DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 21-26, 28, and 31-40 are rejected under 35 U.S.C. 103 as being unpatentable over Narula et al. (US 2021/0306352 A1) in view of Keller et al. (“A Fuzzy K-Nearest Neighbor Algorithm”) and DFLABS (“Security Orchestration, Automation and Response (SOAR) Technology”).
Regarding claims 21, 31 and 36, Narula discloses a method and corresponding system and computer product, the method comprising: 
	detecting, by one or more processors (Fig. 2, processor 202; Fig. 6, processor 670; par. [0027], [0083]-[0085]), a cybersecurity incident having a plurality of features (i.e., a feature set) (par. [0029], [0042]); 
	determining, by the one or more processors, a set of cybersecurity incidents similar to the cybersecurity incident based on the feature set (Fig. 4D, step 462; par. [0029], [0042], [0074]); 
	determining, by the one or more processors, a playbook associated with the cybersecurity incident based on previous cybersecurity incidents of the set of similar cybersecurity incidents, the playbook comprising a flow of one or more actions to be executed in response to detecting the cybersecurity incident (Fig. 4D, step 464; par. [0043]-[0044], [0075]); 
	causing, by the one or more processors, presentation of the playbook in a user interface (UI) showing details of the cybersecurity incident (i.e., UI showing a set of phases for the incident such as detection, identification, confirmation, containment, eradication, recovery and aftermath) (Fig. 3A; par. [0047]); 
	executing the flow of one or more actions of the playbook (par. [0044]); and 
	causing, by the one or more processors, presentation in the UI of results after execution of the playbook (i.e., UI showing a set of phases for the incident such as detection, identification, confirmation, containment, eradication, recovery and aftermath) (Fig. 3A; par. [0047]).
	Narula discloses determining a set of cybersecurity incidents similar to the cybersecurity incident based on the feature set (par. [0029]). Narula does not disclose utilizing a nearest neighbor algorithm for determining cybersecurity incidents similar to the cybersecurity incident. Specifically, Narula does not disclose determining a set of nearest neighbors of the cybersecurity incident in a feature space, the set of nearest neighbors comprising other cybersecurity incidents having a distance from the cybersecurity incident within the feature space and within a predetermined threshold. Keller discloses determining a set of nearest neighbors of an object in a feature space, the set of nearest neighbors comprising other objects having a distance from the object within the feature space and within a predetermined threshold (p. 581-582, Fuzzy K-NN Classifier). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Narula's method to determine a set of nearest neighbors of the cybersecurity incident in a feature space, the set of nearest neighbors comprising other cybersecurity incidents having a distance from the cybersecurity incident within the feature space and within a predetermined threshold, as taught by Keller. The motivation for doing so would have been that Keller's fuzzy algorithm had a low error rate and compared well against other standard, more sophisticated pattern recognition procedures (Abstract).
	Narula discloses using a playbook. Narula does not disclose utilizing a runbook comprising a flow of one or more actions to be executed in response to detecting the cybersecurity incident and flow control for execution of the one or more actions. DFLABS discloses utilizing a runbook comprising a flow of one or more actions to be executed in response to detecting a cybersecurity incident and flow control for execution of the one or more actions (page 6, Automation). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Narula's method to utilize a runbook comprising a flow of one or more actions to be executed in response to detecting the cybersecurity incident and flow control for execution of the one or more actions, as taught by DFLABS. The motivation for doing so would have been that runbooks provide a greater level of flexibility than playbooks can provide: runbooks allow multi-path processes to be defined, enabling the automated, semi-automated or manual execution of differing workflows depending on any number of conditions.
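As an added illustration, not part of this Office action and not code from Narula, Keller or DFLABS, the following Python example shows the two techniques relied upon above working together: a fuzzy k-nearest-neighbor recommender in the manner of Keller's classifier, which selects a runbook for a new incident from the historical incidents that lie within a predetermined distance threshold in feature space, and a runbook whose steps carry guard conditions so that execution follows different paths depending on incident attributes. The feature layout, the incident history, the runbook names and the guard conditions are all assumptions constructed for the example.

```python
import math
from typing import Callable, Dict, List, Optional, Tuple

# Assumed feature layout: every incident is a vector of
# [severity, affected_host_ratio, known_malware_hash, outbound_c2_beacon, credential_misuse],
# each scaled to the range 0..1 so that Euclidean distance is meaningful.
Features = Tuple[float, float, float, float, float]

# Constructed history of resolved incidents and the runbook that handled each one.
HISTORY: List[Tuple[Features, str]] = [
    ((0.9, 0.6, 1.0, 1.0, 0.0), "malware-containment"),
    ((0.8, 0.4, 1.0, 0.0, 0.0), "malware-containment"),
    ((0.7, 0.1, 0.0, 0.0, 1.0), "credential-reset"),
    ((0.6, 0.2, 0.0, 0.0, 1.0), "credential-reset"),
    ((0.2, 0.1, 0.0, 0.0, 0.0), "triage-only"),
]


def distance(a: Features, b: Features) -> float:
    """Euclidean distance between two incidents in feature space."""
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def nearest_neighbors(x: Features, history: List[Tuple[Features, str]],
                      k: int, threshold: float) -> List[Tuple[float, str]]:
    """Up to k closest historical incidents whose distance to x is within threshold."""
    scored = sorted((distance(x, feats), runbook) for feats, runbook in history)
    return [(d, runbook) for d, runbook in scored if d <= threshold][:k]


def fuzzy_memberships(neighbors: List[Tuple[float, str]], m: float = 2.0) -> Dict[str, float]:
    """Fuzzy k-NN class memberships with crisp neighbor labels (Keller et al.):
    u_i(x) = sum_j u_ij * w_j / sum_j w_j with w_j = 1 / d_j ** (2 / (m - 1)),
    where u_ij is 1 when neighbor j carries label i and 0 otherwise.
    An exact match (distance 0) would divide by zero; it simply wins outright."""
    if not neighbors:
        return {}
    labels = {runbook for _, runbook in neighbors}
    exact = [runbook for d, runbook in neighbors if d == 0.0]
    if exact:
        return {runbook: (1.0 if runbook == exact[0] else 0.0) for runbook in labels}
    exponent = 2.0 / (m - 1.0)
    weights = [(runbook, 1.0 / d ** exponent) for d, runbook in neighbors]
    total = sum(w for _, w in weights)
    memberships: Dict[str, float] = {runbook: 0.0 for runbook in labels}
    for runbook, w in weights:
        memberships[runbook] += w / total
    return memberships


def recommend_runbook(x: Features, history: List[Tuple[Features, str]] = HISTORY,
                      k: int = 3, threshold: float = 0.6,
                      m: float = 2.0) -> Tuple[Optional[str], Dict[str, float]]:
    """Returns (recommended runbook, memberships). The runbook is None when no
    historical incident lies within the threshold, i.e. the incident is novel."""
    memberships = fuzzy_memberships(nearest_neighbors(x, history, k, threshold), m)
    if not memberships:
        return None, {}
    return max(memberships, key=memberships.get), memberships


# A runbook is an ordered flow of steps; each step is (action, guard). The guard
# inspects the incident's features and decides whether that step runs, which is
# the multi-path flow control the passage above contrasts with a linear playbook.
Guard = Callable[[Features], bool]
Step = Tuple[str, Guard]
ALWAYS: Guard = lambda f: True

RUNBOOKS: Dict[str, List[Step]] = {
    "malware-containment": [
        ("enrich-hash-reputation", ALWAYS),
        ("isolate-host", lambda f: f[3] == 1.0),       # only if outbound C2 beaconing was seen
        ("notify-soc", ALWAYS),
    ],
    "credential-reset": [
        ("enrich-user-context", ALWAYS),
        ("force-password-reset", ALWAYS),
        ("revoke-sessions", lambda f: f[0] >= 0.7),    # high-severity branch only
        ("notify-soc", ALWAYS),
    ],
    "triage-only": [("create-ticket", ALWAYS)],
}


def execute_runbook(name: str, incident: Features) -> List[str]:
    """Walk the runbook in order, executing only the steps whose guard holds."""
    return [action for action, guard in RUNBOOKS[name] if guard(incident)]


if __name__ == "__main__":
    new_incident: Features = (0.85, 0.5, 1.0, 1.0, 0.0)   # constructed: beaconing malware
    runbook, memberships = recommend_runbook(new_incident)
    print(runbook, memberships)
    print(execute_runbook(runbook, new_incident))
```

The threshold is what keeps the recommender honest: an incident that resembles nothing in the repository gets no runbook rather than the least-bad one, which is the case a SOC would want surfaced to an analyst rather than automated.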
Regarding claims 22, 32 and 37, DFLABS further discloses that the runbook is configurable to execute automatically, and the runbook is configurable to execute in interactive mode (i.e., enabling the automated, semi-automated or manual execution of differing workflows) (page 6, Automation; page 8, Process Workflows).
Regarding claims 23, 33 and 38, DFLABS further discloses that the actions are selected from a group comprising data enrichment actions, threat containment actions (i.e., automation of the enrichment of alert data…followed by automated containment actions) (page 6, Automation), and notification transmittals of the cybersecurity incident (page 12, Vulnerability Management; page 13, Case Management).
Regarding claims 24, 34 and 39, Narula further discloses identifying a parent for the cybersecurity incident based on the feature set and causing presentation in the UI of the identified parent for the cybersecurity incident (i.e., displaying playbook(s) associated with a similar cybersecurity incident(s)) (par. [0076]).
Regarding claims 25, 35 and 40, Narula further discloses providing an option in the UI for creating a new playbook (par. [0066]). Accordingly, the combination of Narula and DFLABS would lead to providing an option in the UI for creating a new runbook. The motivation for doing so would have been to allow for flexibility in management of runbooks.
Regarding claim 26, Narula further discloses providing an option in the UI to edit the playbook, including options for adding, modifying, and deleting actions of the playbook (par. [0080]-[0081]). Accordingly, the combination of Narula and DFLABS would lead to providing an option in the UI to edit the runbook, including options for adding, modifying, and deleting actions of the runbook. The motivation for doing so would have been to allow for flexibility in management of runbooks.
Regarding claim 28, Narula does not disclose assigning the cybersecurity incident to a first runbook from a plurality of runbooks in a general repository, each runbook having a category value. DFLABS discloses assigning the cybersecurity incident to a first runbook from a plurality of runbooks in a general repository, each runbook having a category value (i.e., …which types of runbooks are chosen based on any number of incident attributes) (page 6, Automation). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Narula's method to assign the cybersecurity incident to a first runbook from a plurality of runbooks in a general repository, each runbook having a category value, as taught by DFLABS. The motivation for doing so would have been to facilitate recognizing decision patterns and automating the recommendation of runbooks for new incidents based on the actions performed during previous incidents.
Allowable Subject Matter
Claims 27 and 29-30 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MINH DINH whose telephone number is (571)272-3802. The examiner can normally be reached Mon-Fri: 9 AM - 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MINH DINH/Primary Examiner, Art Unit 2432