Prosecution Insights
Last updated: April 19, 2026
Application No. 18/340,371

SECURITY DATA SEARCH ENGINE IN A SECURITY MANAGEMENT SYSTEM

Status: Non-Final OA (§101, §103, §112)
Filed: Jun 23, 2023
Examiner: CHOLLETI, RAGHAVENDER NMN
Art Unit: 2492
Tech Center: 2400 (Computer Networks)
Assignee: Microsoft Technology Licensing, LLC
OA Round: 2 (Non-Final)
Grant Probability: 61% (Moderate)
Expected OA Rounds: 2-3
Time to Grant: 3y 1m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 61% of resolved cases (14 granted / 23 resolved; +2.9% vs TC avg)
Interview Lift: +40.8% for resolved cases with interview (strong lift)
Typical Timeline: 3y 1m average prosecution; 24 currently pending
Career History: 47 total applications across all art units

Statute-Specific Performance (based on career data from 23 resolved cases; Tech Center average is an estimate)

§101: 12.6% (-27.4% vs TC avg)
§103: 63.6% (+23.6% vs TC avg)
§102: 7.5% (-32.5% vs TC avg)
§112: 14.0% (-26.0% vs TC avg)

Office Action

§101 §103 §112
DETAILED ACTION

This communication is in response to application number 18/340,371 filed on 12/29/2025. Claims 1-20 are pending examination.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Examiner inadvertently omitted a rejection of claim 11 under 35 U.S.C. 101 in the previous office action. Accordingly, this office action includes a rejection under 35 U.S.C. 101. Because this ground of rejection is newly raised, this action is made non-final.

Rejections based on 35 U.S.C. § 112(b) or 35 U.S.C. § 112 (pre-AIA), second paragraph: Applicants' arguments regarding claims 1-15 and 18-20 overcoming the claim rejection under 112(b) have been fully considered and are not persuasive. It is unclear what is done after the request is received (claim 1) and what happens after the request is sent (claim 11). Hence, the rejection has been maintained.

Rejections based on 35 U.S.C. § 103: Applicant's arguments with respect to claims 1-6, 8, 10-13, 15-19 and 7, 9, 14, 20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Ross et al. (US 20210342441 A1) discloses a digest-driven two-stage search by (i) maintaining an intermediate, entity-centric security model derived from raw, structured or unstructured data and (ii) running further detection by selectively querying both that model and the underlying raw data. The system receives structured or unstructured raw data input from various sources related to actions of an entity, monitors the raw data input over time, and associates the actions of the entity with particular time periods while determining a detection probability for each time period and providing a trigger indicator of behavior if the detection probability reaches a threshold value, thereby creating a compact, time-indexed entity-behavior representation that functions as a security data digest over the raw telemetry. That digest is then used as the primary surface for later detections and indicators (first stage), with detection logic evaluating entity-level probabilities and trigger conditions before any detailed drill-down into raw events. The system first searches the digest to identify entities and time windows whose detection probability or trigger state indicates data of interest (summary entities), and only after that identification does it rely on the associated raw data segments for deeper inspection, explanation or responsive actions (second stage over scoped raw data tied to those entity/time keys). Thus, Ross teaches the same architectural pattern as the amended claims: an intermediate, digest-like entity model derived from raw, unstructured security data, used as a scoped index for subsequent, more expensive analysis of the raw data.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 11 and 16 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 11 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
According to the published guideline on subject matter eligibility of computer readable media (OG Notice 1351 OG 212, Feb. 23, 2010), the broadest reasonable interpretation of a claim drawn to a non-volatile computer-readable medium (also called machine readable/storage medium and other such variations) typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of computer readable media. See MPEP 2111.01. As such, claim 11 is rejected under 35 U.S.C. § 101 as covering non-statutory subject matter. Applicant's specification in paragraph [0066] does not have an "explicit definition" set forth to exclude the transitory signal embodiment from the scope of the claimed "a computer-storage media". A claim drawn to such a computer-storage media may be amended to narrow the claim to cover only statutory embodiments, and so avoid a rejection under 35 U.S.C. § 101, by adding the limitation "non-transitory" to the claim.

Independent claims

Step 1: Claims 11 and 16 are drawn to a method and therefore fall under one of the four categories of statutory subject matter (process/method, machines/products/apparatus manufactures, and compositions of matter).

Step 2A, Prong 1: Nonetheless, claims 11 and 16 are directed to a judicially recognized exception, an abstract idea, without significantly more. Claims 11 and 16 recite a method of "a request for a security posture of a computing environment" and "receiving a security posture visualization associated with the computing environment", which enumerates a mental concept. This is merely a display, akin to a pen and paper method of a person thinking about a security posture. Claim 16 is similarly a person thinking about security posture and includes a "deploying". Deploying may reasonably be interpreted as storing data, or writing it down using pen and paper, as no technical details of a deployment are claimed. As such, these steps are nothing more than an abstract mental concept (MPEP 2106.04(a)(2)(III)).

Step 2A, Prong 2: Claims 11 and 16 recite the additional steps of "causing display of the security posture visualization comprising the summary entity" and "the security data digest is associated with a two-stage search", which fail to integrate the abstract idea into a practical application. This is simply a visualization comprising an entity, which is a form of information presentation without any specific technological improvement. The two-stage search is merely humans reviewing summaries and deciding what to inspect next, without requiring a particular machine implementation. These additional steps of causing display and performing a search are a form of insignificant extra-solution activity, where a display for the purpose of conveying information is necessary for all uses of the judicial exception. The additional steps fail to integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea (MPEP 2106.05(g)).

Step 2B: The additional steps, being a form of insignificant extra-solution activity, do not amount to significantly more than an abstract idea because the courts have recognized these additional steps to be well-understood, routine, and conventional when claimed in a merely generic manner for a method for thinking about a security posture (see MPEP 2106.05(d)(II)(i)). As such, claims 11 and 16 are not patent eligible.

Dependent claims

Dependent claims 12-14 and 17-20 are ineligible for the same reasons given with respect to claims 11 and 16.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.-The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Regarding claim 1, which recites "receiving a request for the security posture of the computing environment,", it is unclear what the request performs. The request is not used further in the independent or dependent claims. Hence, claim 1 is rejected under 35 U.S.C. 112(b).

Regarding claim 8, which recites "communicating the request for the security posture", it is unclear what the request performs. The request is not used further in the independent or dependent claims. Hence, claim 8 is rejected under 35 U.S.C. 112(b).

Regarding claim 11, which recites "communicating the request for the security posture", it is unclear what the request performs. The request is not used further in the independent or dependent claims. Hence, claim 11 is rejected under 35 U.S.C. 112(b).

Regarding claim 11, the amended claim recites the limitation "the raw data". There is insufficient antecedent basis for this limitation in the claim.

Regarding claim 18, which recites "receiving a request for the security posture of the computing environment;", it is unclear what the request performs. The request is not used further in the independent or dependent claims. Hence, claim 18 is rejected under 35 U.S.C. 112(b).

Additionally, claims 2-7, 9, 10, 12-15, 18-20 are rejected for being dependent on at least one rejected independent claim.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103, which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8, 10-13 and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Noel et al. (US 20170289187 A1), hereinafter referred to as Noel, in view of Ross et al. (US 20210342441 A1), hereinafter referred to as Ross.

As per claim 1, Noel discloses a computerized system comprising:

one or more computer processors; and (One or more of processor 1110, Noel, para [0071])

computer memory storing computer-useable instructions that, when used by the one or more computer processors, cause the one or more computer processors to perform operations, the operations comprising: (Storage 1140 such as RAM, Noel, para [0073])

accessing raw data associated with security posture management of a computing environment; (Receive data from the one or more network sensors and convert the received data to a common format, Noel, claim 1)

based on the raw data, generating a security data digest comprising a plurality of summary entities of the raw data that operate as a scoping-index of the raw data, wherein the security data digest is associated with a two-stage search that includes: (Ingested data 1002 can be parsed so as to provide data to build a multitude of nodes 1004 and relationships 1006, Noel, para [0068], i.e., generating higher-level summary graph entities from raw data)

using the security data digest, generating a security posture visualization associated with the computing environment, wherein the security posture visualization comprises a summary entity of the security data digest; (Ingested data 1002 can be parsed so as to provide data to build a multitude of nodes 1004 and relationships 1006 that will eventually be converted into nodes and edges of a graph database, and the system can synthesize information to create an overall visualization of the security posture, Noel, para [0018] and [0068])

communicating the security posture visualization comprising the summary entity; (The graph model 200 can be ready to be queried by a user of the graph model using a domain-specific query language, Noel, para [0036]. This implies that results are communicated to the users/UI.)

receiving an indication to execute a remediation action associated with the summary entity, wherein the remediation action is associated with the security posture visualization; and (The system can correlate intrusion alerts to known vulnerability paths and suggest best courses of action for responding to attacks, Noel, para [0005])

However, Noel does not explicitly disclose the limitations: a first search over the security data digest to identify summary entities that contain data of interest; and a second search over a scoped sub-portion of the raw data to identify detailed query results; deploying the security data digest associated with generating a security posture of the computing environment; receiving a request for the security posture of the computing environment; executing the remediation action.

Ross discloses:

(i) a first search over the security data digest to identify summary entities that contain data of interest; and (Detecting malicious entity behavior and providing accurate indicator of behaviors indicating occurrence of malicious behavior. Data input as to the entity behavior is received and monitored from different sources. The entity behavior is monitored over time at time periods. Detection probability is determined at each time period, Ross, Abstract. This implies building a compact, time-indexed entity model (a digest) summarizing behavior. Searching or querying this entity model to determine whether detection probability exceeds a threshold is a first search over the digest to identify entities whose state indicates potentially malicious behavior.)

(ii) a second search over a scoped sub-portion of the raw data to identify detailed query results; (Receives structured or unstructured raw data input from various sources related to actions of an entity, Ross, para [0005]. Querying raw data and writing observables, Ross, para [0046]. The first method maintains an entity-centric digest (detection probability, trigger indicator, entity state) and also retains structured or unstructured raw data and drills down from suspicious entities or time windows (identified in the digest) into the corresponding raw events for detailed inspection. This drill-down is a second, scoped search over the subset of raw data associated with the triggered entity/time period, producing detailed query results.)

deploying the security data digest associated with generating a security posture of the computing environment; (The progressive trigger framework system 122 includes a primary analysis engine 124. The primary analysis engine 124 can be configured to receive structured or unstructured data input (i.e., raw data) from various sources, Ross, para [0045]. The system ingests structured or unstructured raw data and transforms it into higher-level quantities such as detection probability per time period and a trigger indicator of behavior. Those quantities are effectively a security data digest (a summarized, model-based representation of entity behavior) that is deployed in the computing environment to detect malicious entity behavior and provide an accurate indicator of behavior, which functions as a security posture indicator for entities.)

receiving a request for the security posture of the computing environment; (Device 202 may request a particular service, Ross, para [0096]. An accurate indicator of behaviors indicating occurrence of malicious behavior is effectively a security posture indicator for each entity in the computing environment.)

executing the remediation action (Breaking or disrupting an opponent's kill chain is a method of defense or preemptive action, Ross, para [0256])

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]).
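To make the first-stage/second-stage split that the claim 1 mapping (and the characterization of Ross above) turns on concrete, here is an added Python example; it is not code from the application, from Noel, or from Ross. It builds a per-entity, per-time-window digest over constructed JSON-lines telemetry, lets each summary entity double as a scoping index into the raw store, selects summary entities whose detection probability reaches a trigger threshold (stage 1), and runs a detailed query only over the raw events those entities index (stage 2). The event data, the scoring heuristic, the window size, the threshold and the detailed query are all assumptions for illustration.

```python
import json
from dataclasses import dataclass, field

# Constructed raw security telemetry (JSON lines), time-ordered; not real data.
RAW_EVENTS_JSONL = """
{"ts": 1700000000, "entity": "alice", "src": "10.0.0.5", "action": "login_failure"}
{"ts": 1700000030, "entity": "alice", "src": "10.0.0.5", "action": "login_failure"}
{"ts": 1700000060, "entity": "alice", "src": "10.0.0.5", "action": "login_failure"}
{"ts": 1700000090, "entity": "alice", "src": "10.0.0.5", "action": "login_failure"}
{"ts": 1700000120, "entity": "alice", "src": "10.0.0.5", "action": "login_success"}
{"ts": 1700000150, "entity": "alice", "src": "10.0.0.5", "action": "db_query"}
{"ts": 1700000200, "entity": "bob", "src": "10.0.0.7", "action": "login_success"}
{"ts": 1700003700, "entity": "alice", "src": "10.0.0.9", "action": "login_success"}
{"ts": 1700003800, "entity": "carol", "src": "10.0.0.8", "action": "login_failure"}
{"ts": 1700003900, "entity": "carol", "src": "10.0.0.8", "action": "login_success"}
"""

WINDOW_SECONDS = 3600     # assumed digest time period
TRIGGER_THRESHOLD = 0.5   # assumed detection-probability trigger


@dataclass
class SummaryEntity:
    """One digest entry: an entity in one time window plus its scoping index."""
    entity: str
    window_start: int
    failed_logins: int = 0
    distinct_sources: set = field(default_factory=set)
    raw_indices: list = field(default_factory=list)  # positions in the raw store

    @property
    def detection_probability(self) -> float:
        # Constructed heuristic: repeated failures and source spread raise the score.
        score = 0.15 * self.failed_logins + 0.1 * (len(self.distinct_sources) - 1)
        return min(1.0, score)

    @property
    def triggered(self) -> bool:
        return self.detection_probability >= TRIGGER_THRESHOLD


def load_raw_events(jsonl: str) -> list:
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def build_digest(raw_events: list) -> dict:
    """Aggregate raw events into summary entities keyed by (entity, window)."""
    digest = {}
    for idx, ev in enumerate(raw_events):
        window_start = ev["ts"] - (ev["ts"] % WINDOW_SECONDS)
        key = (ev["entity"], window_start)
        se = digest.get(key)
        if se is None:
            se = digest[key] = SummaryEntity(ev["entity"], window_start)
        if ev["action"] == "login_failure":
            se.failed_logins += 1
        se.distinct_sources.add(ev["src"])
        se.raw_indices.append(idx)  # the digest doubles as a scoping index
    return digest


def first_stage_search(digest: dict) -> list:
    """Stage 1: touch only the digest; pick summary entities whose trigger fired."""
    return [se for se in digest.values() if se.triggered]


def second_stage_search(raw_events: list, selected: list) -> tuple:
    """Stage 2: detailed query over only the raw events indexed by stage 1.

    Assumed detailed query: a login_success from a source that already failed in
    the window, followed by any db_query. Returns (hits, raw events scanned)."""
    hits, scanned = [], 0
    for se in selected:
        scoped = [raw_events[i] for i in se.raw_indices]  # scoped sub-portion
        scanned += len(scoped)
        failed_sources, success_after_failure = set(), False
        for ev in scoped:
            if ev["action"] == "login_failure":
                failed_sources.add(ev["src"])
            elif ev["action"] == "login_success" and ev["src"] in failed_sources:
                success_after_failure = True
            elif ev["action"] == "db_query" and success_after_failure:
                hits.append(ev)
    return hits, scanned


def two_stage_search(jsonl: str = RAW_EVENTS_JSONL) -> dict:
    """Build the digest, search it, then search only the scoped raw sub-portion."""
    raw = load_raw_events(jsonl)
    digest = build_digest(raw)
    selected = first_stage_search(digest)
    hits, scanned = second_stage_search(raw, selected)
    return {"digest_size": len(digest),
            "selected": sorted((se.entity, se.window_start) for se in selected),
            "hits": hits, "raw_scanned": scanned, "raw_total": len(raw)}
```

The returned `raw_scanned` versus `raw_total` shows the point of the scoping index: the expensive detailed query runs over 6 of the 10 raw events, the ones tied to the single triggered entity/time key.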
As per claim 2, Noel and Ross disclose the system of claim 1. Furthermore, Noel discloses: causing display of the security posture visualization comprising the summary entity (The system can synthesize information from multiple sources to create an overall visualization of the security posture, Noel, para [0018]).

As per claim 3, Noel and Ross disclose the system of claim 1. Furthermore, Ross discloses: generating the security data digest is based on an aggregation function comprising two or more key summary entities associated with identifying a sub-portion of the raw data for executing security queries, wherein the security data digest is stored in a data exploration service and the raw data is stored as unstructured data in an unstructured data storage (Querying raw data and writing summary data. Structured or unstructured data input (i.e., raw data) from various sources, Ross, para [0045] and [0046]. This step of querying the raw data and writing summary data describes an aggregation function that transforms raw security telemetry into summary entities tied to specific entities and time windows. The model keeps raw data as structured or unstructured raw data input from various sources while separately maintaining summary data, observables and entity state.) A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]).

As per claim 4, Noel and Ross disclose the system of claim 1. Furthermore, Noel discloses: generating the security data digest comprises using a security data digest model to generate the plurality of summary entities, the plurality of summary entities are generated based on a plurality of summary entity types associated with known security queries of security investigations (The system can correlate intrusion alerts to known vulnerability paths and suggest best courses of action for responding to attacks for maintaining mission readiness. The ingested data is parsed so as to provide data to build a multitude of nodes and relationships. Queries can be executed against the graph database model to investigate security incidents, Noel, para [0005], [0066]-[0070]).

As per claim 5, Noel and Ross disclose the system of claim 1. Furthermore, Ross discloses: a security data digest model update engine associated with periodically updating the plurality of summary entities, wherein the security data digest model update engine comprises update summary entity types associated with executed search queries and query results on the security data digest and the raw data (Monitoring the raw data input over time and associating the actions of the entity to particular time periods, Ross, para [0007], and computing detection probability at each time period, then repeatedly querying the raw data and writing observables, writing summary data, writing detection results, Ross, para [0046]. This continuous monitoring and re-writing of observables, summaries and entity state embodies a security data digest model update engine that periodically updates the plurality of summary entities based on executed queries and their results on both raw and summary layers.) A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]).

As per claim 6, Noel and Ross disclose the system of claim 1, wherein generating the security posture visualization comprises: generating a first query result for the security query, wherein the first query result comprises the summary entity; and (The database login (after stealing the password) is essentially indistinguishable from a benign login, and thus has no associated vulnerability or alert, Noel, para [0048]. This is a query result from which the analyst might suspect that these are potentially multiple attack steps by the same threat actor.) using the first query result, generating the security posture visualization (System 1000 can synthesize information from disparate and varied sources to create an overall visualization of the security posture, Noel, para [0018]). However, Noel does not explicitly disclose the limitations: accessing a security query associated with the security data digest; executing the security query using the security data digest. Ross discloses: accessing a security query associated with the security data digest; (The primary analysis engine 124 can also be configured to send signals (dynamic risk signals) as to dynamic actions, dynamic data protection, dynamic user protection, etc. back to the data source (e.g., sending endpoint), Ross, para [0046]) executing the security query using the security data digest; (Processed data from the primary analysis engine 124 is communicated to data stores, which can include storage system 106, Ross, para [0047]). A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]).

As per claim 8, Noel and Ross disclose the system of claim 1, the operations further comprising: based on the request, receiving the security posture visualization associated with the computing environment, wherein the security posture visualization comprises the summary entity that is associated with the security data digest; and causing display of the security posture visualization comprising the summary entity (Ingested data 1002 can be parsed so as to provide data to build a multitude of nodes 1004 and relationships 1006 that will eventually be converted into nodes and edges of a graph database, and the system can synthesize information to create an overall visualization of the security posture, Noel, para [0018] and [0068]). Furthermore, Ross discloses: communicating the request for the security posture of the computing environment; (Device 202 may request a particular service, Ross, para [0096]. An accurate indicator of behaviors indicating occurrence of malicious behavior is effectively a security posture indicator for each entity in the computing environment.) A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]).

As per claim 10, Noel and Ross disclose the system of claim 1. Furthermore, Noel discloses: the security posture visualization comprises an alert associated with the summary entity, wherein the alert is associated with a prioritization identifier and the remediation action, wherein the prioritization identifier is based on the summary entity and the remediation action is executable to address a security threat associated with the alert (The cyber threats layer 204 can also include an alert node 204c. Alert node 204c can include information gathered in real-time about the state of a network, such as the type of data gathered by Splunk discussed above. Using Splunk as an example, when Splunk identifies a suspicious pattern of behavior within a network, it can generate an alert that can be represented by an alert node 204c. The pattern of behavior that generated alert 204c can be represented by an edge 204c of the graph model 200 that can contain information related to the pattern that would trigger an alert 204c. The edge 204c can connect nodes 204a and 204c such that the relationship between a particular alert as discovered by data sources such as Splunk can be related back to known cyber-threats as detailed in a classification of cyber-threats, such as CAPEC, Noel, para [0032]).
As per claim 11, Noel discloses one or more computer-storage media having computer-executable instructions embodied thereon that, when executed by a computing system having a processor and memory, cause the processor to perform operations, the operations comprising: based on the request, receiving a security posture visualization associated with the computing environment, wherein the security posture visualization comprises a summary entity of a security data digest, wherein the security data digest is associated with a two-stage search that includes: (Ingested data 1002 can be parsed so as to provide data to build a multitude of nodes 1004 and relationships 1006 that will eventually be converted into nodes and edges of a graph database and system can synthesize information to create an overall visualization of the security posture, Noel, para [0018] and [0068]). causing display of the security posture visualization comprising the summary entity (The system can synthesize information from multiple sources to create an overall visualization of the security posture, Noel, para [0018]). However, Noel does not explicitly disclose the limitation: communicating a request for a security posture of a computing environment; (i) a first search over the security data digest to identify summary entities that contain data of interest; and (ii) a second search over a scoped sub-portion of the raw data to identify detailed query results; and Ross discloses: communicating a request for a security posture of a computing environment; (Device 202 may request a particular service, Ross, para [0096]. 
Accurate indicator of behaviors indicating occurrence of malicious behavior is effectively a security posture indicator for each entity in the computing environment) (i) a first search over the security data digest to identify summary entities that contain data of interest; and (Detecting malicious entity behavior and providing accurate indicator of behaviors indicating occurrence of malicious behavior. Data input as to the entity behavior is received and monitored from different sources. The entity behavior is monitored over time at time periods. Detection probability is determined at each time period, Ross, Abstract. This implies building a compact, time-indexed entity model (a digest) summarizing behavior. Searching or querying this entity model to determine whether detection probability exceeds a threshold is a first search over the digest to identify entities whose state indicates potentially malicious behavior) (ii) a second search over a scoped sub-portion of the raw data to identify detailed query results; and (Receives structured or unstructured raw data input from various sources related to actions of an entity, Ross, para [0005]. Querying raw data and writing observables, Ross, para [0046]. The first method maintains an entity-centric digest (detection probability, trigger indicator, entity state) and also retains structured or unstructured raw data and drills down from suspicious entities or time windows (identified in the digest) into the corresponding raw events for detailed inspection. This drill down is a second, scoped search over the subset of raw data associated with the triggered entity/ time period, producing detailed query results). A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]). As per claim 12, Noel and Ross discloses the media of claim 11, the operations further comprising: accessing raw data associated with security posture management of the computing environment; (Receive data from the one or more network sensors and convert the received data to a common format, Noel, claim 1) based on the raw data, generating the security data digest comprising a plurality of summary entities of the raw data that operate as a scoping-index of the raw data; and (Ingested data 1002 can be parsed so as to provide data to build a multitude of nodes 1004 and relationships 1006, Noel, para [0068]. Generating higher-level summary graph entities from raw data). Furthermore, Ross discloses: deploying the security data digest to support generating the security posture of the computing environment (The progressive trigger framework system 122 to include a primary analysis engine 124. The primary analysis engine 124 can be configured to receive structured or unstructured data input (i.e., raw data) from various sources, Ross, para [0045]. The system ingests structured or unstructured raw data and transforms it into higher-level quantities such as detection probability per time period and a trigger indicator of behavior. Those quantities are effectively a security data digest (a summarized, model-based representation of entity behavior) that is deployed in the computing environment to detect malicious entity behavior and provide accurate indicator of behavior which functions as a security posture indicator for entities) . A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]). As per claim 13, Noel and Ross disclose the media of claim 11, the operations further comprising: generating a first query result for security, wherein the first query result comprises the summary entity; and (The database login (after stealing the password) is essentially indistinguishable from a benign login, and thus has no associated vulnerability or alert, Noel, para [0048]. This is a query result the analyst might suspect that these are potentially multiple attack steps by the same threat actor) using the first query result, generating the security posture visualization (System 1000 can synthesize information from disparate and varied sources to create an overall visualization of the security posture, Noel, para [0018]). Furthermore, Ross discloses: accessing a security query associated with the security data digest; (The primary analysis engine 124 can also be configured to send signals (dynamic risk signals) as to dynamic actions, dynamic data protection, dynamic user protection, etc. back to the data source (e.g., sending endpoint), Ross, para [0046]) executing the security query using the security data digest; (Processed data from the primary analysis engine 124 is communicated to a data stores, that can include storage system 106, Ross, para [0047]). A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]). 
As per claim 15, Noel and Ross disclose the media of claim 11, the operations further comprising: Furthermore, Noel discloses: receiving an indication to execute a remediation action associated with the summary entity, wherein the remediation action is associated with the security posture visualization; and (The system can correlate intrusion alerts to known vulnerability paths and suggest best courses of action for responding to attacks, Noel, para [0005]) communicating the indication to execute the remediation action to cause execution of the remediation action (The graph model 200 can be ready to be queried by a user of the graph model using a domain-specific query language, Noel, para [0036]. This implies that results are communicated to the users/UI).

As per claim 16, Noel discloses a computer-implemented method, the method comprising: accessing raw data associated with security posture management of a computing environment; (Receive data from the one or more network sensors and convert the received data to a common format, Noel, claim 1) based on the raw data, generating a security data digest comprising a plurality of summary entities of the raw data that operate as a scoping-index of the raw data, wherein the security data digest is associated with a two-stage search that includes: (Ingested data 1002 can be parsed so as to provide data to build a multitude of nodes 1004 and relationships 1006, Noel, para [0068]. Generating higher-level summary graph entities from raw data).

However, Noel does not explicitly disclose the limitation: (i) a first search over the security data digest to identify summary entities that contain data of interest; and (ii) a second search over a scoped sub-portion of the raw data to identify detailed query results; and deploying the security data digest associated with generating a security posture of the computing environment.

Ross discloses: (i) a first search over the security data digest to identify summary entities that contain data of interest; and (Detecting malicious entity behavior and providing accurate indicator of behaviors indicating occurrence of malicious behavior. Data input as to the entity behavior is received and monitored from different sources. The entity behavior is monitored over time at time periods. Detection probability is determined at each time period, Ross, Abstract. This implies building a compact, time-indexed entity model (a digest) summarizing behavior. Searching or querying this entity model to determine whether detection probability exceeds a threshold is a first search over the digest to identify entities whose state indicates potentially malicious behavior) (ii) a second search over a scoped sub-portion of the raw data to identify detailed query results; and (Receives structured or unstructured raw data input from various sources related to actions of an entity, Ross, para [0005]. Querying raw data and writing observables, Ross, para [0046]. The first method maintains an entity-centric digest (detection probability, trigger indicator, entity state) and also retains structured or unstructured raw data and drills down from suspicious entities or time windows (identified in the digest) into the corresponding raw events for detailed inspection. This drill down is a second, scoped search over the subset of raw data associated with the triggered entity/time period, producing detailed query results) deploying the security data digest associated with generating a security posture of the computing environment (The progressive trigger framework system 122 to include a primary analysis engine 124. The primary analysis engine 124 can be configured to receive structured or unstructured data input (i.e., raw data) from various sources, Ross, para [0045]. The system ingests structured or unstructured raw data and transforms it into higher-level quantities such as detection probability per time period and a trigger indicator of behavior. Those quantities are effectively a security data digest (a summarized, model-based representation of entity behavior) that is deployed in the computing environment to detect malicious entity behavior and provide an accurate indicator of behavior which functions as a security posture indicator for entities).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]).

As per claim 17, Noel and Ross disclose the method of claim 16, wherein Furthermore, Noel discloses: generating the security data digest comprises using a security data digest model to generate the plurality of summary entities, the plurality of summary entities are generated based on a plurality of summary entity types associated with security queries of known security investigations (The system can correlate intrusion alerts to known vulnerability paths and suggest best courses of action for responding to attacks for maintaining mission readiness. The ingested data parsed so as to provide data to build a multitude of nodes and relationships. Queries can be executed against the graph database model to investigate security incidents, Noel, para [0005], [0066] - [0070]).
As per claim 18, Noel and Ross disclose the method of claim 16, further comprising: using the security data digest, generating a security posture visualization associated with the computing environment, wherein the security posture visualization comprises a summary entity of the security data digest; and (Ingested data 1002 can be parsed so as to provide data to build a multitude of nodes 1004 and relationships 1006 that will eventually be converted into nodes and edges of a graph database and system can synthesize information to create an overall visualization of the security posture, Noel, para [0018] and [0068]) communicating the security posture visualization to cause display of the security posture visualization comprising the summary entity (The graph model 200 can be ready to be queried by a user of the graph model using a domain-specific query language, Noel, para [0036]. This implies that results are communicated to the users/UI).

Furthermore, Ross discloses: receiving a request for the security posture of the computing environment; (Device 202 may request a particular service, Ross, para [0096]. Accurate indicator of behaviors indicating occurrence of malicious behavior is effectively a security posture indicator for each entity in the computing environment).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]).

As per claim 19, Noel and Ross disclose the method of claim 18, wherein generating the security posture visualization comprises: generating a first query result for security, wherein the first query result comprises the summary entity; and (The database login (after stealing the password) is essentially indistinguishable from a benign login, and thus has no associated vulnerability or alert, Noel, para [0048]. This is a query result; the analyst might suspect that these are potentially multiple attack steps by the same threat actor) using the first query result, generating the security posture visualization (System 1000 can synthesize information from disparate and varied sources to create an overall visualization of the security posture, Noel, para [0018]).

Furthermore, Ross discloses: accessing a security query associated with the security data digest; (The primary analysis engine 124 can also be configured to send signals (dynamic risk signals) as to dynamic actions, dynamic data protection, dynamic user protection, etc. back to the data source (e.g., sending endpoint), Ross, para [0046]) executing the security query using the security data digest; (Processed data from the primary analysis engine 124 is communicated to a data stores, that can include storage system 106, Ross, para [0047]).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]).

Claims 7, 9, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Noel et al. (US 20170289187 A1), hereinafter referred to as Noel, in view of Ross et al. (US 20210342441 A1), hereinafter referred to as Ross, in further view of Trost et al. (US 10902114 B1), hereinafter referred to as Trost.

As per claim 7, Noel and Ross disclose the system of claim 1, wherein generating the security posture visualization comprises: generating a first query result for security; (Queries are inputted into the system and results are outputted, Noel, para [0057]).

Furthermore, Ross discloses: accessing a security query associated with the security data digest; (The primary analysis engine 124 can also be configured to send signals (dynamic risk signals) as to dynamic actions, dynamic data protection, dynamic user protection, etc. back to the data source (e.g., sending endpoint), Ross, para [0046]) executing the security query using the security data digest; (Processed data from the primary analysis engine 124 is communicated to a data stores, that can include storage system 106, Ross, para [0047]).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]).
However, Noel in view of Ross does not explicitly disclose the limitations: based on the first query result, determining to execute the security query using the raw data; using the security query, the security data digest, and the first query result, identifying a sub-portion of the raw data for executing the security query; using the sub-portion of the raw data, generating a second query result for the security query; and using the second query result, generating the security posture visualization.

Trost discloses: based on the first query result, determining to execute the security query using the raw data; (Determine a degree of overlap between the first and second subsets, Trost, col 14, lines 45-46. This is similar to using the first result to decide whether and where to run a deeper data query) using the security query, the security data digest, and the first query result, identifying a sub-portion of the raw data for executing the security query; (Executing a query for additional indicators of compromise based on the overlap, Trost, col 14, lines 51-58) using the sub-portion of the raw data, generating a second query result for the security query; and (Identifying common indicators of compromise in the first and second subset data, Trost, col 14, lines 47-50) using the second query result, generating the security posture visualization (The investigations platform can be configured to display data in layers, Trost, col 15, lines 25-29).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel and Ross with Trost by analyzing cyber-attacks (Noel) and progressive trigger data and detection model (Ross) with the detection, aggregation, and integration of cybersecurity threats (Trost). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel and Ross with Trost in order to effectively evaluate information based on defined scores to display threats and risks to users (See Trost, col 15, lines 25-29).

As per claim 9, Noel and Ross disclose the system of claim 1, wherein However, Noel in view of Ross does not explicitly disclose the limitations: the security posture visualization is associated with a first query result generated using the security data digest and a second query result generated using the security data digest and an identified sub-portion of the raw data.

Trost discloses: the security posture visualization is associated with a first query result generated using the security data digest and a second query result generated using the security data digest and an identified sub-portion of the raw data (Exporting a first subset of the formatted threat intelligence information, Trost, col 14, lines 38-40, determining a degree of overlap between the first and second subsets, Trost, col 14, lines 45-46, calculating a graphical side-by-side comparison, Trost, col 14, lines 51-52).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel and Ross with Trost by analyzing cyber-attacks (Noel) and progressive trigger data and detection model (Ross) with the detection, aggregation, and integration of cybersecurity threats (Trost). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel and Ross with Trost in order to effectively evaluate information based on defined scores to display threats and risks to users (See Trost, col 15, lines 25-29).
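The two-stage search recited in claim 16 (a first search over a digest of summary entities that act as a scoping-index, then a second search over only the scoped sub-portion of the raw data) and the decision step recited in claims 7, 9, 14 and 20 (using the first query result to decide whether and where to run the raw-data query) can be illustrated with a small working model. The following Python block is an added illustration written for this page; it is not code from the application, from Microsoft, or from the Noel, Ross or Trost references, and the event records, the window size of 300 time units, and the "failed logins" summary field are constructed assumptions chosen only to make the mechanics visible.

```python
"""Added illustration: digest-driven two-stage search over raw security events.

Stage 0 builds a digest of summary entities (one per entity and time window), each
carrying a scoping index of the raw event ids it summarises. Stage 1 searches only
the digest. Stage 2 runs only if stage 1 found something, and only over the raw
events that the matching summary entities point to.
"""
from dataclasses import dataclass, field

# Constructed sample raw events (assumption: not taken from the application or any cited reference).
RAW_EVENTS = [
    {"id": 1, "entity": "host-a", "time": 10,  "type": "login",    "user": "alice", "result": "ok"},
    {"id": 2, "entity": "host-b", "time": 50,  "type": "login",    "user": "bob",   "result": "fail"},
    {"id": 3, "entity": "host-b", "time": 70,  "type": "login",    "user": "bob",   "result": "fail"},
    {"id": 4, "entity": "host-b", "time": 90,  "type": "login",    "user": "bob",   "result": "fail"},
    {"id": 5, "entity": "host-b", "time": 120, "type": "login",    "user": "bob",   "result": "ok"},
    {"id": 6, "entity": "host-b", "time": 150, "type": "db_query", "user": "bob",   "result": "ok"},
    {"id": 7, "entity": "host-c", "time": 310, "type": "login",    "user": "carol", "result": "fail"},
    {"id": 8, "entity": "host-c", "time": 400, "type": "login",    "user": "carol", "result": "ok"},
]


@dataclass
class SummaryEntity:
    """One digest entry: an entity within one time window, plus the ids of the raw events it covers."""
    entity: str
    window: int
    event_types: set = field(default_factory=set)
    users: set = field(default_factory=set)
    failed_logins: int = 0
    event_ids: list = field(default_factory=list)   # the scoping index into the raw data


def build_digest(events, window_size=300):
    """Stage 0: summarise raw events into (entity, window) summary entities."""
    digest = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["entity"], ev["time"] // window_size)
        se = digest.setdefault(key, SummaryEntity(entity=key[0], window=key[1]))
        se.event_types.add(ev["type"])
        se.users.add(ev["user"])
        if ev["type"] == "login" and ev["result"] == "fail":
            se.failed_logins += 1
        se.event_ids.append(ev["id"])
    return digest


def first_search(digest, predicate):
    """Stage 1: evaluate the query against the digest only; returns the summary entities of interest."""
    return [se for se in digest.values() if predicate(se)]


def scope_raw(events, summaries):
    """Use the scoping index of the stage-1 hits to select the sub-portion of raw data."""
    wanted = {eid for se in summaries for eid in se.event_ids}
    return [ev for ev in events if ev["id"] in wanted]


def success_after_failures(scoped_events):
    """Stage 2 query: successful logins by a user who already failed earlier within the scoped data."""
    failures = {}
    hits = []
    for ev in sorted(scoped_events, key=lambda e: e["time"]):
        if ev["type"] != "login":
            continue
        if ev["result"] == "fail":
            failures[ev["user"]] = failures.get(ev["user"], 0) + 1
        elif failures.get(ev["user"], 0) > 0:
            hits.append(ev)
    return hits


def two_stage_search(events, digest, digest_predicate, raw_query):
    """Returns (first_result, second_result, raw_events_scanned).

    The first result decides whether the raw-data stage runs at all and which
    raw events it may touch; an empty first result means no raw data is scanned.
    """
    first = first_search(digest, digest_predicate)
    if not first:
        return first, [], 0
    scoped = scope_raw(events, first)
    return first, raw_query(scoped), len(scoped)


if __name__ == "__main__":
    digest = build_digest(RAW_EVENTS)
    first, second, scanned = two_stage_search(
        RAW_EVENTS, digest, lambda se: se.failed_logins >= 3, success_after_failures)
    print("stage 1 hits:", [(se.entity, se.window, se.failed_logins) for se in first])
    print("stage 2 hits:", [ev["id"] for ev in second],
          f"(scanned {scanned} of {len(RAW_EVENTS)} raw events)")
```

With the constructed input, stage 1 returns only the host-b summary entity (three failed logins in window 0), stage 2 scans the five host-b events instead of all eight and returns the successful login that followed the failures, and a digest predicate that matches nothing causes the raw data to be skipped entirely. The same structure is what makes a digest useful as a scoping-index: the cost of the detailed search is bounded by the size of the summary entities that matched, not by the size of the raw store.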
As per claim 14, Noel and Ross disclose the media of claim 11, the operations further comprising: generating a first query result for security; (Queries are inputted into the system and results are outputted, Noel, para [0057]).

Furthermore, Ross discloses: accessing a security query associated with the security data digest; (The primary analysis engine 124 can also be configured to send signals (dynamic risk signals) as to dynamic actions, dynamic data protection, dynamic user protection, etc. back to the data source (e.g., sending endpoint), Ross, para [0046]) executing the security query using the security data digest; (Processed data from the primary analysis engine 124 is communicated to a data stores, that can include storage system 106, Ross, para [0047]).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]).

However, Noel does not explicitly disclose the limitations: based on the first query result, determining to execute the security query using the raw data; (Determine a degree of overlap between the first and second subsets, Trost, col 14, lines 45-46. This is similar to using the first result to decide whether and where to run a deeper data query) using the security query, the security data digest, and the first query result, identifying a sub-portion of the raw data for executing the security query; (Executing a query for additional indicators of compromise based on the overlap, Trost, col 14, lines 51-58) using the sub-portion of the raw data, generating a second query result for the security query; and (Identifying common indicators of compromise in the first and second subset data, Trost, col 14, lines 47-50) using the second query result, generating the security posture visualization (The investigations platform can be configured to display data in layers, Trost, col 15, lines 25-29).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel and Ross with Trost by analyzing cyber-attacks (Noel) and progressive trigger data and detection model (Ross) with the detection, aggregation, and integration of cybersecurity threats (Trost). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel and Ross with Trost in order to effectively evaluate information based on defined scores to display threats and risks to users (See Trost, col 15, lines 25-29).

As per claim 20, Noel and Ross disclose the method of claim 18, wherein generating the security posture visualization comprises: generating a first query result for security; (Queries are inputted into the system and results are outputted, Noel, para [0057]).

Furthermore, Ross discloses: accessing a security query associated with the security data digest; (The primary analysis engine 124 can also be configured to send signals (dynamic risk signals) as to dynamic actions, dynamic data protection, dynamic user protection, etc. back to the data source (e.g., sending endpoint), Ross, para [0046]) executing the security query using the security data digest; (Processed data from the primary analysis engine 124 is communicated to a data stores, that can include storage system 106, Ross, para [0047]).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel with Ross by analyzing cyber-attacks and progressive trigger data and detection model (Ross). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel with Ross in order to effectively identify and mitigate risks (See Ross, para [0096]).

However, Noel in view of Ross does not explicitly disclose the limitations: based on the first query result, determining to execute the security query using the raw data; using the security query, the security data digest, and the first query result, identifying a sub-portion of the raw data for executing the security query; using the sub-portion of the raw data, generating a second query result for the security query; and using the second query result, generating the security posture visualization.

Trost discloses: based on the first query result, determining to execute the security query using the raw data; (Determine a degree of overlap between the first and second subsets, Trost, col 14, lines 45-46. This is similar to using the first result to decide whether and where to run a deeper data query) using the security query, the security data digest, and the first query result, identifying a sub-portion of the raw data for executing the security query; (Executing a query for additional indicators of compromise based on the overlap, Trost, col 14, lines 51-58) using the sub-portion of the raw data, generating a second query result for the security query; and (Identifying common indicators of compromise in the first and second subset data, Trost, col 14, lines 47-50) using the second query result, generating the security posture visualization (The investigations platform can be configured to display data in layers, Trost, col 15, lines 25-29).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Noel and Ross with Trost by analyzing cyber-attacks (Noel) and progressive trigger data and detection model (Ross) with the detection, aggregation, and integration of cybersecurity threats (Trost). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Noel and Ross with Trost in order to effectively evaluate information based on defined scores to display threats and risks to users (See Trost, col 15, lines 25-29).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAGHAVENDER CHOLLETI whose telephone number is (703) 756-1065. The examiner can normally be reached M-F 9am-5pm ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, RUPAL DHARIA, can be reached on (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Respectfully submitted,

/RAGHAVENDER NMN CHOLLETI/
Examiner, Art Unit 2492

/RUPAL DHARIA/
Supervisory Patent Examiner, Art Unit 2492

Prosecution Timeline

Jun 23, 2023
Application Filed
Sep 16, 2025
Non-Final Rejection — §101, §103, §112
Oct 14, 2025
Applicant Interview (Telephonic)
Oct 14, 2025
Examiner Interview Summary
Dec 29, 2025
Response Filed
Mar 05, 2026
Non-Final Rejection — §101, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603878
ELECTRONIC DEVICE AND METHOD FOR CONTROLLING VEHICLE BASED ON DRIVER AUTHENTICATION
2y 5m to grant Granted Apr 14, 2026
Patent 12591686
SCALABLE SOURCE CODE VULNERABILITY REMEDIATION
2y 5m to grant Granted Mar 31, 2026
Patent 12591687
METHOD AND SYSTEM FOR FACILITATING APPLICATION VULNERABILITY DRIFT ANALYTICS
2y 5m to grant Granted Mar 31, 2026
Patent 12585762
METHOD AND SYSTEM FOR DETECTING ANOMALOUS BEHAVIOR IN STREAM DATA
2y 5m to grant Granted Mar 24, 2026
Patent 12541617
REDUCING RESOURCE CONSUMPTION FOR CROSS-TENANT KERNEL SERVICES
2y 5m to grant Granted Feb 03, 2026


Prosecution Projections

2-3
Expected OA Rounds
61%
Grant Probability
99%
With Interview (+40.8%)
3y 1m
Median Time to Grant
Moderate
PTA Risk
Based on 23 resolved cases by this examiner. Grant probability derived from career allow rate.
