DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
This final office action is in response to the amendments filed 11/21/2025, in which claims 1-3, 5-9, and 13-18 have been amended, no claims have been cancelled, and claims 1-18 remain pending in the application.
Response to Amendment
The amendment filed on 11/21/2025 has been entered. See response to amendments.
Response to Arguments
Applicant's amendments and arguments have been fully considered and are persuasive; however, the arguments are moot in view of the new ground of rejection below.
With respect to applicant's arguments regarding the remaining dependent claims 2-14 and 16-18 on page 10 of the remarks, the applicant is relying on the newly added amendments to independent claims 1 and 15. Please see the examiner's response above and the details of the rejection below.
Claim Objections
Claims 1 and 15 are objected to because of the following informalities: claims 1 and 15 recite "plurality of tenants"; it should be "the plurality of tenant networks", consistent with the recitation in the other parts of the claims.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-3, 5, 8, and 13-16 are rejected under 35 U.S.C. 103 as being unpatentable over Murphy et al. (US-20190379680-A1 hereafter Murphy), in view of Parekh et al. (US-20220210195-A1 hereafter Parekh).
Regarding claim 1, Murphy teaches a method for simultaneously monitoring and enhancing network security across a plurality of tenant networks configured to host a plurality of client applications, (see Murphy par.0089 “the monitored computing platform (e.g., computing platform 60) utilized by business today may be a highly complex, multi-location computing system/network that may span multiple buildings/locations/countries. For this illustrative example, the monitored computing platform (e.g., computing platform 60) is shown to include many discrete computing devices, examples of which may include but are not limited to: server computers (e.g., server computers 200, 202), desktop computers (e.g., desktop computer 204), and laptop computers (e.g., laptop computer 206), all of which may be coupled together via a network (e.g., network 208), such as an Ethernet network. Computing platform 60 may be coupled to an external network (e.g., Internet 210) through WAF (i.e., Web Application Firewall) 212. A wireless access point (e.g., WAP 214) may be configured to allow wireless devices (e.g., smartphone 216) to access computing platform 60. Computing platform 60 may include various connectivity devices that enable the coupling of devices within computing platform 60, examples of which may include but are not limited to: switch 216, router 218 and gateway 220. Computing platform 60 may also include various storage devices (e.g., NAS 222), as well as functionality (e.g., API Gateway 224) that allows software applications to gain access to one or more resources within computing platform 60”), the method comprising:
providing a Security Information, and Event Management (SIEM) management application configured to be hosted by a SIEM provider server, wherein the SIEM provider server is communicably coupled to the plurality of tenant networks, wherein each tenant network of the plurality of tenant networks comprises its own architecture (see Murphy Fig.1, Fig 3, and par.0089: “the monitored computing platform (e.g., computing platform 60) (tenant networks) utilized by business today may be a highly complex, multi-location computing system/network that may span multiple buildings/locations/countries. For this illustrative example, the monitored computing platform (e.g., computing platform 60) is shown to include many discrete computing devices, examples of which may include but are not limited to: server computers (e.g., server computers 200, 202), desktop computers (e.g., desktop computer 204), and laptop computers (e.g., laptop computer 206), all of which may be coupled together via a network (e.g., network 208), such as an Ethernet network.”, par.0092: “SIEM (i.e., Security Information and Event Management) system 230 may be deployed within computing platform 60. As is known in the art, SIEM system 230 is an approach to security management that combines SIM (security information management) functionality and SEM (security event management) functionality into one security management system. The underlying principles of a SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. For example, when a security event is detected, SIEM system 230 might log additional information, generate an alert and instruct other security controls to mitigate the security event. Accordingly, SIEM system 230 may be configured to monitor and log the activity of security-relevant subsystems 226 (e.g., CDN (i.e., Content Delivery Network) systems; DAM (i.e., Database Activity Monitoring) systems; UBA (i.e., User Behavior Analytics) systems; MDM (i.e., Mobile Device Management) systems; IAM (i.e., Identity and Access Management) systems; DNS (i.e., Domain Name Server) systems, antivirus systems, operating systems, data lakes; data logs; security-relevant software applications; security-relevant hardware systems; and resources external to the computing platform).”);
receiving, via the SIEM provider server, a SIEM status from the plurality of tenant networks (see Murphy par.0095: “threat mitigation process 10 may be configured to obtain and combine information from multiple security-relevant subsystem to generate a security profile for computing platform 60. For example, threat mitigation process 10 may obtain 300 first system-defined platform information (e.g., system-defined platform information 232) concerning a first security-relevant subsystem (e.g., the number of operating systems deployed) within computing platform 60 and may obtain 302 at least a second system-defined platform information (e.g., system-defined platform information 234) concerning at least a second security-relevant subsystem (e.g., the number of antivirus systems deployed) within computing platform 60.”, par.0097: “system-defined platform information 232 and/or system-defined platform information 234 may be obtained from SIEM system 230, wherein (and as discussed above) SIEM system 230 may be configured to monitor and log the activity of security-relevant subsystems 226”);
integrating, via the SIEM management application, the SIEM status of each of the plurality of tenants (see Murphy par.0148: “Threat mitigation process 10 may obtain 804 application performance information 248 concerning one or more applications (e.g., operating systems, user applications, security application, and utility application) deployed within computing platform 60. Application performance information 248 may concern the operation and/or functionality of one or more software applications (e.g., operating systems, user applications, security application, and utility application) deployed within computing platform 60.”, par.0167: “threat mitigation process 10 may be configured to e.g., aggregate data sets and allow for unified search of those data sets”, par.0170: “threat mitigation process 10 may combine 956 plurality of security-relevant information sets 258 to form an aggregated security-relevant information set 260 for computing platform 60.”);
Murphy does not explicitly teach the following limitations; however, Parekh teaches:
visualizing, via a graphical user interface of the SIEM management application, the SIEM status (see Parekh par.0038: “The trust platform 102 implements the trust platform GUI 112 to provide users with a “single pane of glass” for managing cloud assets on any combination of the CSPs 110. To do so, the trust platform 102 utilizes the trust platform APIs 114 to interact with the various CSPs 110 (e.g., to collect data from the various CSPs 110 which may be aggregated and formatted for view in a dashboard of the trust platform GUI 112, to deploy controls and manage accounts for cloud assets, etc.).”);
filtering, via the SIEM management application, the SIEM status based, at least in part, on a user input received via the graphical user interface (see Parekh par.0097: “FIG. 6 shows a view of a log analytics dashboard 601 of the trust platform GUI 112 of the trust platform 102. More specifically, the log analytics dashboard 601 shows a search pane 603 where a log search query may be entered, and a pane 605 where results of the log search query are presented. The pane 605 may be further filtered based on any of a set of log attributes (e.g., computer name, event time, facility, host IP address, hostname, process ID, process name, security level, source system, syslog message, tenant ID, time generated, type, etc.).”, further in par. 0388);
visualizing, via the graphical user interface, the filtered SIEM status (see Parekh par.0097: “FIG. 6 shows a view of a log analytics dashboard 601 of the trust platform GUI 112 of the trust platform 102. More specifically, the log analytics dashboard 601 shows a search pane 603 where a log search query may be entered, and a pane 605 where results of the log search query are presented. The pane 605 may be further filtered based on any of a set of log attributes (e.g., computer name, event time, facility, host IP address, hostname, process ID, process name, security level, source system, syslog message, tenant ID, time generated, type, etc.)”);
determining a change in status of at least one of the plurality of tenants, wherein the change in status comprises an update to an artifact (see Parekh par.0130: “a determination is made as to whether there are one or more discrepancies (status) between the specified one or more security and compliance controls and the deployed security and compliance controls. In step 1608, the one or more trust platform APIs 114 are utilized to modify one or more of the deployed security and compliance controls (artifact) for the subset of the plurality of cloud assets operating in the clouds of the CSPs 110 on which the one or more workloads of the given entity run responsive to determining that there are one or more discrepancies between the specified one or more security and compliance controls and the deployed security and compliance controls”);
selecting, via the graphical user interface, at least one client application of the plurality of client applications hosted by a subset of the plurality of tenant networks to update based, at least in part, on the filtered SIEM status and based on applicable tenants (see Parekh par.0101: “The asset management dashboard 901 includes a pane 903 listing the various cloud assets (e.g., VMs, containers, etc.) that an end-user is running across the various CSPs 110. The pane 903 includes columns indicating whether an asset is powered on, its associated CSP, the asset type (e.g., VM, container, etc.), asset name, hostname, IP address, OS, whether that asset has host security enabled, whether the asset has data-at-rest encryption enabled, etc. The asset management dashboard 901 may be filtered, such as to show all assets without host security or data-at-rest encryption enabled (or any other desired cloud asset attribute). This may be used to generate reports that may be downloaded by the user. The pane 903 also includes in the table a column of “actions” (update) that includes user interface features (e.g., buttons, links, etc.) that enable a user to perform various actions with respect to the cloud assets, such as editing or deleting such cloud assets, as well as accessing such assets.”, par.0130: “a determination is made as to whether there are one or more discrepancies between the specified one or more security and compliance controls and the deployed security and compliance controls. In step 1608, the one or more trust platform APIs 114 (GUI) are utilized to modify one or more of the deployed security and compliance controls for the subset of the plurality of cloud assets (applicable tenants) operating in the clouds of the CSPs 110 on which the one or more workloads of the given entity run responsive to determining that there are one or more discrepancies between the specified one or more security and compliance controls and the deployed security and compliance controls”);
generating, via the SIEM management application, a client application update, and an update alert based, at least in part, on the selection and change of status (see Parekh par.0137: “one or more application and data security and compliance policies, with 1706 including generating one or more application and data security and compliance controls that are deployed in step 1706 on ones of the monitoring tools in the first plurality of monitoring tools and the second plurality of monitoring tools that provide at least one of data encryption, vulnerability scanning, patch management, virus scanning and malware scanning for the subset of the plurality of cloud assets operating in the clouds of the CSPs 110 on which the one or more workloads of the given entity run. The one or more security and compliance policies for the given entity may further or alternatively comprise one or more monitoring and reporting (alert) security and compliance policies, with step 1704 including generating one or more monitoring and reporting security and compliance controls that are deployed in step 1706 on ones of the monitoring tools in the first plurality of monitoring tools and the second plurality of monitoring tools that provide at least one of security information and event management, security intelligence and operations, log management, alerting, and incident handling for the subset of the plurality of cloud assets operating in the clouds of the CSPs 110 on which the one or more workloads of the given entity run.”);
transmitting, via the SIEM management application, the update alert to the subset of the plurality of tenant networks; (see Parekh par.0137: “The one or more security and compliance policies for the given entity may further or alternatively comprise one or more monitoring and reporting security and compliance policies, with step 1704 including generating one or more monitoring and reporting security and compliance controls that are deployed in step 1706 on ones of the monitoring tools in the first plurality of monitoring tools and the second plurality of monitoring tools that provide at least one of security information and event management, security intelligence and operations, log management, alerting, and incident handling for the subset of the plurality of cloud assets operating in the clouds of the CSPs 110 on which the one or more workloads of the given entity run.”); and
updating, via the subset of the plurality of tenant networks, the at least one client application based, at least in part, on the update alert (see Parekh par.0138: “providing, at the trust platform GUI 112 of the trust platform 102, a unified view of the one or more security and compliance policies for the given entity running the one or more workloads on the subset of the plurality of cloud assets operating in the clouds of the CSPs 110. Step 1708 may include providing user interface features indicating whether individual ones of a set of security and compliance policies are to be utilized for the subset of the plurality of cloud assets operating in the clouds of the two or more cloud service providers on which the one or more workloads of the given entity run. Step 1708 may also or alternatively comprise providing user interface features for modifying one or more previously-specified security and compliance policies for the given entity.”), wherein updating the at least one client application enhances the network security for the subset of the plurality of tenant networks (see Parekh par.0139: “the unified view of security and compliance for the one or more workloads of the given entity comprises a policy management dashboard (e.g., 701), the policy management dashboard comprising a pane (e.g., 703) with a set of user interface features for inputting the specification of the one or more security and compliance policies for the given entity. The one or more security and compliance policies for the given entity may comprise one or more vulnerability management policies, and the set of user interface features may comprise user interface features for specifying remediation timelines for two or more different categories of vulnerabilities. The one or more security and compliance policies for the given entity may also or alternatively comprise one or more log management policies, such as a log forwarding policy where the set of user interface features comprises user interface features for specifying a destination address information for a destination to which logs generated by the subset of the plurality of cloud assets operating in the clouds of the CSPs 110 on which the one or more workloads of the given entity run are to be forwarded to.”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Murphy's teaching “The plurality of security-relevant information sets may be combined to form an aggregated security-relevant information set for the computing platform based, at least in part, upon the one or more commonalities identified. Combining the plurality of security-relevant information sets to form an aggregated security-relevant information set for the computing platform based, at least in part, upon the one or more commonalities identified may include: homogenizing the plurality of security-relevant information sets to form the aggregated security-relevant information set. Establishing connectivity with a plurality of security-relevant subsystems may include: utilizing at least one application program interface to access at least one of the plurality of security-relevant subsystems. Processing the plurality of security-relevant information sets using artificial learning/machine learning to identify one or more commonalities amongst the plurality of security-relevant information sets”, (see Murphy par.0005) with Parekh's teaching “The trust platform 102 implements the trust platform GUI 112 to provide users with a “single pane of glass” for managing cloud assets on any combination of the CSPs 110. To do so, the trust platform 102 utilizes the trust platform APIs 114 to interact with the various CSPs 110 (e.g., to collect data from the various CSPs 110 which may be aggregated and formatted for view in a dashboard of the trust platform GUI 112, to deploy controls and manage accounts for cloud assets, etc.). Data collected from the various cloud assets by the trust platform APIs 114 may be stored in the trust platform data store 108. The trust platform GUI 112 includes various interface features that facilitate automated management of the cloud assets through use of the trust platform APIs 114 and the functionality of the modules 116 through 122.”, (see Parekh par.0038).
The motivation to combine would have been “The telemetry data management module 116 advantageously brings together such security and compliance telemetry data to provide a unified view (e.g., via the “single pane of glass” of the trust platform GUI 112) for characterizing security, compliance and business risk across multi-cloud and hybrid workloads.”, (see Parekh par.0041).
Regarding claim 15, claim 15 is a system claim that recites similar limitations as method claim 1 and is rejected based on the same rationale as claim 1. Murphy further teaches a Security Information, and Event Management (SIEM) provider server communicably coupled to the plurality of tenant networks, wherein the SIEM provider server comprises a processor, and a memory, wherein the memory is configured to store a SIEM management application that, when executed by the processor, causes the processor to perform the recited steps (see Murphy par.0031: “The instruction sets and subroutines of threat mitigation process 10s, which may be stored on storage device 16 coupled to computing device 12, may be executed by one or more processors (not shown) and one or more memory architectures (not shown) included within computing device 12. Examples of storage device 16 may include but are not limited to: a hard disk drive; a RAID device; a random access memory (RAM); a read-only memory (ROM); and all forms of flash memory storage devices.”).
Regarding claim 2, Murphy in view of Parekh discloses the method of claim 1. Parekh further discloses wherein the SIEM status comprises at least one of a tenant name, a client name, and a client application version for each tenant of the plurality of tenant networks, or combinations thereof (see Parekh par.0097: “The pane 605 may be further filtered based on any of a set of log attributes (e.g., computer name, event time, facility, host IP address, hostname, process ID, process name, security level, source system, syslog message, tenant ID, time generated, type, etc.).”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Murphy in view of Parekh as applied to claim 1 with Parekh's teaching “Log management and analytics views of the trust platform GUI 112 of the trust platform 102, for example, may give end-users the power and flexibility to perform ad-hoc queries against the logs collected for security and compliance, as well as the capability to export filtered or full data for archiving, analysis and reporting purposes. User management views of the trust platform GUI 112 of the trust platform 102 provide an entitlements management interface for the trust platform 102. Asset management views of the trust platform GUI 112 of the trust platform 102 catalog all tenant assets with key information and the status of security services. Compliance reporting views of the trust platform GUI 112 of the trust platform 102 offer one place to download the latest compliance reports, and may support various standards such as Type 2 SOC 2 and HITRUST with Cloud Security Alliance (CSA) Cloud Controls Matrix, Type 2 Attestation (AT-C 105 and AT-C 205) HIPAA/HITECH.”, (see Parekh par.0091).
Regarding claim 3, Murphy in view of Parekh discloses the method of claim 2. Parekh further discloses wherein the user input comprises at least one of the tenant name, the client name, and the client application version for each tenant of the plurality of tenant networks, or combinations thereof (see Parekh par.0097: “the log analytics dashboard 601 shows a search pane 603 where a log search query may be entered, and a pane 605 where results of the log search query are presented. The pane 605 may be further filtered based on any of a set of log attributes (e.g., computer name, event time, facility, host IP address, hostname, process ID, process name, security level, source system, syslog message, tenant ID, time generated, type, etc.).”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Murphy in view of Parekh as applied to claim 1 with Parekh's teaching “The trust platform 102, via the trust platform GUI 112, may provide various interfaces for: log management trend analysis; cybersecurity management, including but not limited to management of firewalls, anti-virus, anti-malware, intrusion detection and prevention, etc.; searching, monitoring and analyzing “big data”; identity and access management; compliance services; viewing security alerts; viewing intrusion attempts”, (see Parekh par.0080).
Regarding claim 5, Murphy in view of Parekh discloses the method of claim 1. Parekh further discloses wherein the SIEM provider server comprises a memory configured to store a plurality of rules associated with a deployment need for each tenant of the plurality of tenant networks (see Parekh par.0036: “Each such processing device generally comprises at least one processor and an associated memory, and implements one or more functional modules for controlling certain features of the trust platform 102, such as the trust platform GUI 112 and trust platform application programming interfaces (APIs) 114. In the FIG. 1 embodiment, the trust platform 102 implements a telemetry data management module 116, a security and compliance control management module 118,”), and wherein generating the update alert is based, at least in part, on at least one rule of the plurality of rules that is associated with the subset of the plurality of tenant networks (see Parekh par.0099: “the policy dashboard 701 may include a tab or other page or view that permits selection of policy settings for alerts (e.g., thresholds for triggering alerts, classification of alerts into different alerts categories such as low, medium, high, critical, etc.), access keys or other credential management (e.g., the types of users and number of users that may be granted ephemeral just in time access credentials for cloud assets of the CSPs 110). Policy settings may also be used for generation of security and compliance (rules) controls for monitoring tools deployed on the CSPs 110, in addition to security and compliance controls for cloud assets themselves. Such policy settings may relate to perimeter security (e.g., firewall, network IDS (NIDS), network IPS (NIPS), penetration testing), network security (NIDS, NIPS, vulnerability scanning, network segregation, network segmentation), host security (host firewall, host IDS (HIDS), anti-malware, anti-virus, file integrity monitoring (FIM), OS patch management, vulnerability scanning), application and data security (transparent data encryption, vulnerability scanning, patch management, virus and malware scanning), monitoring and reporting (security information and event management (SIEM), security intelligence and operations, log management, alerting, incident handling, eyes on glass)”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Murphy in view of Parekh as applied to claim 1 with Parekh's teaching “The at least one processing device is further configured to perform the steps of determining whether there are one or more discrepancies between the specified one or more security and compliance controls and the deployed security and compliance controls, and modifying, utilizing the one or more application programming interfaces of the trust platform, one or more of the deployed security and compliance controls for the subset of the plurality of cloud assets operating in the clouds of the two or more cloud service providers on which the one or more workloads of the given entity run responsive to determining that there are one or more discrepancies between the specified one or more security and compliance controls and the deployed security and compliance controls.”, (see Parekh par.0004).
Regarding claim 16, claim 16 is a system claim that recites similar limitations as method claim 5 and is rejected based on the same rationale as claim 5.
Regarding claim 8, Murphy in view of Parekh and Roberts discloses the method of claim 6. Parekh further teaches wherein a deployment need for the subset of the plurality of tenant networks comprises a firewall monitoring protocol (see Parekh par.0126: “[T]he unified view of security and compliance for the one or more workloads of the given entity may further or alternatively comprise one or more security and compliance report generation dashboards. The one or more security and compliance report generation dashboards may comprise a firewall auditing dashboard (e.g., 1001) comprising a pane (e.g., 1003) listing one or more firewall auditing reports for the subset of the plurality of cloud assets operating in the clouds of the two or more cloud service providers on which the one or more workloads of the given entity run, and one or more interface features for at least one of viewing and downloading respective ones of the one or more firewall auditing reports.”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Murphy in view of Parekh and Roberts as applied to claim 6 with Parekh's teaching “The one or more security and compliance policies for the given entity may further or alternatively comprise one or more host security and compliance policies, with step 1704 including generating one or more host security and compliance controls that are deployed in 1706 on ones of the monitoring tools in the first plurality of monitoring tools and the second plurality of monitoring tools that provide at least one of host firewall, host instruction detection, host intrusion prevention, anti-virus, anti-malware, file integrity monitoring, operating system patch management and vulnerability scanning for the subset of the plurality of cloud assets operating in the clouds of the CSPs 110 on which the one or more workloads of the given entity run.”, (see Parekh par.0136).
Regarding claim 13, Murphy in view of Parekh discloses the method of claim 1. Parekh further discloses wherein the SIEM status comprises a number of deployed client applications, a number of deprecated client applications, and a number of disabled client applications for each tenant of the plurality of tenant networks, or combinations thereof (see Parekh par.0101: “an asset management dashboard 901 of the trust platform GUI 112 of the trust platform 102. The asset management dashboard 901 includes a pane 903 listing the various cloud assets (e.g., VMs, containers, etc.) that an end-user is running across the various CSPs 110. The pane 903 includes columns indicating whether an asset is powered on, its associated CSP, the asset type (e.g., VM, container, etc.), asset name, hostname, IP address, OS, whether that asset has host security enabled, whether the asset has data-at-rest encryption enabled, etc.”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Murphy in view of Parekh as applied to claim 1 with Parekh's teaching “The asset management dashboard 901 may be filtered, such as to show all assets without host security or data-at-rest encryption enabled (or any other desired cloud asset attribute). This may be used to generate reports that may be downloaded by the user. The pane 903 also includes in the table a column of “actions” that includes user interface features (e.g., buttons, links, etc.) that enable a user to perform various actions with respect to the cloud assets, such as editing or deleting such cloud assets, as well as accessing such assets.”, (see Parekh par.0101).
Regarding claim 14, Murphy in view of Parekh discloses the method of claim 1. Murphy further discloses wherein the plurality of tenant networks are remotely located relative to the SIEM provider server (see Murphy par.0089: “the monitored computing platform (e.g., computing platform 60) utilized by business today may be a highly complex, multi-location computing system/network that may span multiple buildings/locations/countries. For this illustrative example, the monitored computing platform (e.g., computing platform 60) is shown to include many discrete computing devices, examples of which may include but are not limited to: server computers (e.g., server computers 200, 202), desktop computers (e.g., desktop computer 204), and laptop computers (e.g., laptop computer 206), all of which may be coupled together via a network (e.g., network 208), such as an Ethernet network. Computing platform 60 may be coupled to an external network (e.g., Internet 210) through WAF (i.e., Web Application Firewall) 212. A wireless access point (e.g., WAP 214) may be configured to allow wireless devices (e.g., smartphone 216) to access computing platform 60.”, par.0092: “SIEM (i.e., Security Information and Event Management) system 230 may be deployed within computing platform 60. As is known in the art, SIEM system 230 is an approach to security management that combines SIM (security information management) functionality and SEM (security event management) functionality into one security management system.”).
Claims 4, 9, 10, and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Murphy et al. (US-20190379680-A1, hereafter Murphy), in view of Parekh et al. (US-20220210195-A1, hereafter Parekh), in further view of Cristofi et al. (US-20210117251-A1, hereafter Cristofi).
Regarding claim 4, Murphy in view of Parekh discloses the method of claim 2. Murphy in view of Parekh do not explicitly teach, however Cristofi teaches, wherein selecting the at least one client application is further based on a second user input received via the graphical user interface (see Cristofi par.0907: “If a user searches for a keyword that has not been indexed by the indexing system 212, the data intake and query system 108 may nevertheless be able to retrieve the events by searching the event data for the keyword in the raw record data store directly… if a user searches for the keyword "frank", and the name "frank" has not been indexed at search time, the query system 214 can search the event data directly and return the first event 1312. Note that whether the keyword has been indexed at index time or search time or not, in both cases the raw data with the events 1311 is accessed from the raw data record store to service the keyword search.”), and wherein the second user input comprises at least one of a tenant name associated with the at least one client application, a client name associated with the at least one client application, and a client application version associated with the at least one client application, or combinations thereof. (See Cristofi par.0908: “a user's search will also include fields. The term "field" refers to a location in the event data containing one or more values for a specific data item. Often, a field is a value with a fixed, delimited position on a line, or a name and value pair, where there is a single value to each field name. A field can also be multivalued, that is, it can appear more than once in an event and have a different value for each appearance, e.g., email address fields. Fields are searchable by the field name or field name-value pairs. Some examples of fields are "client ip" for IP addresses accessing a web server, or the "From" and "To" fields in email addresses.”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Murphy in view of Parekh teaching of claim 1 with Cristofi teaching “one or more components of the indexing system can be shared between multiple tenants. For example, in certain cases, the embodiment of the indexing system 212 illustrated in FIG. 4B can be configured for use by tenants. In some such cases, an ingest manager 406, partition manager 408, and/or indexing node 404 may concurrently receive and process data from multiple tenants.” (see Cristofi par.0279).
Regarding claim 9, Murphy in view of Parekh discloses the method of claim 5. Murphy in view of Parekh do not explicitly teach, however Cristofi teaches, further comprising storing the generated client application update in the memory (see Cristofi par.1040: “Once a user has codified a playbook using a visual playbook editor or other interface, the playbook can be saved (for example, in a multi-tenant database 1736 and in association with one or more user accounts)”, par.1096: “Computer system 1600 also includes a main memory 1606, such as a random access memory (RAM) or other dynamic or volatile storage device, coupled to bus 1602 for storing information and instructions to be executed by processor 1604. Main memory 1606 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 1604.”, further in par.1026: “…a last time the playbook was updated”), wherein updating the at least one client application further comprises retrieving, via the subset of the plurality of tenant networks, the generated client application update from the memory. (See Cristofi par.1040: “run by the IT and security operations application 1702 on-demand. As illustrated in the example playbooks above, a playbook includes a "start" block that is associated with source code that begins execution of the playbook. More particularly, the IT and security operations application 1702 executes the function represented by the start block for a playbook with container context comprising data about the incident against which the playbook is executed, where the container context may be derived from input data from one or more configured data sources.”, par.1096: “Computer system 1600 also includes a main memory 1606, such as a random access memory (RAM) or other dynamic or volatile storage device, coupled to bus 1602 for storing information and instructions to be executed by processor 1604. Main memory 1606 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 1604.”, further in par.1026: “…a last time the playbook was updated”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Murphy in view of Parekh teaching of claim 1 with Cristofi teaching “an incident management service 1728 is responsible for obtaining incidents, either directly from various data sources in tenant networks or directly based on data ingested by the data intake and query system 108 via the gateway 215. In some embodiments, the mission control service 1708 provides user interfaces to users of the application, among other processes described herein. Using these user interfaces, users of the IT and security operations application 1702 can perform various application-related operations, view displays of incident-related information, and can configure administrative settings, license management, content management settings, and so forth. In some embodiments, an artifact information service 1732 manages artifacts associated with incidents received by the application, where incident artifacts can include information such as IP addresses, user names, file hashes, and so forth.” (see Cristofi par.1013).
Regarding claim 10, Murphy in view of Parekh discloses the method of claim 5. Murphy in view of Parekh do not explicitly teach, however Cristofi teaches, wherein the memory is further configured to store an artifact template (see Cristofi par.1096: “Computer system 1600 also includes a main memory 1606, such as a random access memory (RAM) or other dynamic or volatile storage device, coupled to bus 1602 for storing information and instructions to be executed by processor 1604. Main memory 1606 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 1604.”, par.1013: “an incident management service 1728 is responsible for obtaining incidents, either directly from various data sources in tenant networks or directly based on data ingested by the data intake and query system 108 via the gateway 215. In some embodiments, the mission control service 1708 provides user interfaces to users of the application, among other processes described herein. Using these user interfaces, users of the IT and security operations application 1702 can perform various application-related operations, view displays of incident related information, and can configure administrative settings, license management, content management settings, and so forth. In some embodiments, an artifact information service 1732 manages artifacts associated with incidents received by the application, where incident artifacts can include information such as IP addresses, user names, file hashes, and so forth.”), and wherein generating the update alert is further based on the stored artifact template. (See Cristofi par.1017: “IT and security operations application 1702 can be configured to create and recognize different types of incidents depending on the corresponding type of data ingested, such as "IT incidents" for IT operations-related incidents, "security incidents" for security-related incidents, and so forth. An incident can further include any number of events and "artifacts," where each event and artifact represents an item of data associated with the incident. As a non-limiting example, an incident used to represent data ingested from an anti-virus service and representing a security-related incident might include an event indicating the occurrence of the incident and associated artifacts indicating a name of the virus, a hash value of a file associated with the virus, a file path on the infected endpoint, and so forth.”, par.1041: “IT and security operations applications 1702, such as the SPLUNK PHANTOM™ application, include the ability for users to create, customize, and use "workbooks." At a high level, a workbook enables users to codify an organization's standard operating procedures (SOPs) and other defined processes for responding to incidents (for example, security threats, operational issues, etc.) within an IT environment into reusable templates… Different workbook templates can be defined for responding to different types of incidents, for example, one workbook template might be created to help analysts investigate and respond to computer security incidents, while another workbook template can be created to help analysts recover from and report significant hardware failures, and so forth.”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Murphy in view of Parekh teaching of claim 1 with Cristofi teaching “the IT and security operations application 1702 further generates and stores data related to its operation and use by various tenants including, for example, playbook data, workbook data, user account settings, configuration data, and historical data (such as, for example, data indicating actions taken by various users relative to particular incidents or artifacts, data indicating responses from IT assets based on action executions, and so forth), in one or more multi-tenant databases 1736. In other embodiments, some or all of the data above is stored in storage managed by the data intake and query system 108 and accessed via the gateway 215. These multi-tenant database(s) 1736 may operate on a same computer system as the IT and security operations application 1702” (see Cristofi par.1019).
Regarding claim 12, Murphy in view of Parekh discloses the method of claim 10. Murphy in view of Parekh do not explicitly teach, however Cristofi teaches, further comprising:
generating a new template comprising at least one of a new rule, a new workbook, and a new playbook, or combinations thereof, based on the SIEM status; and storing the new template in the memory. (See Cristofi par.1042: “if a workbook includes a task of obtaining a particular log file at one or more endpoint devices associated with an incident, that task can be associated with an automated action or playbook for obtaining the relevant log files without additional manual user involvement. A user may specify a set of one or more executable actions, playbooks, or a combination thereof, in association with some or all of a workbook's tasks as part of the workbook template configuration process. In some embodiments, the IT and security operations application 1702 can additionally or alternatively automatically associate actions and playbooks with particular tasks, for example, by matching tasks to possible actions/playbooks based on an analysis of the text or other attributes associated with phase/task definitions.”, par.1045: “an IT and security operations application 1702 may include various GUIs that can be used to define workbook templates and to interact with workbook instances. FIG. 20 illustrates an example workbook template configuration interface used to create a workbook template according to some embodiments. As illustrated in FIG. 20, a workbook template configuration interface 2000 includes interface elements for specifying information about a workbook template generally, and additional interface elements used to define the phases and tasks associated with the workbook.”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Murphy in view of Parekh teaching of claim 1 with Cristofi teaching “when an action associated with a task is executed, the IT and security operations application 1702 can monitor the action's execution and determine whether the action executed successfully (for example, if an action is configured to terminate a process running on an endpoint device, the IT and security operations application 1702 can determine whether the action was actually able to successfully connect to the endpoint device and terminate the process). This information can be collected over time and used, for example, to display actions/playbooks associated with various tasks in an order that reflects how successful each action/playbook historically has been in completing the task so that analysts can be guided to those actions/playbooks most likely to successfully complete a task. In some embodiments, this data can be collected and analyzed on a per-tenant basis and, in some embodiments, collected and analyzed across some or all tenants of the IT and security operations application 1702.” (see Cristofi par.1044).
Claims 6, 7, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Murphy et al. (US-20190379680-A1, hereafter Murphy), in view of Parekh et al. (US-20220210195-A1, hereafter Parekh), in further view of Roberts et al. (US-11714683-B1, hereafter Roberts).
Regarding claim 6, Murphy in view of Parekh discloses the method of claim 5. Murphy in view of Parekh do not explicitly teach, however Roberts teaches, further comprising correlating, via the SIEM management application, the plurality of rules into a plurality of playbooks based, at least in part, on the deployment need for each tenant of the plurality of tenant networks. (See Roberts Col.44 lines 33-45: “the IT and security operations application 502 also generates and stores data related to its operation and activity conducted by various tenant users including, for example, playbook data, workbook data, user account settings, configuration data, and historical data (such as, for example, data indicating actions taken by various users relative to particular incidents or artifacts, data indicating responses from IT assets based on action executions, and so forth), in one or more multi-tenant databases 536. In other embodiments, some or all of the data above is stored in storage managed by the data intake and query system 102 and accessed via the gateway 546. These multi-tenant database(s) 536 may operate on a same computer system as the IT and security operations application 502”, Col.49 lines 65-67 – Col.50 lines 1-15: “Once a user has codified a playbook using a visual playbook editor or other interface, the playbook can be saved (for example, in a multi-tenant database 536 and in association with one or more user accounts) and run by the IT and security operations application 502 on-demand. As illustrated in the example playbooks above, a playbook includes a “start” block that is associated with source code that begins execution of the playbook. More particularly, the IT and security operations application 502 executes the function represented by the start block for a playbook with container context comprising data about the incident against which the playbook is executed, where the container context may be derived from input data from one or more configured data sources. A playbook can be executed manually in response to a user providing input requesting execution of the playbook, or playbooks can be executed automatically in response to the IT and security operations application 502 obtaining input events matching certain criteria.”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Murphy in view of Parekh teaching of claim 5 with Roberts teaching “one or more IT assets 514 can be configured as a source of incident information that is ingested by an IT and security operations application 502. The types of IT assets 514 that can be configured in the IT and security operations application 502 may be determined in some cases based on which connectors 522 are installed for a particular user. In some embodiments, automated actions can be configured with respect to various IT assets 514 using playbooks, described in more detail elsewhere herein. Each IT asset 514 may be hosted in an on-premises tenant network, a cloud-based provider network, or any other network or combination thereof.” (see Roberts Col.45 lines 56-67).
Regarding claim 17, it is a system claim that recites similar limitations as method claim 6 and is rejected based on the same rationale as claim 6.
Regarding claim 7, Murphy in view of Parekh and Roberts discloses the method of claim 6. Roberts further teaches wherein the graphical user interface comprises a playbook widget, wherein selecting the at least one client application is further based on a user interaction with the playbook widget via the graphical user interface (see Roberts Col.47 lines 18-30: “Using the playbook management interface 600, for example, a user can select the “create new playbook” interface element from interface elements 604. Once a user has provided input requesting the creation of a new playbook, the IT and security operations application 502 causes display of a visual playbook editor interface including a graphical canvas on which users can add nodes representing operations to be performed during execution of the playbook, where the operations are implemented by associated source code that can be automatically generated by the visual playbook editor, and add connections or edges among the nodes defining an order in which the represented operations are to be performed upon execution.”), and wherein generating the update alert is based, at least in part, on at least one playbook of the plurality of playbooks that is associated with the subset of the plurality of tenant networks. (See Roberts Col.54 lines 17-51: “the playbook execution engine 1108 (e.g., which may be part of the OAR service 516 or any other component of an IT and security operations application 502) executes various playbooks from time to time (e.g., including playbook 1102A, . . . , playbook 1102N). As described in more detail hereinafter, execution of a playbook generally involves the playbook execution engine 1108 executing the function blocks of the playbook in an order defined by a control flow associated with the playbook (and possibly further based on a container context comprising data about an incident associated with the execution of the playbook). For example, a playbook 1102A includes any number of function blocks 1104A, . . . , through function block 1104N and a playbook 1102A includes functions block 1106A, . . . , 1106N. Some of the function blocks of playbook 1102A and playbook 1102N may be a same, reusable function block that can be used across any number of playbooks (e.g., template function blocks provided by the IT and security operations application 502), while other function blocks may represent custom code function blocks developed by individual users of the IT and security operations application… a playbook can be executed automatically responsive to an IT and security operations application 502 identifying one or more incidents matching certain triggering criteria associated with the playbook. In general, each playbook can include any number and combination of function blocks depending on the desired functionality to be implemented by the playbook. While only two playbooks are illustrated in FIG. 10, in general, an IT and security operations application 502 can be associated with any number of distinct playbooks associated with any number of separate users or tenants of the application.”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Murphy in view of Parekh and Roberts teaching of claim 6 with Roberts teaching “one aspect of an IT and security operations application is the execution of playbooks used to automate the performance of actions within users' IT environments. A playbook, for example, generally comprises a collection of function blocks, where at least some of the function blocks are defined by executable program code that performs specified functionality when the function blocks are encountered during execution of a playbook containing the function blocks (e.g., to configure firewall settings, obtain enrichment data for an incident, restart a server, etc.). Playbooks can be executed automatically, for example, responsive to the identification of incidents matching certain criteria” (see Roberts Col.53 lines 15-26).
Regarding claim 18, it is a system claim that recites similar limitations as method claim 7 and is rejected based on the same rationale as claim 7.
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Murphy et al. (US-20190379680-A1, hereafter Murphy), in view of Parekh et al. (US-20220210195-A1, hereafter Parekh), in view of Cristofi et al. (US-20210117251-A1, hereafter Cristofi), in further view of Sridhar et al. (US-10999164-B1, hereafter Sridhar).
Regarding claim 11, Murphy in view of Parekh and Cristofi discloses the method of claim 10. Murphy in view of Parekh and Cristofi appear to be silent on wherein the stored artifact template comprises a writable json file.
However, Sridhar teaches wherein the stored artifact template comprises a writable json file. (See Sridhar Col.208 lines 51-63: “upon saving a playbook that does not include custom code, a client application 2704 may send data representing the playbook (e.g., source code, XML, JSON, JavaScript, another structured way in which to describe the codeblocks and connections between codeblocks, and/or a combination of the preceding) to the IT and security operations application 1602 executing within a provider network 1604. In this scenario, the IT and security operations application 1602 may save the playbook data in association with the user's account at storage resources provisioned in the provider network 1604, and may further execute the playbook on demand using compute resources provisioned within the provider network 1604.”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Murphy in view of Parekh and Cristofi teaching of claim 10 with Sridhar teaching “a playbook 2710 is represented using a JSON-formatted description that includes metadata related to the playbook, identifies the codeblocks comprising the playbook, and further includes any custom code included in the playbook.” (see Sridhar Col.211 lines 3-7).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Beals et al. (US-11182163-B1): customization of courses of action for responding to incidents in information technology (IT) environments. An incident management service executes incident response monitoring, identification and remediation across an IT environment for one or more entities that may have their own configuration of computing assets (computing environment) within the IT environment. A course of action outlines remediation actions for responding to specific types of incidents within an IT environment. Improving analyst interaction with an incident management service including provision of an improved graphical user interface (GUI) for incident response processing; improving interaction between tenants and analysts of an incident management service; and improving scalability of an incident management service where an IT environment comprises multiple different entity-specific computing environments, among other technical advantages.
Gruss et al. (US-9601000-B1): prioritized alerts can be consolidated based on attributes in common to enable specific investigators to focus on similar and/or related alerts. Such a technique is well suited for adaptive authentication (AA) and Security Information and Event Management (SIEM) systems among other alert-based systems such as churn analysis systems and malfunction detection systems.
Liang et al. (US-20150264011-A1): methods are described for conducting work flow by an SIEM device to carry out a complex task. For example, an SIEM device may create a work flow or work flow template for conducting a complex function that may be made up of multiple tasks that are executed by multiple security devices. The tasks may be conducted automatically and the results of previous tasks in the work flow may be transferred to subsequent tasks. An SIEM device 113 is connected to headquarters network 110. SIEM device 113 may schedule vulnerability scanner 114 of headquarters network 110 and other vulnerability scanners of branch office networks 121-124 to scan computing/networking devices of the networks for vulnerabilities. Vulnerability scanner 114 may be any kind of vulnerability management device that may be used for identifying and mitigating vulnerabilities that exist in computers or other network appliances.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUILIO MUNGUIA whose telephone number is (571)270-5277. The examiner can normally be reached M-F 9:30 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DUILIO MUNGUIA/Examiner, Art Unit 2497
/ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497