DETAILED ACTION
Claims 1-23 remain for examination. The amendment filed 7/30/25 amended claims 1, 22, and 23.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments, see page 6 of the amendment filed 7/30/25, with respect to the amended claim language explicitly reciting the use of cryptojacking threat protection applications have been fully considered and are persuasive. Therefore, the rejection of claims 1-23 has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Trost combined with the newly discovered reference to Lancioni.
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-8, 10-18, 22, & 23 are rejected under 35 U.S.C. 103 as being unpatentable over Trost (U.S. Patent Publication 2021/0126938) in view of Lancioni (U.S. Patent Publication 2020/0053109).
Regarding claims 1, 22, and 23:
Trost discloses a computer-implemented method, computer program product, and system for cybersecurity management comprising: accessing a plurality of network-connected cybersecurity threat protection applications (e.g. paragraph 0042, including: “FIG. 4 is an illustration of one or more data streams being provided from network devices, such as client systems 105, 110, and 115. The streams may include, for example, data related to monitored web activity (e.g. web proxy logs), network activity (e.g. firewall logs), endpoint activity (Endpoint Detection and Response (EDR) logs, Windows® Event logs), malware related activity (Anti-Virus logs), email activity (email security logs), cloud activity (AWS, Azure, GCP logs), IT change activity, threat intelligence, and raw packets”; see also paragraph 0045: “Cloud monitoring works through a set of tools that supervise the servers, resources, and applications running web-hosted applications. These tools may be in-house tools from the cloud provider, or tools from independent SaaS provider”); receiving a plurality of inputs from the cybersecurity threat protection applications, wherein the plurality of inputs is initiated by one or more cybersecurity events (paragraph 0059: “The triage engine would have alerts as inputs, and processes the alerts by retrieving all related signals, retrieving any relevant enrichment data, uses pre-trained ML models to score the combination of inputs (e.g. alerts, signals, enrichments), outputs (e.g. numeric score, recommended action) and stores the results alongside the alert in the same case management system”; see also paragraph 0057); analyzing, on a computer platform, metadata associated with the plurality of inputs from the cybersecurity threat protection applications (paragraph 0048: “…the triage system looks into events surrounding the alert event in order to provide additional context. One such context may be event metadata relating to the alert”; & paragraph 0067: “The metadata of the alert and metadata of the signals may be utilized to perform the correlation. As previously discussed, alerts and signals include meta data with further identification of the alert, origination, location, equipment and users it is associated with. Accordingly, such correlation strengthens or weakens the possibility of the alert event being classified as a malicious event”; see also paragraph 0109); triaging the inputs into groupings, based on the metadata (paragraphs 0067-0068, including “In one embodiment, rules engine 1008 may detect an alert and query the variable data storage for related events that, on their own, are not sufficiently actionable”; the invention can correlate [“group”] a series of alerts and events that individually would not necessarily indicate a cyber threat event, but when analyzed as a group can lead to such a determination); and generating a cybersecurity threat response, based on the groupings (paragraph 0068: “Moreover, as will be further seen herein, the plot produced on a display associated with a server or computing device (e.g. server 120) may also include additional diagnostics and triage support to help remedy the problem caused by the cyber threat event”; see also paragraph 0049: “Triage system 700 may be implemented by server system 120 (in FIG. 1) and configured to identify true positive alerts and output triage analysis and recommendations for addressing the security threat…”; and paragraph 0109: “…and outputting a recommended mitigation course of action based on the classified type of the security threat event”).
Trost does not explicitly disclose wherein the at least one of the plurality of cybersecurity threat applications is a cryptojacking cybersecurity threat protection application configured to detect a cryptojacking threat, with the subsequent consequence(s) of detecting, triaging, and responding to a cryptojacking threat specifically. However, Lancioni discloses a related cybersecurity application specifically dedicated to analyzing input signals in order to detect cryptojacking events (Lancioni, e.g. paragraphs 0049-0055; see also cryptojacking explicitly defined as illicitly mining cryptocurrency at e.g. paragraphs 0025-0031 & 0048), and can further perform remediation when cryptojacking is detected (Lancioni, paragraph 0082). It would have been obvious prior to the effective filing date of the instant application to include an anti-cryptojacking application such as that disclosed by Lancioni as one of the cybersecurity applications employed by the Trost invention, as a person of ordinary skill in the art would have had good reason to pursue the known options within one’s technical grasp. If using an anti-cryptojacking tool as one of the plurality of security monitoring tools known to be employed by the Trost invention would lead to success, it would be the result not of innovation but of ordinary skill and common sense.
Regarding claim 2: Trost further discloses wherein the groupings are based on a number of users experiencing the plurality of inputs (paragraph 0063, including: “Prevalence/popularity analytics may be useful in identifying suspicious activity related to an alert. These analytics seek to identify activity associated with new or rare entities such as domain names, executables, etc. For example, is this the first sighting of this activity, last sighting, how often is this activity sighted, any unique users/hosts related to the activity may also be contemplated…”).
Regarding claim 3: Trost further discloses wherein the number of users is matched against a threshold for the plurality of inputs (Ibid).
Regarding claim 4: Trost further discloses wherein the threshold is based on a particular grouping (Ibid).
Regarding claim 5: Trost further discloses wherein the threshold is set recursively for a particular grouping (Ibid).
Regarding claim 6: Trost further discloses wherein the analyzing is based on parsing incoming traffic alerts from the cybersecurity threat protection applications (paragraphs 0054-0056, including “The baseline activity may be used during event triage when evaluating activities that deviate from the baseline, but may also be available for alerting and use cases as well. If an activity is deemed to be within a baseline range (e.g. within one standard deviation unit), the activity may be deemed normal. For example, if a user (e.g. user ABC123) uploaded 10.5× more data via HTTP POST than they usually do, or within the last 24 h, user ABC123 attempted to authenticate to 30× more hosts than usual”).
Regarding claim 7: Trost further discloses wherein the groupings establish modal commonality for the one or more cybersecurity events (paragraph 0109: “…classifying the type of the security threat event based on the related activity score and the metadata context score…”).
Regarding claim 8: Trost further discloses wherein the triaging determines commonality of threats among the plurality of inputs (paragraph 0064: “… rather they are designed to provide context that is useful to SOC analysts in the event of an alert that can be correlated (through common attributes and through time) with one or more signals”).
Regarding claim 10: Trost further discloses wherein the triaging confirms a true positive analysis of one or more of the plurality of inputs (paragraph 0049: “Triage system 700 may be implemented by server system 120 (in FIG. 1) and configured to identify true positive alerts and output triage analysis and recommendations for addressing the security threat…”).
Regarding claim 11: Trost further discloses mapping the plurality of inputs from the cybersecurity threat protection applications (paragraph 0068).
Regarding claim 12: Trost further discloses wherein the mapping enables categorization of the groupings (paragraphs 0100-0101).
Regarding claim 13: Trost further discloses wherein the categorization of the groupings modifies the triaging (Ibid).
Regarding claim 14: Trost further discloses wherein the triaging that was modified triggers a modified cybersecurity threat response (Ibid).
Regarding claim 15: Trost further discloses wherein the triaging confirms a true positive cybersecurity threat event (paragraph 0049).
Regarding claim 16: Trost further discloses mapping the metadata associated with the plurality of inputs from the cybersecurity threat protection applications (paragraphs 0100-0101 & 0109).
Regarding claim 17: Trost further discloses wherein the mapping the metadata modifies the triaging (Ibid).
Regarding claim 18: Trost further discloses wherein the accessing, the receiving, the analyzing, the triaging, and the generating are converted to machine learning training data (paragraph 0051: “The results may also be used for new alerting use cases and provided as starting point for machine learning/artificial intelligence training applications”; see also paragraph 0058).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 9 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Trost in view of Lancioni as applied to claim 1 above, and further in view of Hakala (U.S. Patent Publication 2023/0071264).
Regarding claim 9: Neither Trost nor Lancioni explicitly discloses wherein the cybersecurity threat response addresses a zero-day event. However, the ability to detect and mitigate security events including zero-day exploits using machine learning models (see Trost, e.g. paragraphs 0051 & 0058) was known in the art, as evidenced by Hakala (paragraph 0109). It would have been obvious prior to the effective filing date of the instant application for the Trost invention (alone or in combination with Lancioni) to detect a zero-day exploit, given that Trost as disclosed is capable of using machine learning to detect new attacks based on the observed behavior of the network and its difference from established norms. If, in the process of the normal operation of the Trost invention, the machine learning component were to detect a zero-day exploit as suggested by Hakala, then the result would not be innovative but rather a product of ordinary skill and common sense.
Regarding claim 21: Neither Trost nor Lancioni explicitly discloses wherein the accessing, the receiving, the analyzing, the triaging, and the generating are managed by a security orchestration, automation, and response (SOAR) system. However, Hakala discloses a related invention for detecting and mitigating security threats on a computer network where SOAR tools may be combined with the machine learning models used for network triage (Hakala, paragraph 0110). It would have been obvious prior to the effective filing date of the instant application for Trost (alone or in combination with Lancioni) to use a SOAR system as part of his network triage system, as SOAR tools were a known option within the grasp of a person of ordinary skill in the art, to achieve the predictable result of having additional sources of information to detect security events, and to develop mitigation actions in response.
Claims 19 & 20 are rejected under 35 U.S.C. 103 as being unpatentable over Trost in view of Lancioni as applied to claim 18 above, and further in view of Lee (U.S. Patent Publication 2021/0037043).
Regarding claim 19: Although Trost further discloses training a machine learning model using the machine learning training data (paragraphs 0051 & 0058), Trost and Lancioni are silent regarding the machine learning model specifically being a neural network. However, Lee discloses a related invention wherein neural networks are presented as one of several options for implementing a machine learning model to implement network triage (paragraphs 0128 & 0138). It would have been obvious prior to the effective filing date of the instant application for Trost (alone or in combination with Lancioni) to use a neural network as the machine learning model of his invention, as this was clearly an option within the grasp of a person of ordinary skill in the art, to achieve the predictable result of analyzing large volumes of network traffic to detect anomalies that require triage (Lee, Ibid).
Regarding claim 20: The combination further discloses executing the analyzing, the triaging, and the generating on the neural network that was trained (Trost: paragraphs 0051 & 0058; Lee, Ibid).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached at 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
THOMAS A. GYORFI
Examiner
Art Unit 2435
/THOMAS A GYORFI/Examiner, Art Unit 2435 10/3/2025