate the binary output as actionable for the first indicator of compromise (The alerts and events table 1022 comprises, for each event displayed in the alerts and events table 1022, a selection check box 1024, an alert or event description column 1026, alert or event type column 1028, and a status column 1030 as well as an alert or event time column 1032. The selection check box 1024 allows the analyst to include in a selection by checking, or to exclude from a selection by unchecking, the selection check box 1024, corresponding one or more alerts…This allows the analyst to choose one or more alerts to take action on. For example, the analyst may check the selection check box 1024 corresponding to one or more alerts to either sign off, escalate, or initiate an investigation as to those one or more alerts…The alert or event type column 1028 indicates whether a given entry in the alerts and events table 1022 is an alert or an event. The status column 1030 indicates whether or not for a given event any action by the analyst is expected by the warning system. For example, … an alert the status column 1030 may indicate that action by the analyst is requested for an alert   – Zorlular: par. 0101-0102);
responsive to determining that an occurrence of the first indicator of compromise does not exist in the one or more system logs (i.e., unchecked selection box in the table), generate the binary output as inactionable for the first indicator of compromise (The alerts and events table 1022 comprises, for each event displayed in the alerts and events table 1022, a selection check box 1024, an alert or event description column 1026, alert or event type column 1028, and a status column 1030 as well as an alert or event time column 1032. The selection check box 1024 allows the analyst to include in a selection by checking, or to exclude from a selection by unchecking, the selection check box 1024, corresponding one or more alerts…This allows the analyst to choose one or more alerts to take action on. For example, the analyst may check the selection check box 1024 corresponding to one or more alerts to either sign off, escalate, or initiate an investigation as to those one or more alerts…The alert or event type column 1028 indicates whether a given entry in the alerts and events table 1022 is an alert or an event. The status column 1030 indicates whether or not for a given event any action by the analyst is expected by the warning system. For example, for an event the status column will indicate that there is no action necessary by the analyst – Zorlular: par. 0101-0102).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Zorlular in view of Woodford to include compare[ing] the first indicator of compromise to the retrieved one or more system logs to determine whether an occurrence of the first indicator of compromise in the one or more system logs exists.
One of ordinary skill in the art would have been motivated because it would allow “one or more actions to be taken to contain the cyber threat, identified by the cyber threat module, within an organization's portion of the cloud infrastructure environment when a cyber-threat risk parameter is indicative of a likelihood of a cyber-threat is equal to or above an actionable threshold” – Woodford: par. 0005, by contextualizing “cloud and SaaS events to link those events and better understand an entity's behavior by considering the SaaS metrics and events as well as the cloud metrics and events as an interconnected whole rather than separate realms” – Woodford: par. 0010.

Per claim 8, it recites a method, comprising: by a computing platform comprising at least one processor, memory, and a communication interface, the method performing the operations as recited in the computing platform of claim 1.
Therefore, claim 8 is rejected based on the same analysis and motivation to combine set forth in the rejection of claim 1 above. 

Per claim 15, it recites one or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, memory, and a communication interface, cause the computing platform to perform the operations as recited in claim 1.
Therefore, claim 15 is rejected based on the same analysis and motivation to combine set forth in the rejection of claim 1 above. 

Per claims 2, 9 and 16, Zorlular in view of Woodford discloses features of claims 1, 8 and 15. Zorlular is not relied on to explicitly disclose but Woodford discloses further including instructions that, when executed, cause the computing platform to: 
responsive to generating the binary output as actionable for the first indicator of compromise, retrieve additional information associated with the first indicator of compromise (The plotting and comparison are a way to filter out what is normal for that system and then be able to focus the analysis on what is abnormal or unusual for that system. Then for each hypothesis of what could be happening with the chain of unusual events or alerts, the gather module may gather additional metrics from the data store including the pool of metrics originally considered ‘normal behavior’ to support or refute each possible hypothesis of what could be happening with this chain of unusual behavior under analysis – Woodford: par. 0058 – Note: data relevant to each type of possible hypothesis will be automatically pulled from additional external and internal sources. Some data is pulled or retrieved by the gather module for each possible hypothesis from the data store – par. 0022); and 
prioritize further processing of the first indicator of compromise based on the binary output and the additional information (Instead of generating the simple binary outputs ‘malicious’ or ‘benign,’ the cyber threat defense system's mathematical algorithms produce outputs that indicate differing degrees of potential compromise. This output enables users of the system to rank different alerts in a rigorous manner and prioritize those that most urgently require action, simultaneously removing the problem of numerous false positives associated with a rule-based approach – Woodford: par. 0126).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Zorlular in view of Woodford to include responsive to generating the binary output as actionable for the first indicator of compromise, retrieve additional information associated with the first indicator of compromise; and prioritize further processing of the first indicator of compromise based on the binary output and the additional information.
One of ordinary skill in the art would have been motivated because it would allow the system to “autonomously respond to the unusual behavior, if an attack is indicated, in an automatic way that prevents the attack from progressing further” – Woodford: par. 0093.

Per claims 3, 10 and 17, Zorlular in view of Woodford discloses features of claims 2, 9 and 16, wherein the additional information includes at least the respective source from which the first threat intelligence data feed was received (In block 210 the information about the resource, the contextual data associated with the resource and the indicators of a potential cyberattack related to the resource as determined in block 204 are combined to determine, for each event, a risk estimate that indicates how much the resource is being put at risk by the event. In block 212 the risk estimate as determined in block 210 is compared against a threshold or in an alternative embodiment is compared against a threshold plus a random value. If the risk estimate exceeds the threshold or the threshold plus the random value control passes to block 214 wherein an alert is generated to indicate to an analyst information regarding a probable cyberattack against the resource. For example, the alert may comprise information about the time and date that the suspicious activity occurred, what resource is being put at risk, what users, what servers and what type of services are involved in the suspicious activity, and what the estimated risk is – Zorlular: par. 0084).

Per claims 4, 11 and 18, Zorlular in view of Woodford discloses features of claims 2, 9 and 16, wherein the additional information includes at least historical data associated with a previous occurrence of the first indicator of compromise (contextual data associated with the events potentially related to a cyber attack on the resource is determined. For example, in an embodiment the resource event history 154 may be queried to determine whether similar events related to a potential cyber attack on the resource have occurred in the past, and if so, whether those were determined by an analyst to be false positives or genuine causes for concern – Zorlular: par. 0082).
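As an added illustration (not code from the application or from the Zorlular or Woodford references), the following Python sketch walks the claimed pipeline as read in the rejections of claims 1 through 4: each indicator's intelligence type selects which system logs are retrieved, the comparison against those logs yields the actionable/inactionable binary output, and actionable indicators are then prioritized from the feed source and past occurrences. The feeds, log lines, history and scoring rule are constructed sample data and assumptions, not material from the record.

```python
import ipaddress
import re

# Constructed sample inputs (not taken from the application or the cited references).
# Two threat intelligence feeds, each tagged with the source it was received from.
FEEDS = [
    {"source": "vendor-feed", "indicators": ["203.0.113.45", "phish@example.net"]},
    {"source": "isac-feed", "indicators": ["198.51.100.7", "203.0.113.45"]},
]

# System logs grouped by the intelligence type they are checked against:
# firewall logs for IP-address indicators, mail logs for e-mail indicators.
SYSTEM_LOGS = {
    "ip": [
        "2022-08-12T10:01:02 fw DENY src=203.0.113.45 dst=10.0.0.8 dport=445",
        "2022-08-12T10:03:17 fw ALLOW src=192.0.2.10 dst=10.0.0.8 dport=443",
        "2022-08-12T10:04:00 fw ALLOW src=198.51.100.70 dst=10.0.0.9 dport=80",
    ],
    "email": [
        "2022-08-12T09:58:44 mta accepted from=<news@example.org> to=<ops@corp.example>",
    ],
}

# Past analyst verdicts per indicator (True = genuine, False = false positive).
HISTORY = {"203.0.113.45": [True, True], "198.51.100.7": [False]}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def intelligence_type(ioc):
    """Classify an indicator into the type that decides which logs are retrieved."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "email" if EMAIL_RE.match(ioc) else "unknown"


def find_occurrences(ioc, lines):
    """Return log lines containing the IOC as a whole token; '.' and '@' count
    as word characters so 198.51.100.7 does not match inside 198.51.100.70."""
    pattern = re.compile(r"(?<![\w.@-])" + re.escape(ioc) + r"(?![\w.@-])")
    return [line for line in lines if pattern.search(line)]


def binary_output(ioc, logs=SYSTEM_LOGS):
    """Retrieve the logs for the IOC's type, compare, and emit the binary verdict."""
    hits = find_occurrences(ioc, logs.get(intelligence_type(ioc), []))
    return ("actionable" if hits else "inactionable"), hits


def priority(ioc, verdict, sources, history=HISTORY):
    """Assumed scoring rule: only actionable IOCs are ranked; more feeds reporting
    it and more past genuine occurrences raise the priority; inactionable gets 0."""
    if verdict != "actionable":
        return 0
    return 1 + len(sources) + sum(1 for genuine in history.get(ioc, []) if genuine)


def process_feeds(feeds=FEEDS, logs=SYSTEM_LOGS, history=HISTORY):
    """Run every indicator through the pipeline; return results sorted by priority."""
    sources = {}
    for feed in feeds:
        for ioc in feed["indicators"]:
            sources.setdefault(ioc, set()).add(feed["source"])
    results = []
    for ioc, srcs in sources.items():
        verdict, hits = binary_output(ioc, logs)
        results.append({"ioc": ioc, "type": intelligence_type(ioc), "verdict": verdict,
                        "matches": hits, "sources": sorted(srcs),
                        "priority": priority(ioc, verdict, srcs, history)})
    return sorted(results, key=lambda r: r["priority"], reverse=True)
```

With the sample data, only 203.0.113.45 appears in the retrieved firewall log and is reported by both feeds, so it is the sole actionable indicator and ranks first; 198.51.100.7 is inactionable because the token-boundary match refuses the 198.51.100.70 entry.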

Per claims 5, 12 and 19, Zorlular in view of Woodford discloses features of claims 2, 9 and 16, wherein prioritizing further processing of the first indicator of compromise is performed using machine learning (the warning system may utilize machine-learning techniques to automatically determine which resources, activity and other observable variables are related to which resource. For example, the warning system may observe traffic patterns, user activity, past indicators and alerts, and other information, and apply supervised learning techniques known in the art, such as support vector machines, to those observations. This may allow the warning system to determine, based on an initial classification of certain resources and activities as part of a resource, other resources and activities that are likely related to that resource – Zorlular: par. 0080).

Per claims 6, 13 and 20, Zorlular in view of Woodford discloses features of claims 2, 9 and 16, further including instructions that, when executed, cause the computing platform to: transmit the first indicator of compromise and priority for further processing (At block 302, one or more alerts are retrieved from the alert queue 158. At block 304, the one or more alerts retrieved from the alert queue 158 are grouped, filtered and sorted. The alerts may dynamically be grouped and filtered, for example according to different alert types. In an embodiment, the alerts may be sorted by the risk score, for example so as to show the alerts starting with the highest risk score. At block 306, the alerts, as grouped and filtered, are displayed to the analyst in one or more interactive user interfaces (e.g., as described below in reference to FIGS. 5-9) – Zorlular: par. 0087-0088 – Note: Alerts that are sorted by risk score are displayed to the analyst/transmitted to the interactive user interface).

Per claims 7, 14 and 21, Zorlular in view of Woodford discloses features of claims 6, 13 and 20, wherein the further processing includes at least identifying one or more mitigating actions to execute (The quick action bar 1020 allows the analyst to select one out of several responses to the selected one or more alerts. For example, the analyst may be able to escalate the one or more alerts to a supervisor by selecting the escalate option, the analyst may dismiss the one or more alerts as non-critical by clicking the sign-off option, the analyst may be able to assign another analyst to conduct an investigation by clicking the initiate investigation option – Zorlular: par. 0099).

Per claim 22, Zorlular in view of Woodford discloses the computing platform of claim 1, wherein the intelligence type associated with the first indicator of compromise includes a specific type of internet protocol (IP) address (the warning system may extract time, date, users, servers and IP addresses involved, etc. The rules may be specifically written for the organization, or the resource, or they may be generic rules representing activity that is generally indicative of a cyber attack… an analyst may, even after the system has been deployed and is in operation, be able to define arbitrary rules to process information gathered from available data sources, such as log files. For example, …rules may be automatically learned from activity related to a resource that was previously determined to be related, or not related, to a cyber attack. For example, the warning system may extract various features, such as IP addresses, ports, signatures, packet headers and other characteristics, from past alerts that were determined by an analyst to be related to a cyber attack on a resource – Zorlular: par. 0088).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Saraiya (US2021/0406041) discloses determining the impact of a critical event by learning attributes such as overall cost to an organization, TTR, and infrastructure affected, among others, wherein these attributes are useful for determining the priority of newly arriving critical events that are automatically classified using one or more predictive models. 
Das (US11017764) discloses identifying patterns among notable events, wherein each notable event can be associated with an urgency value (e.g., low, medium, high, critical), which is indicated in an incident review dashboard. The urgency value for a detected event can be determined based on the severity of the event and the priority of the system component associated with the event. 
Leidner (US11132748) discloses priority notification being based on the warning notification generated to a first user to minimize delay in priority of an action by a second user based on at least a first identified risk-based event.
Kuppanna (US2020/0021609) discloses taking an automated action in response to a second threat in the absence of operator input, if a previously detected threat corresponds to an increased rate of threats or an increased level of threats. The step of taking an automated action in response to the second threat in the absence of operator input includes: checking the stored set of threat information and action information indicating an automatic action or operator instructed action to be taken in response to a previous threat of the first type having the same or a greater increased rate of threats of the first type or the same or a lesser level of threat of the first type (e.g., same or lesser severity level of threat for a threat of the first type).
Trost (US2021/0126938) discloses that when a security alert is determined to be a security threat event, a type of the security threat event is classified based on the related activity score and the metadata context, and a recommended mitigation course of action is output based on the classified type of the security threat event. 
Fellows (US2021/0273953) discloses unsupervised machine learning for spotting, highlighting, contextually prioritizing and isolating threats from within, which would otherwise go undetected. Machine learning has the capability to learn when to action automatic responses against the most serious cyber threats, disrupting in progress attacks before they become a crisis for the organization.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim, can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/AREZOO SHERKAT/Primary Examiner, Art Unit 2494