Prosecution Insights
Last updated: July 17, 2026
Application No. 18/544,240

GLOBAL SEARCH OF A SECURITY RELATED DATA STORE USING NATURAL LANGUAGE PROCESSING

Non-Final OA §101§103§112
Filed
Dec 18, 2023
Examiner
MAY, ROBERT F
Art Unit
2154
Tech Center
2100 — Computer Architecture & Software
Assignee
Palo Alto Networks Inc.
OA Round
5 (Non-Final)
75%
Grant Probability
Favorable
5-6
OA Rounds
5m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 75% — above average
75%
Career Allowance Rate
221 granted / 295 resolved
+19.9% vs TC avg
Strong +30% interview lift
Without
With
+30.5%
Interview Lift
resolved cases with interview
Typical timeline
3y 0m
Avg Prosecution
28 currently pending
Career history
333
Total Applications
across all art units

Statute-Specific Performance

§101
4.1%
-35.9% vs TC avg
§103
82.8%
+42.8% vs TC avg
§102
10.1%
-29.9% vs TC avg
§112
2.2%
-37.8% vs TC avg
Black line = Tech Center average estimate • Based on career data from 295 resolved cases

Office Action

§101 §103 §112
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION The Action is responsive to the Request for Continued Examination and Amendments and Remarks filed on 3/30/2026. Claims 1-4, 6-14, and 16-19 are pending claims. Claims 1, 11, and 16 are written in independent form. Claims 5, 15, and 20 have been previously cancelled. Claim Objections Claims 1, 11, and 16 are objected to because of the following informalities: Claims 1, 11, and 16 appear to recite the typographical error of “wherein the plurality of categories include a vulnerability category, an IP category, and/or a date category”. The limitation is understood to recite “wherein the plurality of categories includes a vulnerability category, an IP category, and/or a date category” because “plurality” is a singular collective noun requiring the singular verb “includes”. Appropriate correction is required. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 1-4, 6-14, and 16-19 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. Independent Claims 1, 11, and 16 contain the subject matter “wherein the plurality of categories includes a first category and a second category” and “wherein the plurality of categories include a vulnerability category, an IP category, and/or a date category” which is understood as the plurality of categories including five different categories and was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.It is noted that while Applicant states in the Remarks dated 3/30/2026 that “support for the amendments to claims 1, 11, and 16 can be found in the specification at, for example, FIG. 4C and paragraphs [0099] and [0105]”, the cited paragraphs and figure(s) merely recite three definitive categories as “IP”, “Vulnerability”, and “Time” (with the associated value being a date) and does not appear to support up to five distinct categories, let alone explicitly “first category” or “second category” as distinct categories, as the claim language is being interpreted as reciting. Independent Claims 1, 11, and 16 contain the subject matter “Wherein the IP category includes MAC (Media Access Control) Address and/or Device ID,” which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.It is not clearly stated in the written description any IP category that includes a MAC address and/or Device ID. In fact, an IP (internet protocol), MAC address, and Device ID are all very different identifiers that do not mean the same thing or hierarchically fall within the same category.It is noted that while Applicant states in the Remarks dated 3/30/2026 that “support for the amendments to claims 1, 11, and 16 can be found in the specification at, for example, FIG. 4C and paragraphs [0099] and [0105]”, the cited paragraphs and figure(s) merely recite IP, MAC, and Device ID as different possible fields, including “Category” as a separate field, for device matching using one or multiple fields (Paragraphs [0099] and [0103]).For purposes of compact prosecution and based on Figure 4C cited by Applicant as support for the amendments, the claim limitation is being interpreted as “Wherein the IP category includes an IP address Dependent Claims 2-4, 6-10, 12-14, and 17-19 inherit the deficiencies of their parent claims and are therefore being rejected based upon the same reason(s) stated for their parent claims. The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1-4, 6-14, and 16-19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Regarding Claims 1, 11, and 16, the limitations “wherein the plurality of categories includes a first category and a second category” and “wherein the plurality of categories includes a vulnerability category, an IP category, and/or a date category” renders the claims indefinite because when analyzed using its broadest reasonable interpretation, it is unclear whether the first and second category included in the plurality of categories, but not explicitly defined in the Specification, are the same or different categories from the “vulnerability category”, the “IP category”, and the “date category” also recited as being included in “the plurality of categories”. For purposes of compact prosecution, the “first category” and the “second category” are being understood as different categories from the “vulnerability category”, “IP category”, and/or “date category” capable of also being included in the “plurality of categories” because at least “IP” and “Category” are listed separately in Paragraphs [0099] and [0103] of the Specification. Dependent Claims 2-4, 6-10, 12-14, and 17-19 inherit the deficiencies of their parent claims and are therefore being rejected based upon the same reason(s) stated for their parent claims. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-4, 6-14, and 16-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-patentable subject matter. The claimed invention is directed to one or more abstract ideas without significantly more. The judicial exception is not integrated into a practical application. The claims do not include additional elements that are sufficient to amount to significantly more than judicial exception. The eligibility analysis in support of these findings is provided below. As per Claims 1, 11, and 16, STEP 1:In accordance with Step 1 of the eligibility inquiry (as explained in MPEP 2106), the claimed system (claims 1-4 and 6-10), method (claims 11-14), and product (claims 16-19) are directed to one of the eligible categories of subject matter and therefore satisfies Step 1. STEP 2A Prong One:The independent claims 1, 11, and 16 recite the following limitations directed to an abstract idea: Translate the first query using natural language processing (NLP) classifier to process natural language included in the first query; The limitation recites a mental process of observation, evaluation, judgement, and/or opinion capable of being performed by the human mind by observing and evaluating the first query, including natural language included in the first query, and a natural language processing (NLP) classifier, and based on the observation and evaluation, making a judgement and/or opinion of a translation of the first query. Extract, using the NLP classifier, one or more categories of a plurality of categories from the processed natural language, The limitation recites a mental process of observation, evaluation, judgement, and/or opinion capable of being performed by the human mind by observing the natural language query, evaluating the natural language of a query based on a natural language processing classifier and a plurality of categories, and based on the observation and evaluation, making a judgement and/or opinion of particular one or more categories of the plurality of categories to extract. Perform a second query of one or more tables of a plurality of tables in the security related data store based on the one or more categories; The limitation recites a mathematical concept of executing a mathematical formula in the form of a database query based on one or more categories or fields. Wherein the performing of the second query comprises: Select a table based on the first category or the second category; and The limitation recites a mental process of observation, evaluation, judgement, and/or opinion capable of being performed by the human mind by observing and evaluating the plurality of tables and a first or second category and, based on the observation and evaluation, making a judgement and/or opinion to select a table. Perform the second query based on the selected table, Wherein in the event that the one or more categories includes the first category, perform the second query based on the first table; and The limitation recites a mental process of observation, evaluation, judgement, and/or opinion capable of being performed by the human mind by observing and evaluating the one or more categories, based on the observation and evaluation, making a judgement and/or opinion that the one or more categories includes the first category, and based on the observation and evaluation leading to the judgement and/or opinion that the one or more categories includes the first category, making another judgement and/or opinion to perform the second query based on the first table selected based on the first category. Wherein in the event that the one or more categories includes the second category, perform the second query based on the second table; The limitation recites a mental process of observation, evaluation, judgement, and/or opinion capable of being performed by the human mind by observing and evaluating the one or more categories, based on the observation and evaluation, making a judgement and/or opinion that the one or more categories includes the second category, and based on the observation and evaluation leading to the judgement and/or opinion that the one or more categories includes the second category, making another judgement and/or opinion to perform the second query based on the second table selected based on the second category. Identify malware based on the returned results; The limitation recites a mental process of observation, evaluation, judgement, and/or opinion capable of being performed by the human mind by observing and evaluating the returned results, and based on the observation and evaluation, making a judgement and/or opinion of specific malware.It is noted that there is no explanation of how or what steps are performed using the returned results when identifying malware, just that the identification of malware is performed “based on the returned results”. STEP 2A Prong Two:Claims 1 and 16 recite that the system comprises “a processor”, “memory”, and “a non-transitory computer readable medium”, which is a high-level recitation of generic computer components and represents mere instructions to apply on a computer as in MPEP 2106.05(f), which does not provide integration into a practical application. The claims recite the following additional elements: Receive a query for a security related data store; The limitation recites an insignificant extra solution activity as sending or receiving data (ie. Mere data gathering) such as ‘obtaining information’ as identified in MPEP 2106.05(g) and does not provide integration into a practical application. Wherein the plurality of categories includes a first category and a second category, The limitation recites an insignificant extra-solution activity as selecting particular categories labeled as “a first category and a second category” being used to represent the “plurality of categories” as identified in MPEP 2106.05(g) and does not provide integration into a practical application. Wherein the plurality of categories include a vulnerability category, an IP category, and/or a date category, The limitation recites an insignificant extra-solution activity as selecting particular categories labeled as “a vulnerability category, an IP category, and/or a date category” being used to represent the “plurality of categories” as identified in MPEP 2106.05(g) and does not provide integration into a practical application. Wherein the IP category includes an IP address, and The limitation recites an insignificant extra-solution activity as selecting particular information being used to represent the “IP category” as identified in MPEP 2106.05(g) and does not provide integration into a practical application. Wherein the vulnerability category includes one or more of the following: Severity, Common Vulnerability Scoring System (CVSS), and/or Industrial Control Systems (ICS) cert; The limitation recites an insignificant extra-solution activity as selecting particular information being used to represent the “vulnerability category” as identified in MPEP 2106.05(g) and does not provide integration into a practical application. Wherein the plurality of tables includes a first table and a second table; The limitation recites an insignificant extra-solution activity as selecting particular tables labeled as “a first table and a second table” being used to represent the “plurality of tables” as identified in MPEP 2106.05(g) and does not provide integration into a practical application. Wherein the first table is different from the second table, The limitation recites an insignificant extra-solution activity as selecting a particular type of content representing the first table and the second table is different, as identified in MPEP 2106.05(g) and does not provide integration into a practical application. Return results for the first query based on the second query of the one or more tables in the security related data store based on the one or more categories; The limitation recites an insignificant extra solution activity as sending or receiving data (ie. Mere data gathering) such as ‘obtaining information’ as identified in MPEP 2106.05(g) and does not provide integration into a practical application. Viewing the additional limitations together and the claim as a whole, nothing provides integration into a practical application. STEP 2B: The conclusions for the mere implementation using a computer are carried over and does not provide significantly more. With respect to “Receive a query for a security related data store;” identified as insignificant extra-solution activity above this is also WURC as court-identified see MPEP 2106.05(d)(II)(i). With respect to “Wherein the plurality of categories includes a first category and a second category;” identified as insignificant extra-solution activity above this is also WURC as court-identified see MPEP 2106.05(d)(II)(iv). With respect to “Wherein the plurality of categories include a vulnerability category, an IP category, and/or a date category,” identified as insignificant extra-solution activity above this is also WURC as court-identified see MPEP 2106.05(d)(II)(iv). With respect to “Wherein the IP category includes an IP address,” identified as insignificant extra-solution activity above this is also WURC as court-identified see MPEP 2106.05(d)(II)(iv). With respect to “Wherein the vulnerability category includes one or more of the following: severity, Common Vulnerability Scoring System (CVSS), and/or Industrial Control Systems (ICS) cert;” identified as insignificant extra-solution activity above this is also WURC as court-identified see MPEP 2106.05(d)(II)(iv). With respect to “Wherein the first table is different from the second table,” identified as insignificant extra-solution activity above this is also WURC as court-identified see MPEP 2106.05(d)(II)(iv). With respect to “Return results for the first query based on the second query of the one or more tables in the security related data store based on the one or more categories;” identified as insignificant extra-solution activity above this is also considered to be WURC as court-identified see MPEP 2106.05(d)(II)(i). Looking at the claim as a whole does not change this conclusion and the claim is ineligible. As per Dependent Claims 2-4, 6-10, 12-14, and 17-19, STEP 1:In accordance with Step 1 of the eligibility inquiry (as explained in MPEP 2106), the claimed system (claims 1-4 and 6-10), method (claims 11-14), and product (claims 16-19) are directed to one of the eligible categories of subject matter and therefore satisfies Step 1. STEP 2A Prong One:The dependent claims 2-10, 12-15, and 17-20 recite the following limitations directed to an abstract idea: The limitation of Dependent Claim 9 includes the step(s) of: Wherein the NLP classifier is periodically trained using an automated or semi-automated collection of user’s searching behaviors to identify one or more categories to search query text. This limitation recites intended use language of “…to identify…” and is thus not being given patentable weight. Therefore, the limitation is understood as reciting “Wherein the NLP classifier is periodically trained using an automated or semi-automated collection of user’s searching behaviors”. However, for the purposes of compact prosecution, the identifying step is being addressed as if it were positively recited. The limitation recites a mathematical concept of executing a mathematical formula in the form of a periodic training formula using user’s searching behaviors as input. The limitation of Dependent Claim 10 includes the step(s) of: Wherein the NLP classifier is periodically retrained using an automated or semi-automated collection of user’s searching behaviors and refreshing of classification models and rules. The limitation recites a mathematical concept of executing a mathematical formula in the form of a periodic retraining formula using user’s searching behaviors as input and outputs refreshed classification models and rules. STEP 2A Prong Two:The claim(s) recite the following additional elements: The limitation of Dependent Claims 2, 12, and 17 include the step(s) of: Wherein the first query for the security related data store is received from a user. The limitation recites an insignificant extra solution activity as retrieval of data (ie. Mere data gathering) such as ‘obtaining information’ as identified in MPEP 2106.05(g) and does not provide integration into a practical application. The limitation of Dependent Claims 3, 13, and 18 include the step(s) of: Wherein the security related data store includes a structured database. The limitation recites an insignificant extra-solution activity as selecting a particular structure being used to represent the security related data as identified in MPEP 2106.05(g) and does not provide integration into a practical application. The limitation of Dependent Claims 4, 14, and 19 include the step(s) of: Wherein the security related data store includes a structured database that includes the one or more categories. The limitation recites an insignificant extra-solution activity as selecting one or more particular categories of data being used to represent the data in the data store as identified in MPEP 2106.05(g) and does not provide integration into a practical application. The limitation of Dependent Claim 6 includes the step(s) of: Wherein the security related data store includes content associated with a plurality of Internet of Things (IoT) devices. The limitation recites an insignificant extra-solution activity as selecting a particular type of content being used to represent data in the data store as identified in MPEP 2106.05(g) and does not provide integration into a practical application. The limitation of Dependent Claim 7 includes the step(s) of: Wherein the security related data store includes content associated with a plurality of Internet of Things (IoT) devices that is stored in a structured database. The limitation recites an insignificant extra-solution activity as selecting a particular structure being used to represent the security related data as identified in MPEP 2106.05(g) and does not provide integration into a practical application. The limitation of Dependent Claim 8 includes the step(s) of: Wherein the security related data store includes content associated with a plurality of Internet of Things (IoT) devices that is stored in a structured database that includes the one or more categories. The limitation recites an insignificant extra-solution activity as selecting one or more particular categories of data being used to represent the data in the data store as identified in MPEP 2106.05(g) and does not provide integration into a practical application. Viewing the additional limitations together and the claim as a whole, nothing provides integration into a practical application. STEP 2B: The conclusions for the mere implementation using a computer are carried over and does not provide significantly more. With respect to Claims 2, 12, and 17 recite “Wherein the first query for the security related data store is received from a user.” identified as insignificant extra-solution activity above this is also WURC when claimed in a merely generic manner as court-identified see MPEP 2106.05(d)(II)(i). With respect to Claims 3, 13, and 18 recite “Wherein the security related data store includes a structured database.” identified as insignificant extra-solution activity above this is also WURC when claimed in a merely generic manner as court-identified see MPEP 2106.05(d)(II)(iv). With respect to Claims 4, 14, and 19 recite “Wherein the security related data store includes a structured database that includes the one or more categories.” identified as insignificant extra-solution activity above this is also WURC as court-identified see MPEP 2106.05(d)(II)(iv). With respect to Claim 6 reciting “Wherein the security related data store includes content associated with a plurality of Internet of Things (IoT) devices.” identified as insignificant extra-solution activity above this is also WURC as court-identified see MPEP 2106.05(d)(II)(iv). With respect to Claim 7 reciting “Wherein the security related data store includes content associated with a plurality of Internet of Things (IoT) devices that is stored in a structured database.” identified as insignificant extra-solution activity above this is also WURC as court-identified see MPEP 2106.05(d)(II)(iv). With respect to Claim 8 reciting “Wherein the security related data store includes content associated with a plurality of Internet of Things (IoT) devices that is stored in a structured database that includes the one or more categories.” identified as insignificant extra-solution activity above this is also WURC as court-identified see MPEP 2106.05(d)(II)(iv). Looking at the claim as a whole does not change this conclusion and the claim is ineligible. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-4, 6-14, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Das et al. (U.S. Pre-Grant Publication No. 2019/0034429, hereinafter referred to as Das), and further in view of Schindel et al. (U.S. Patent No. 12,001,550, hereinafter referred to as Schindel ). Regarding Claim 1: Das teaches a system comprising: A processor configured to (Das - Para. [0354]): Receive a first query for a security related data store; Das teaches “a method 1100 begins at step 1104, where the request processing engine 920 receives the NL request 915 from a user” (Para. [0239]). Das further teaches “the NL system 100 could include any number of relational database management systems, such as MySQL (My Structured Query Language) systems, and any number of NoSQ (non SQL) systems, such as MongoDB. Domain-specific data sources 820 are also referred to herein as data storage systems” (Para. [0197]). Translate the first query using a natural language processing (NLP) classifier to process natural language included in the first query; Das teaches “if the request processing engine 920 determines that the NL request 915 is ambiguous, then the request processing engine 920 may generate an disambiguated NL request 915 based on the disambiguation model 991 and/or the interaction model 992.” (Para. [0220]). Therefore, Das teaches translating the NL request, using natural language processing, to process natural language included in the NL request. Extract, using the NLP classifier, one or more categories of a plurality of categories from the processed natural language, wherein the plurality of categories includes a first category and a second category; Das teaches “a NL data application extracts and curates metadata associated with the different data sources, translates a given NL request to an appropriate DSL request, applies the DSL request to the corresponding domain-specific data source to retrieve the data relevant to the original NL request, performs various operations on the retrieved data, and displays the results” (Para. [0004]).Das teaches the plurality of categories including first and second category by teaching “metadata associated with different data sources” (Para. [0004]) and selecting an “associated domain-specific data source” (Para. [0242]) based on the extracted intent inference(s) for the NL request that are used to select a particular DSL Template and its associated domain-specific data source (Paras. [0239]-[0242] & Fig. 11), each DSL template and domain-specific data source belonging to a particular category/domain. Wherein the plurality of categories include a vulnerability category, an IP category, and/or a date category, Das teaches “While a query can be formulated in many ways, a query can start with a search command and one or more corresponding search terms at the beginning of the pipeline. Such search terms can include any combination of keywords, phrases, times, dates, Boolean expressions, fieldname-field value pairs, etc. that specify which results should be obtained from an index.” (Para. [0188]). Das further teaches “The set of values produced are semantically-related (such as IP address), even though the machine data in each event may be in different formats (e.g., semantically-related values may be in different positions in the events derived from different sources)” (Para. [0045]), “the metadata fields may include separate fields specifying each of a host, a source, and a source type related to the data block. A host field may contain a value identifying a host name or IP address of a device that generated the data” (Para. [0102]), and “all of the inverted indexes 507A . . . 507B, and 509A . . . 509B can include field-value pair entries for the fields host, source, sourcetype. As yet another non-limiting example, the field-value pair entries for the IP address field can be user specified and may only appear in the inverted index 507B based on user-specified criteria” (Para. [0131]).Therefore, Das at least teaches an IP category and a date category. Wherein the IP category includes an IP address, and Das further teaches “The set of values produced are semantically-related (such as IP address), even though the machine data in each event may be in different formats (e.g., semantically-related values may be in different positions in the events derived from different sources)” (Para. [0045]), “the metadata fields may include separate fields specifying each of a host, a source, and a source type related to the data block. A host field may contain a value identifying a host name or IP address of a device that generated the data” (Para. [0102]), and “all of the inverted indexes 507A . . . 507B, and 509A . . . 509B can include field-value pair entries for the fields host, source, sourcetype. As yet another non-limiting example, the field-value pair entries for the IP address field can be user specified and may only appear in the inverted index 507B based on user-specified criteria” (Para. [0131]). Perform a second query of one or more tables of a plurality of tables in the security related data store based on the one or more categories, wherein the plurality of tables includes a first table and a second table, and Das teaches “a NL data application extracts and curates metadata associated with the different data sources, translates a given NL request to an appropriate DSL request, applies the DSL request to the corresponding domain-specific data source to retrieve the data relevant to the original NL request, performs various operations on the retrieved data, and displays the results” (Para. [0004]). Wherein the first table is different from the second table, Das teaches “a NL data application extracts and curates metadata associated with the different data sources, translates a given NL request to an appropriate DSL request, applies the DSL request to the corresponding domain-specific data source to retrieve the data relevant to the original NL request, performs various operations on the retrieved data, and displays the results” (Para. [0004]). Therefore, Das teaches searching different domain-specific data sources (different tables) based on the domain (category) associated with the DSL request. wherein the performing of the second query comprises: Select a table based on the first category or the second category; and Das teaches selecting an “associated domain-specific data source” (Para. [0242]) based on the extracted intent inference(s) for the NL request that are used to select a particular DSL Template and its associated domain-specific data source (Paras. [0239]-[0242] & Fig. 11). Das further teaches an example of a domain-specific data source including “the data intake and query system 108, ‘Oracle/sales’ which refers to an Oracle database table name ‘sales,’ and a REST (Representational State Transfer) endpoint ‘salesforce/sales’ which refers to a Salesforce object named ‘sales.’” (Para. [0213]) thereby teaching selecting domain-specific data sources as being one or more tables. Perform the second query based on the selected table, Wherein in the event that the one or more categories includes the first category, perform the second query based on the first table, and Das teaches “a NL data application extracts and curates metadata associated with the different data sources, translates a given NL request to an appropriate DSL request, applies the DSL request to the corresponding domain-specific data source to retrieve the data relevant to the original NL request, performs various operations on the retrieved data, and displays the results” (Para. [0004]). Das further teaches “a mapping engine 1010 and a property resolution engine 1020. In operation, the mapping engine 1010 selects one of the DSL templates 998 included in the knowledge database 870 based on the intent 935 and the DSL 972. In general, the mapping engine 1010 may select the DSL template 998 in any technically feasible fashion. For instance, in some embodiments, for each supported DSL, the knowledge database 870 includes an intent mapping list (not shown). For each of the predefined intents 935 included in the intent database 988, the intent mapping list for the DSL 972 specifies a corresponding DSL template 998 written in the DSL 972.” (Para. [0233]) thereby teaching in the event that the intent 935 is a first intent, applying a DSL request, using the DSL template, to the corresponding domain-specific data source/table, and in the event that the intent 935 is a second intent, applying a different DSL request, using a different DSL template, to a different corresponding domain-specific data source/table. Wherein in the event that the one or more categories includes the second category, perform the second query based on the second table; Das teaches “a NL data application extracts and curates metadata associated with the different data sources, translates a given NL request to an appropriate DSL request, applies the DSL request to the corresponding domain-specific data source to retrieve the data relevant to the original NL request, performs various operations on the retrieved data, and displays the results” (Para. [0004]). Das further teaches “a mapping engine 1010 and a property resolution engine 1020. In operation, the mapping engine 1010 selects one of the DSL templates 998 included in the knowledge database 870 based on the intent 935 and the DSL 972. In general, the mapping engine 1010 may select the DSL template 998 in any technically feasible fashion. For instance, in some embodiments, for each supported DSL, the knowledge database 870 includes an intent mapping list (not shown). For each of the predefined intents 935 included in the intent database 988, the intent mapping list for the DSL 972 specifies a corresponding DSL template 998 written in the DSL 972.” (Para. [0233]) thereby teaching in the event that the intent 935 is a first intent, applying a DSL request, using the DSL template, to the corresponding domain-specific data source/table, and in the event that the intent 935 is a second intent, applying a different DSL request, using a different DSL template, to a different corresponding domain-specific data source/table. Return results for the first query based on the second query of the one or more tables in the security related data store based on the one or more categories; and Das teaches “a NL data application extracts and curates metadata associated with the different data sources, translates a given NL request to an appropriate DSL request, applies the DSL request to the corresponding domain-specific data source to retrieve the data relevant to the original NL request, performs various operations on the retrieved data, and displays the results” (Para. [0004]). A memory coupled to the processor and configured to provide the processor with instructions (Das - Para. [0353]). Das explicitly teaches all of the elements of the claimed invention as recited above except: Wherein the plurality of categories include a vulnerability category, Wherein the vulnerability category includes one or more of the following: Severity, Common Vulnerability Scoring System (CVSS), and/or Industrial Control Systems (ICS) cert; Identify malware based on the returned results; However, in the related field of endeavor of translating natural language queries to be executed against a security database, Schindel teaches: Wherein the plurality of categories include a vulnerability category, Schindel teaches “generating an instruction which, when executed, initiates inspection for a cybersecurity object, a vulnerability, an exposure, a misconfiguration, a malware, a combination thereof, and the like.” (Col. 5 Lines 40-60) thereby teaching using a vulnerability category to describe data. Wherein the vulnerability category includes one or more of the following: Severity, Common Vulnerability Scoring System (CVSS), and/or Industrial Control Systems (ICS) cert; Schindel teaches “generating a notification, generating an alert, updating an alert, generating a severity score, updating a severity score, generating a ticket, generating a risk score, updating a risk score, initiating a remediation action, initiating an incident response, a combination thereof, and the like.” (Col. 14 Lines 52-58) thereby teaching using severity and risk as part of a vulnerability category to describe data. Identify malware based on the returned results; Schindel teaches “execute the query on a security database, the security database including a representation of the computing environment” (Fig. 6 Element 640) and “initiating a mitigation action based on a result of the executed query” (Fig. 6 Element 650) where “a mitigation action includes generating a notification, generating an alert, updating an alert, generating a severity score, updating a severity score, generating a ticket, generating a risk score, updating a risk score, initiating a remediation action, initiating an incident response, a combination thereof, and the like.” (Col. 14 Lines 52-58) where “in an embodiment, an alert is ‘EC2 virtual machine with ID of i-012abcd34efghi56 infected with malware with SHA1 hash of 3395856ce81f2b7382dee72602f798b642f14141’, which indicates that a virtual machine having an identifier of ‘i-012abcd34efghi56’ is infected with a malware corresponding to a hash ‘3395856ce81f2b7382dee72602f798b642f14141’.” (Col. 13 Lines 18-25). Thus, it would have been obvious to one of ordinary skill in the art, having the teachings of Schindel and Das at the time that the claimed invention was effectively filed, to have combined the querying of security databases and identification of malware, as taught by Schindel, with the systems and methods for translating a natural language request to a domain-specific language request, as taught by Das. One would have been motivated to make such combination because Das teaches “the data intake and query system 108 is associated with the client devices 102 and the host devices 105 and comprises a domain-specific data source 820 through which users can retrieve and analyze data collected from the data sources 202 as described above. In alternate embodiments, the NL system 100 may includes any number of domain-specific data sources 820.” (Para. [0197]) and “the results of the query are indicative of performance or security of the IT environment and may help improve the performance of components in the IT environment” (Para. [0182]) but does not teach examples of any specific domains for the data sources whereas Schindel teaches domains for the data sources including cybersecurity with particular scenarios/domains that also include sub-scenarios/sub-domains for focusing the query (Abstract & Col. 2 Lines 30-65). Regarding Claim 2: Schindel and Das further teach: Wherein the query for the security related data store is received from a user. Das teaches “a method 1100 begins at step 1104, where the request processing engine 920 receives the NL request 915 from a user” (Para. [0239]) Regarding Claim 3: Schindel and Das further teach: Wherein the security related data store includes a structured database. Das further teaches “the NL system 100 could include any number of relational database management systems, such as MySQL (My Structured Query Language) systems, and any number of NoSQ (non SQL) systems, such as MongoDB. Domain-specific data sources 820 are also referred to herein as data storage systems” (Para. [0197]). Regarding Claim 4: Schindel and Das further teach: Wherein the security related data store includes a structured database that includes the one or more categories. Das teaches the structured database including an intent database including categories/intents as well as DSL templates related to an intent (Paras. [0219] & [0222]). Regarding Claim 6: Schindel and Das further teach: Wherein the security related data store includes content associated with a plurality of Internet of Things (IoT) devices. Das teaches “in the data intake and query system, machine data are collected and stored as ‘events’. An event comprises a portion of machine data and is associated with a specific point in time” (Para. [0041]) where “components which may generate machine data from which events can be derived include, but are not limited to…Internet of Things (IoT) devices” (Para. [0043]). Regarding Claim 7: Schindel and Das further teach: Wherein the security related data store includes content associated with a plurality of Internet of Things (IoT) devices that is stored in a structured database. Das teaches “in the data intake and query system, machine data are collected and stored as ‘events’. An event comprises a portion of machine data and is associated with a specific point in time” (Para. [0041]) where “components which may generate machine data from which events can be derived include, but are not limited to…Internet of Things (IoT) devices” (Para. [0043]). Das further teaches “Fig. 5B is a block diagram of a data structure in which time-stamped event data can be stored in a data store” (Para. [0016]) and categorizing the event data into one or more categories (Paras. [0136] & [0146]-[0148]). Regarding Claim 8: Schindel and Das further teach: Wherein the security related data store includes content associated with a plurality of Internet of Things (IoT) devices that is stored in a structured database that includes the one or more categories. Das teaches “in the data intake and query system, machine data are collected and stored as ‘events’. An event comprises a portion of machine data and is associated with a specific point in time” (Para. [0041]) where “components which may generate machine data from which events can be derived include, but are not limited to…Internet of Things (IoT) devices” (Para. [0043]). Das further teaches “Fig. 5B is a block diagram of a data structure in which time-stamped event data can be stored in a data store” (Para. [0016]) and categorizing the event data into one or more categories (Paras. [0136] & [0146]-[0148]). Regarding Claim 9: Schindel and Das further teach: Wherein the NLP classifier is periodically trained using an automated or semi-automated collection of user’s searching behaviors to identify one or more categories to search query text. This limitation recites intended use language of “…to identify…” and is thus not being given patentable weight. Therefore, the limitation is understood as reciting “Wherein the NLP classifier is periodically trained using an automated or semi-automated collection of user’s searching behaviors”. However, for the purposes of compact prosecution, the identifying step is being addressed as if it were positively recited. Das teaches “NL application 840 executes on the processor 812 of the translation server 830 and is stored in the memory 186 of the translation server 830. The NL application 840 performs data interfacing operations based on information stored in a knowledge database 870. The knowledge database 870 is included in the knowledge server 850 and managed by a knowledge application 860. Examples of information stored in the knowledge database 870 include DSL-specific templates, an interaction history database, and a variety of machine-learning (ML) models, to name a few.” where “periodically, any number of ML model generators train corresponding ML learning models based on the knowledge database 870 and then store the trained ML learning models in the knowledge database 870” (Paras. [0205]-[0206]). Regarding Claim 10: Schindel and Das further teach: Wherein the NLP classifier is periodically retrained using an automated or semi-automated collection of user’s searching behaviors and refreshing of classification models and rules. Das teaches “periodically, the model generators retrain the machine learning models based on information included in the knowledge database, including portions of the histories that indicate the effectiveness with previous recommendations” (Para. [0349]). Regarding Claim 11: All of the limitations herein are similar to some or all of the limitations of Claim 1. Regarding Claim 12: All of the limitations herein are similar to some or all of the limitations of Claim 2. Regarding Claim 13: All of the limitations herein are similar to some or all of the limitations of Claim 3. Regarding Claim 14: All of the limitations herein are similar to some or all of the limitations of Claim 4. Regarding Claim 16: Some of the limitations herein are similar to some or all of the limitations of Claim 1. Das further teaches: A non-transitory computer readable medium (Das - Claim 11). Regarding Claim 17: All of the limitations herein are similar to some or all of the limitations of Claim 2. Regarding Claim 18: All of the limitations herein are similar to some or all of the limitations of Claim 3. Regarding Claim 19: All of the limitations herein are similar to some or all of the limitations of Claim 4. Response to Amendment Applicant’s Amendments, filed on 3/30/2026 are acknowledged. Response to Arguments On pages 8-9 of the Remarks filed on 3/30/2026, Applicant argues, based on the amended claims, that “Das and Schindel fail to disclose the recited MAC Address and/or Device ID and the recited severity, Common Vulnerability Scoring System (CVSS), and/or Industrial Control Systems (ICS) cert. Accordingly, the applied references fail to teach or render obvious "the plurality of categories include a vulnerability category, an IP category, and/or a date category, wherein the IP category includes MAC Address and/or Device ID, and wherein the vulnerability category includes one or more of the following: severity, Common Vulnerability Scoring System (CVSS), and/or Industrial Control Systems (ICS) cert," as recited in claims 1, 11, and 16.”.Applicant’s argument is moot based at least in part on the 112(a) and 112(b) rejections given above related to the scope and interpretations of the argued limitations. Further, it is noted that the claims merely recite a Markush group including “and/or” for the plurality of categories and Das in combination with Schindel, upon further time spent considering the references, were found to teach the newly amended categories as is further explained in the rejection above. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Das et al. (U.S. Patent No. 11,670,288) teaches a natural language (NL) application receives a partial NL request associated with a first context, and determining that the partial NL request corresponds to at least a portion of a first next NL request prediction included in one or more next NL request predictions generated based on a first natural language (NL) request, the first context associated with the first NL request, and a first sequence prediction model, where the first sequence prediction model is generated via a machine learning algorithm applied to a first data dependency model and a first request prediction model. In response to determining that the partial NL request corresponds to at least the portion of the first next NL request prediction, the NL application generates a complete NL request based on the first NL request and the partial NL request, and causes the complete NL request to be applied to a data storage system. Schindel et al. (U.S. Patent No. 12,001,550) teaches a system and method for providing cybersecurity incident response utilizing a large language model. The method includes: mapping a received incident input into a scenario of a plurality of scenarios, each scenario including a plurality of sub-scenarios; generating a query based on the received incident input and a selection of a sub-scenario of the plurality of sub-scenarios; executing the query on a security database, the security database including a representation of the computing environment; and initiating a mitigation action based on a result of the executed query. Snyder et al. (U.S. Pre-Grant Publication No. 2019/0130285) teaches in response to a programmatic interaction, respective representations of items of an initial result set are presented to an item consumer. One or more result refinement iterations are then conducted. In a given iteration, one or more feedback indicators with respect to one or more items are identified, a machine learning model is trained using at least the feedback indicators to generate respective result set candidacy metrics for at least some items, and the metrics are then used to transmit additional items for presentation to the item consumer.The reference further teaches “in at least one embodiment in which verbal utterances are potentially used to provide feedback regarding presented items, the process of scoring items may be enhanced using an utterance interpretation based technique. The utterances may be mapped to respective embedding vectors using a natural language understanding (NLU) or natural language processing (NLP) machine learning model, in effect capturing at least some characteristics of the verbal feedback. Such embedding information 930 may also be provided as input to the score generator machine learning model 950, and may be used to shift the target region of the item features embedding space from within which additional items are selected for inclusion in result sets in some embodiments. In effect, a composite feature vector which includes embedding values associated with the utterances (if any) as well embedding values obtained from images and/or other attributes may be used in such embodiments.” (Para. [0079]). DeLuca et al. (U.S. Pre-Grant Publication No. 2018/0330011) teaches generating domain language detection models respective to a plurality of domains. A query is mapped to a domain language detection model and intent of the query is determined by use of classification labels of the domain language detection model. Based on the classification labels that may be identified as the intent of the query, alternative queries are formed to be meaningful valid and are produced to a user.The reference further teaches “automated construction of domain language detection models by use of natural language analysis and natural language classification technologies. A query is semantically validated according to one of the domain language detection models selected for the query. The intent of the query is determined by selecting a plurality of classification labels of the selected domain language detection models based on terms appearing in the query. Each selected classification labels is associated with a corresponding confidence value which represents a probability of the query being about the topics represented by the respective classification labels.” (Para. [0028]). Sharma et al. (U.S. Pre-Grant Publication No. 2018/0173808) teaches intent and bot based query guidance may include receiving a query associated with a domain, and identifying, based on an analysis of the query, an intent of the query by extracting an action associated with the query and an entity associated with the query. An intent model associated with the query may be generated based on a mapping of the action and the entity with a domain model of the domain. An intent domain specific language representation of the intent model associated with the query may be generated. Based on an analysis of the intent domain specific language representation, a plurality of bots may be identified, and a parameterized bot chain may be generated to respond to the query. A runtime binding of bots of the parameterized bot chain may be performed, and invoked to generate the response to the query.The reference further teaches “The intent identifier 102 may analyze the query 104 (or a set of aggregated queries from the guidance query aggregator 108) to identify an intent 110 of the query 104. In order to identify the intent 110 of the query 104, the intent identifier 102 may apply natural language processing to the query 104 to ascertain a context of the query 104. Context, as disclosed herein, may be described as keywords or parameters that may be used to relate a query to queries processed in the past. Thus, context may be used to categorize a new query as either similar (i.e., similar to an existing processed query), a follow-up (i.e., a follow-up query to an existing processed query based upon the query context), or novel (i.e., a completely different query that cannot be mapped to any existing contexts, hence needs to be processed as a new query). In this regard, the intent identifier 102 may compare the query 104 to previously processed queries from a query thread repository 112 to categorize a new query as either similar, a follow-up, or novel.” (Para. [0048]). DeLuca et al. (U.S. Pre-Grant Publication No. 2018/0089332) a method and system for improving a search query process is provided. The method includes analyzing via a natural language classifier (NLC) circuit of a hardware device, a partial search phase entered in a search field of a graphical user interface with respect to a search query for specified subject matter. A subject based intent classification associated with the search query is determined and compared to intent based data of an intent data repository. In response, an autocomplete phrase associated with the subject based intent classification and the partial search phrase is generated and presented to a user via the graphical user interface. Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT F MAY whose telephone number is (571)272-3195. The examiner can normally be reached Monday-Friday 9:30am to 6pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Boris Gorney can be reached on 571-270-5626. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /ROBERT F MAY/Examiner, Art Unit 2154 5/28/2026 /BORIS GORNEY/Supervisory Patent Examiner, Art Unit 2154
Read full office action

Prosecution Timeline

Show 11 earlier events
Jul 30, 2025
Response after Non-Final Action
Dec 09, 2025
Response Filed
Jan 07, 2026
Final Rejection mailed — §101, §103, §112
Feb 03, 2026
Examiner Interview Summary
Feb 03, 2026
Applicant Interview (Telephonic)
Mar 30, 2026
Request for Continued Examination
Apr 02, 2026
Response after Non-Final Action
Jun 04, 2026
Non-Final Rejection mailed — §101, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12586145
METHOD AND APPARATUS FOR EDITING VIDEO IN ELECTRONIC DEVICE
3y 1m to grant Granted Mar 24, 2026
Patent 12468740
CATEGORY RECOMMENDATION WITH IMPLICIT ITEM FEEDBACK
2y 11m to grant Granted Nov 11, 2025
Patent 12367197
Pipelining a binary search algorithm of a sorted table
1y 7m to grant Granted Jul 22, 2025
Patent 12360955
Data Compression and Decompression Facilitated By Machine Learning
2y 4m to grant Granted Jul 15, 2025
Patent 12347550
IMAGING DISCOVERY UTILITY FOR AUGMENTING CLINICAL IMAGE MANAGEMENT
1y 9m to grant Granted Jul 01, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
75%
Grant Probability
99%
With Interview (+30.5%)
3y 0m (~5m remaining)
Median Time to Grant
High
PTA Risk
Based on 295 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month