SECURITY ORCHESTRATION, AUTOMATION, AND RESPONSE (SOAR) PLAYBOOK GENERATION

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION This final action is responsive to amendment filed on 02/04/2026. In this amendment, claims 1, 4, 14 and 17 have been amended, claims 7 and 20 have been canceled and claims 21 and 22 have been added. Claims 1-6, 8-19, 21 and 22 are pending, with claims 1, 9 and 14 being independent. Response to Arguments Applicant’s arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 2, 14 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Narula et al. (US 2021/0306352, published Sep. 30, 2021), May (US 12,101,231, published Sep.24,2024) and Saxena et al. (US 2023/0140918, published May 11, 2023). As per claim 1, Narula discloses a computer-implemented method (Narula Fig. 4D), comprising: receiving an incident occurring in a system (Narula par. 43, recommendation sequence generating engine 216 is responsible for generating a recommended sequence of one or more actions in response to an incident observed by the SOAR platform that is similar in nature to another previously observed incident or an incident of a particular class or type); providing the incident to a network to select a security orchestration, automation, and response (SOAR) playbook from among a plurality of SOAR playbooks to address the incident (Narula par. 43, recommendation sequence generating engine 216 is responsible for generating a recommended sequence of one or more actions in response to an incident observed by the SOAR platform that is similar in nature to another previously observed incident or an incident of a particular class or type; Narula par. 32, The recommended sequence is stored in form of a playbook), wherein each of the plurality of SOAR playbooks comprises a plurality of incident response actions (Narula par. 32, The recommended sequence is stored in form of a playbook); and automatically executing the selected SOAR playbook (Narula par. 67, the analyst has accepted the recommended flow, as such the complete flow is run as an automated flow). Narula does not explicitly disclose: providing the incident to a neural network trained to select a playbook; wherein the incident comprises an incident type selected from at least one of a system error or component misconfiguration. May teaches: providing the incident to a neural network trained to select a playbook (May Fig. 3, Apply Playbook Machine Learning Model to the Occurrence Vector to Yield the Most Likely Playbooks for the Series of Occurrences 308). It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Narula with the teaching of May in order to incorporate the neural network trained to select a playbook. One of ordinary skilled in the art would have been motivated because it offers the advantage of automating network incident management. Narula-May does not explicitly disclose: wherein the incident comprises an incident type selected from at least one of a system error or component misconfiguration. Saxena teaches: the incident comprises an incident type selected from at least one of a system error (Saxena par. 28, The term "incident response," as used herein, refers to actions taken in response to incidents or events that may occur during system operation such as security incidents (e.g. security breaches, unauthorized /malicious actions, etc.) , performance incidents (e.g. suboptimal performance relative to some predefined metrics), failures (software and/or hardware), bugs (e.g. errors affecting system operation)) or component misconfiguration. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Narula with the teaching of May for wherein the incident comprises an incident type selected from at least one of a system error or component misconfiguration. One of ordinary skilled in the art would have been motivated because it offers the advantage of enhancing the system to support more incident types. As per claim 2, Narula-May-Saxena discloses the computer-implemented method of claim 1, further comprising training the neural network with a plurality of input nodes (May 4:64-5:6, The first machine learning model is trained using an incident and playbook database including at least: a first incident and a corresponding first playbook… and a second incident and a corresponding second playbook), wherein the input nodes comprise aspects of a past incident and a plurality of past output nodes (May Fig. 3, Add Combination of Incident (Series of Occurrences) and Playbook (Series of Actions) to Database at 326), and wherein each past output node of the plurality of past output nodes corresponds to a past SOAR playbook (May Fig. 3, Apply Playbook Machine Learning Model to the Occurrence Vector to Yield the Most Likely Playbooks for the Series of Occurrences 308; Narula par. 6, Systems and methods are described for a machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration and automated response (SOAR) platform). The same rationale as in claim 1 applies. Claims 14 and 15 do not teach or further define over the limitations in claims 1 and 2 respectively. As such, claims 14 and 15 are rejected for the same reasons as set forth in claims 1 and 2, respectively. Claims 3 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Narula et al. (US 2021/0306352, published Sep. 30, 2021), May (US 12,101,231, published Sep.24,2024), Saxena et al. (US 2023/0140918, published May 11, 2023) and Sato (US 2018/0152734, published May 31, 2018). As per claim 3, Narula-May-Saxena discloses the computer-implemented method of claim 2, but does not explicitly disclose wherein each past output node of the plurality of past output nodes comprises an on-off state, and wherein an on state of the on-off state indicates that the corresponding past output node was executed in the past SOAR playbook and an off state of the on-off state indicates the corresponding past output node was not executed in the past SOAR playbook. Sato teaches: an on-off state, and wherein an on state of the on-off state indicates that the processing was executed and an off state of the on-off state indicates the processing was not executed (Sato par. 230-231, the filtering unit 354 generates an adaptive filter flag (on/off flag), which is filter identification information indicating whether or not filter processing has been performed… the adaptive filter flag may be set to have a value indicating that filter processing has been performed (for example, "1 "). Also, for example, in a case where adaptive loop filter processing has not been performed on all the pixels in the block, the adaptive filter flag may be set to have a value indicating that filter processing has not been performed (for example, "0"). The value of the adaptive filter flag may be set on the basis of another standard). It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Narula with the teaching of Sato for each past output node of the plurality of past output nodes comprises an on-off state, and wherein an on state of the on-off state indicates that the corresponding past output node was executed in the past SOAR playbook and an off state of the on-off state indicates the corresponding past output node was not executed in the past SOAR playbook. One of ordinary skilled in the art would have been motivated because it offers the advantage of providing insight for analyst regarding execution status of the playbooks. Claim 16 does not teach or further define over the limitations in claim 3. As such, claim 16 is rejected for the same reasons as set forth in claim 3. Claims 4 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Narula et al. (US 2021/0306352, published Sep. 30, 2021), May (US 12,101,231, published Sep.24,2024), Saxena et al. (US 2023/0140918, published May 11, 2023) and Zettel, II (US 2018/0152734, published May 31, 2018, hereinafter “Zettel”). As per claim 4, Narula-May-Saxena discloses the computer-implemented method of claim 2, wherein: the incident comprises an attribute (Narula par. 29, attributes associated with incident metadata (e.g., name, description, severity, phase, status, type, date, and the like) may constitute a feature set); and at least one input node is determined in accordance with the attribute (Narula par. 43, recommendation sequence generating engine 216 is responsible for generating a recommended sequence of one or more actions in response to an incident observed by the SOAR platform that is similar in nature to another previously observed incident or an incident of a particular class or type). Narula-May-Saxena does not explicitly disclose: attribute selected from at least one of business impact, risk score, sensor type, affected user type, affected user reputation score, domain name server reputation score, internet protocol address reputation score, outcome, and country of origin. Zettel teaches: attribute selected from at least one of business impact, risk score (Zettel par. 85, The incident status and metadata 650 displays numerous fields of information about the network security incident. The incident status and metadata 650 may display… a risk score), sensor type, affected user type, affected user reputation score, domain name server reputation score, internet protocol address reputation score, outcome, and country of origin. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Narula with the teaching of Sato to incorporate the attribute selected from at least one of business impact, risk score, sensor type, affected user type, affected user reputation score, domain name server reputation score, internet protocol address reputation score, outcome, and country of origin. One of ordinary skilled in the art would have been motivated because it offers the advantage of providing information about the network security incident. Claim 17 does not teach or further define over the limitations in claim 4. As such, claim 17 is rejected for the same reasons as set forth in claim 4. Claims 5 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Narula et al. (US 2021/0306352, published Sep. 30, 2021), May (US 12,101,231, published Sep.24,2024), Saxena et al. (US 2023/0140918, published May 11, 2023) and Bharathram et al. (US 11,894,981, published Feb.6, 2024). As per claim 5, Narula-May-Saxena discloses the computer-implemented method of claim 2, wherein at least one output node is determined in accordance with the action (May Fig. 3, Apply Playbook Machine Learning Model to the Occurrence Vector to Yield the Most Likely Playbooks for the Series of Occurrences 308; May Fig. 2C, Playbook 203 comprises Action 231 and 232). The same rationale as in claim 1 applies. Narula-May-Saxena does not explicitly disclose: an action is selected from at least one of create ticket, check uniform resource locator, check for suspicious activity, scan an affected endpoint, block an email sender address, alert security system, close ticket, check domain name server reputation score, and block processing of a task. Bharathram teaches: an action is selected from at least one of create ticket, check uniform resource locator, check for suspicious activity, scan an affected endpoint, block an email sender address, alert security system, close ticket, check domain name server reputation score, and block processing of a task (Bharathram 3:61-4:1, the automated remediation may be to automatically restart the network device and send a message to an incident lead identifying the conditions surrounding the incident… the automated remediation may be to automatically stop a process executing on the network device). It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Narula with the teaching of Bharathram for an action is selected from at least one of create ticket, check uniform resource locator, check for suspicious activity, scan an affected endpoint, block an email sender address, alert security system, close ticket, check domain name server reputation score, and block processing of a task. One of ordinary skilled in the art would have been motivated because it offers the advantage of expanding remediation to resolve incidents. Claim 18 does not teach or further define over the limitations in claim 5. As such, claim 18 is rejected for the same reasons as set forth in claim 5. Claims 6 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Narula et al. (US 2021/0306352, published Sep. 30, 2021), May (US 12,101,231, published Sep.24,2024), Saxena et al. (US 2023/0140918, published May 11, 2023) and Williams et al. (US 2024/0242184, filed Jan. 17, 2023). As per claim 6, Narula-May-Saxena discloses the computer-implemented method of claim 1, but does not explicitly disclose wherein: the neural network comprises a first neural network trained in a first domain, and a second neural network trained in a second domain different from the first domain; and providing the incident to the neural network further comprises determining a best match between the incident and either the first domain or the second domain; and further comprising providing the incident to either the first domain or the second domain in accordance with the best match and receiving the selected SOAR playbook therefrom. Williams teaches: a first network trained in a first domain, and a second network trained in a second domain different from the first domain (Williams Fig. 4A, Set Of Machine Learning Models 410; Williams par. 95, each of the set of machine learning models (410) is trained separately using input data from the sorted input data (408) that corresponds to the specified business type); and determining a best match between the input and either the first domain or the second domain (Williams par. 64, selecting, based on the selected domain, a selected machine learning model from among a set of machine learning models); and further comprising providing the input to either the first domain or the second domain in accordance with the best match (Williams par. 65, executing the selected machine learning model on the dataset). It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Narula with the teaching of Williams in order to incorporate technique using various models trained in various domains for the neural network comprises a first neural network trained in a first domain, and a second neural network trained in a second domain different from the first domain; and providing the incident to the neural network further comprises determining a best match between the incident and either the first domain or the second domain; and further comprising providing the incident to either the first domain or the second domain in accordance with the best match and receiving the selected SOAR playbook therefrom. One of ordinary skilled in the art would have been motivated because it offers the advantage of improving accuracy of output from neural networks. Claim 19 does not teach or further define over the limitations in claim 6. As such, claim 19 is rejected for the same reasons as set forth in claim 6. Allowable Subject Matter Claims 8, 20 and 21 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten to include all of the limitations of the base claim and any intervening claims. Claims 9-13 are allowed. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US 20220210029 A1; Framework For Determining Metrics Of An Automation Platform Systems and methods for determining an efficiency score for an automation platform are provided. US 12511395 B1; Automated Security, Orchestration, Automation, And Response (SOAR) Service App Management Described herein are techniques are provided for enabling a security orchestration, automation, and response (SOAR) service to automatically manage apps used to interface with an integrated security operations service and other related devices and services. US 20200372367 A1; Cognitive Methods And Systems For Responding To Computing System Incidents Embodiments for responding to computing system incidents are provided. Information associated with a computing system is analyzed to generate a base system model of the computing system. The information includes at least one of system logs and metrics data of the computing system. An indication of an incident associated with the computing system is received. The base system model is utilized to analyze the incident. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHANG DO whose telephone number is (571)270-7837. The examiner can normally be reached Monday-Friday 8:00 - 5:00 EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, RUPAL DHARIA can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /KHANG DO/Primary Examiner, Art Unit 2492