Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Currently pending claims are 1 – 20.
Response to Arguments
Applicant's arguments with respect to the subject matter of the instant claims have been fully considered but are not persuasive.
As per claim 19, Applicant disagrees with the rejection under 35 U.S.C. 101 of the claimed invention as directed to non-statutory subject matter, arguing that claim 19 is directed to an apparatus (Remarks: Pages 6 – 7). Examiner respectfully disagrees, for the following reasons.
(a) a server such as a Security Information and Event Management (SIEM) provider server could be a functional software entity, especially since the specification states that the term “server” may refer to one or more computing devices (SPEC [0019]); the server is thus not limited to being hardware, since “may” can be interpreted as permitting the server to be other than exclusively hardware; and
(b) the nominal recitation of the machine/device in the preamble, with an absence of a hardware element in the body of the claim, fails to make the claim statutory under 35 U.S.C. 101. See Am. Med. Sys., Inc. v. Biolitec, Inc., 618 F.3d 1354, 1358 (Fed. Cir. 2010). See also Ex parte Cohen et al. (Appeal No. 2009-011366) for details. The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim so that the claim is directed to statutory subject matter under 35 U.S.C. 101. As such, Applicant's arguments are respectfully traversed.
As per claim 1, Applicant asserts that the prior art does not teach “wherein the JSON based solution bundle defines at least one of a resource group, a log analytics workspace, a data connector, an alert rule, a playbook, or a workbook for the tenant server” (Remarks: Pages 7 – 8). Examiner respectfully disagrees because Cristofi teaches an intake system that communicates "data records" from ingestion buffers as JSON messages in the form of JSON blobs (i.e., small lumps / collections), which constitute a JSON-based bundle, and the data record can include, at least, a resource group, such as data associated with a particular tenant or a reference to a location (e.g., a physical or logical directory, file name, etc.) that stores the data associated with the tenant that is to be processed by the indexing system (Cristofi: Para [0647] / [0258]).
As per claim 1, Applicant asserts that the prior art does not teach (i) generating a proposed SIEM protocol, wherein the proposed SIEM protocol is based, at least in part, on the JSON-based solution bundle, and (ii) wherein the proposed SIEM protocol is configured to govern how the data connector controls the flow of data to and from the log source (Remarks: Pages 7 – 9). Examiner respectfully disagrees, for the following reasons.
(a) First of all, the term "protocol" generally means a set of procedures specifying what actions to take in a certain situation for specific uses;
(b) In light of that, Milazzo teaches generating / providing / proposing a SIEM rule query that involves evaluation and communication of various "data records" from different sources associated with a specific use of a SIEM rule management system along with a SIEM database / data-store (Milazzo: Para [0078] / [0057] & FIG. 1) – this can be construed as one type of "SIEM protocol"; and
(c) Cristofi teaches communicating the "data records" from ingestion buffers as JSON messages in the form of JSON blobs (i.e., small lumps / collections), which constitute a JSON-based bundle, and the data record can include, at least, a resource group (Cristofi: Para [0647] / [0258]); further, a tunnel bridge (i.e., a data connector) is a cloud-based service configured to transfer data between an IT and security operations application (i.e., a SIEM management application) and various data sources of IT assets (i.e., one type of log source) via established secure communication channels, so as to control a flow of data to and from a target log source (Cristofi: see above & Para [1051] – [1053] and Para [1090]). Accordingly, in view of (a) – (c), the combination of Cristofi & Milazzo indeed teaches generating a proposed SIEM protocol, wherein the proposed SIEM protocol is based, at least in part, on the JSON-based solution bundle so as to govern how the data connector controls the flow of data to and from the log source (i.e., database or data-store), thereby meeting the claim language. As such, Applicant's arguments are respectfully traversed.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim 19 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter: “A Security Information, and Event Management (SIEM) provider server” as recited in the claim does not fall into any of the statutory classes defined in 35 U.S.C. 101. It may be directed merely to software per se, or the claimed subject matter may be drawn to an abstract architectural structure, because
(a) a server such as a Security Information and Event Management (SIEM) provider server could be a functional software entity, especially since the specification states that the term “server” may refer to one or more computing devices (SPEC [0019]); the server is thus not limited to being hardware, since “may” can be interpreted as permitting the server to be other than exclusively hardware; and
(b) a nominal recitation of the machine/device in the preamble, with an absence of a hardware element in the body of the claim, fails to make the claim statutory under 35 U.S.C. 101. See Am. Med. Sys., Inc. v. Biolitec, Inc., 618 F.3d 1354, 1358 (Fed. Cir. 2010). See also Ex parte Cohen et al. (Appeal No. 2009-011366) for details. The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim so that the claim is directed to statutory subject matter under 35 U.S.C. 101. Any other claims not addressed are rejected by virtue of their dependency.
Double Patenting
The nonstatutory (or provisional) double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent is shown to be commonly owned with this application. See 37 CFR 1.130(b).
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 1 – 20 are rejected under the judicially created doctrine of double patenting as being unpatentable over claims 1 – 12 of U.S. Patent No. 12,105,797. Although the conflicting claims are not identical, they are not patentably distinct from each other, because the listed claims of the U.S. Patent contain virtually every element of the listed claims of the instant application and thus anticipate the claims of the instant application. The claims of the instant application therefore are not patentably distinct from the earlier patent claims and as such are unpatentable under obviousness-type double patenting. A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus); Eli Lilly and Company v. Barr Laboratories, Inc. (Fed. Cir. May 30, 2001) (on petition for rehearing en banc).
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 7 – 11 & 17 – 19 are rejected under 35 U.S.C. 103 as being unpatentable over Cristofi et al. (U.S. Patent 2021/0117251), in view of Milazzo et al. (U.S. Patent 2020/0186569).
As per claims 1 & 19, Cristofi teaches a method of enhancing network security, the method comprising:
providing a Security Information, and Event Management (SIEM) management application configured to be hosted by a SIEM provider server (Cristofi: Figure 17, Para [1006] / [1015], and Para [1017]: (a) an IT and security operations application ingests data from a SIEM system (Cristofi: Figure 17 & Para [1015]), which constitutes a part of a SIEM management application, and (b) the SIEM management application is hosted on a provider network comprising various network provider servers (server computing systems) that include, at least, a SIEM provider server and a tenant (customer) provider server), wherein the SIEM provider server is communicably coupled to a tenant server (Cristofi: see above & Figure 17 / E-1736 and Para [1004] / [1006] / [1023] / [1107] / [1017]: coupling to multi-tenant database servers);
coupling, via a data connector, the SIEM management application to a log source hosted by the tenant server (Cristofi: see above & FIG. 23 / E-2306, E-1702, FIG. 17, Para [1008] / [1015] / [0123] / [1053] and Para [1017]: using a tunnel bridge (i.e., a data connector) to communicate between the SIEM management application (i.e., IT and security operations application) and a data source of IT assets (i.e., one type of log source) hosted by a tenant server of a tenant network), wherein the data connector is configured to control a flow of data to and from the log source (Cristofi: see above & Para [1051] – [1053] and Para [1090]: the tunnel bridge (i.e., a data connector) is a cloud-based service configured to transfer data between an IT and security operations application (i.e., a SIEM management application) and various data sources of IT assets (i.e., one type of log source) via established secure communication channels, so as to control a flow of data to and from a target log source);
generating, via the SIEM management application, a JavaScript Object Notation (JSON) based solution bundle for the log source (Cristofi: see above & Para [0258] / [0254] / [0647] / [0531] and Para [1008]: the SIEM management application, as a part of the data intake and query system (DIQS) intake point, generates data records by an HTTP intake point configured to be formatted as JavaScript Object Notation, or JSON messages (i.e., a JSON based solution bundle), the data records being obtained from various data sources of IT assets (i.e., one type of log source)), wherein the JSON based solution bundle defines at least one of a resource group, a log analytics workspace, a data connector, an alert rule, a playbook, or a workbook for the tenant server (Cristofi: see above & Para [0647] / [0258]: communicating "data records" from ingestion buffers as JSON messages in the form of JSON blobs (i.e., small lumps / collections), which constitute a JSON-based bundle, and the data record can include, at least, a resource group, such as data associated with a particular tenant or a reference to a location (e.g., a physical or logical directory, file name, etc.) that stores the data associated with the tenant that is to be processed by the indexing system).
However, Cristofi does not disclose expressly generating a proposed SIEM protocol, wherein the proposed SIEM protocol is based, at least in part, on the JSON-based solution bundle.
Milazzo (& Cristofi) teaches generating a proposed SIEM protocol, wherein the proposed SIEM protocol is based, at least in part, on the JSON-based solution bundle (Cristofi: see above & Para [0647] / [0258]) || (Milazzo: Para [0078] / [0057] & FIG. 1):
(a) First of all, the term "protocol" generally means a set of procedures specifying what actions to take in a certain situation for specific uses;
(b) In light of that, Milazzo teaches generating / providing / proposing a SIEM rule query that involves evaluation and communication of various "data records" from different sources associated with a specific use of a SIEM rule management system along with a SIEM database / data-store (Milazzo: Para [0078] / [0057] & FIG. 1) – this can be construed as one type of "SIEM protocol"; and
(c) Cristofi teaches communicating the "data records" from ingestion buffers as JSON messages in the form of JSON blobs (i.e., small lumps / collections), which constitute a JSON-based bundle, and the data record can include, at least, a resource group (Cristofi: Para [0647] / [0258]). Accordingly, in view of (a) – (c), the combination of Cristofi & Milazzo indeed teaches generating a proposed SIEM protocol, wherein the proposed SIEM protocol is based, at least in part, on the JSON-based solution bundle so as to govern how the data connector controls the flow of data to and from the log source (i.e., database or data-store), thereby meeting the claim language.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to propose the modification of deploying, via the SIEM management application, a proposed SIEM protocol from the SIEM provider server to the tenant server, because Milazzo teaches alternatively, effectively and securely providing a comprehensive security mechanism by generating and deploying a SIEM (Security Information & Event Management) rule / protocol to be used by security monitoring engines at customer (i.e., tenant) monitored computing environments hosted by various tenant servers to improve security monitoring capability (see above), within Cristofi's system of hosting a SIEM management application on a provider network that comprises various network provider servers such as a SIEM provider server and a tenant (customer) provider server (see above).
deploying, via the SIEM management application, the proposed SIEM protocol from the SIEM provider server to the tenant server (Cristofi: see above) || (Milazzo: FIG. 1 & Para [0078] / [0057] Lines 22 – 25 / Para [0023]: providing (proposing) an automated mechanism for generating and deploying a SIEM (Security Information & Event Management) rule / protocol to be used by security monitoring engines at customer (i.e., tenant) monitored computing environments hosted by various tenant servers to improve security monitoring capability), wherein the proposed SIEM protocol is configured to govern how the data connector controls the flow of data to and from the log source (Cristofi: see above & Para [1051] – [1053] and Para [1090]: a tunnel bridge (i.e., a data connector) is a cloud-based service configured to transfer data between an IT and security operations application (i.e., a SIEM management application) and various data sources of IT assets (i.e., one type of log source) via established secure communication channels, so as to control a flow of data to and from a target log source) || (Milazzo: Para [0078] / [0057] & FIG. 1: generating / providing / proposing a SIEM rule query that involves evaluation and communication of various "data records" from different sources associated with a specific use of a SIEM rule management system along with a SIEM database / data-store).
As per claim 11, the claim limitations are met for the same reasons as those set forth above regarding claim 1, with the exception of the feature(s) of:
a Security Information, and Event Management (SIEM) provider server communicably coupled to the tenant server and the display (Cristofi: see above, FIG. 22 & Para [0902] / [1014] and Para [0531] / [0532]: (a) allowing the administrator / user to see a visualization display of related events via a user interface, wherein (b) the IT and security operations application (i.e., SIEM management application) displays information related to an occurrence of an incident (event) in an IT environment, such as executable actions for responding to the incident, as part of a workbook that is generated based on the identified incident).
As per claims 7 & 17, Cristofi as modified teaches wherein the proposed SIEM protocol for the tenant server is a first proposed SIEM protocol of a plurality of proposed SIEM protocols generated based, at least in part, on the JSON-based solution bundle, and wherein the method further comprises visually displaying, via a user interface of the SIEM management application, the plurality of proposed SIEM protocols (Cristofi: see above, FIG. 22 & Para [0902] / [1014] and Para [0531] / [0532]: visually displaying, via a user interface of the SIEM management application, a proposed SIEM protocol for the tenant server based on the JSON-based solution bundle (based on the results represented in JSON format, providing recommendations based on users of the same tenant (a proposed SIEM protocol), and allowing the administrator to see a visualization (display) of related events via the user interface)).
As per claims 8 & 18, Cristofi as modified teaches that deploying the proposed SIEM protocol from the SIEM provider server to the tenant server is based, at least in part, on a user selection of the proposed SIEM protocol from the plurality of proposed SIEM protocols (Milazzo: see above & Para [0023] & [0057] Lines 22 – 25: (a) the ingested information that is collected can be based on user-specific (i.e., user-definable / selectable) SIEM rule(s) / protocol(s), and (b) providing an automated mechanism for generating and deploying a SIEM (Security Information & Event Management) rule / protocol to be used by security monitoring engines at customer (i.e., tenant) monitored computing environments hosted by various tenant servers to improve security monitoring capability).
As per claim 9, Cristofi as modified teaches aggregating, via the SIEM management application, the plurality of tenant servers into workspaces based, at least in part, on the common solution bundle (Cristofi: see above & Para [0258] / [0531] / [0647] and Para [1008]: formatted as JavaScript Object Notation, or JSON messages (i.e., a JSON based solution bundle), the data records being obtained from various data sources of IT assets (i.e., one type of log source)) || (Milazzo: see above & Para [0002]: a SIEM system aggregating data from various data sources in order to identify deviations of the computing devices associated with these data sources from a normal operational state and then taking appropriate responsive actions to the identified deviations).
As per claim 10, the instant claim is directed to claimed content having functionality corresponding to that of claim 1, and is rejected under a similar rationale.
Claims 2 – 6, 12 – 16 & 20 are rejected under 35 U.S.C. 103 as being unpatentable over Cristofi et al. (U.S. Patent 2021/0117251), in view of Milazzo et al. (U.S. Patent 2020/0186569), and in view of Rostami et al. (WO 2017/151515 A1).
As per claims 2 – 5, 12 – 15 & 20, Rostami (& Cristofi as modified) teaches generating, via the SIEM management application, at least one of a plurality of SIEM artifacts (Cristofi: see above) || (Rostami: Para [0276] / [0275]: (a) the artifact(s) can be imported into a security information and event management (SIEM) tool to enable the SIEM management application to generate SIEM artifacts, and (b) for example, if the artifact is determined to be associated with malware based on the automated malware analysis, then the artifact can be deemed a high-risk artifact, which is reported to the various log sources).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to propose the modification of generating, via the SIEM management application, at least one of a plurality of SIEM artifacts, because Rostami teaches alternatively, effectively and securely providing a comprehensive security mechanism by importing the artifact(s) into a security information and event management (SIEM) tool to enable the SIEM management application to generate SIEM artifacts (see above), within Cristofi's system of hosting a SIEM management application on a provider network that comprises various network provider servers such as a SIEM provider server and a tenant (customer) provider server (see above).
As per claims 6 & 16, Rostami (& Cristofi as modified) teaches configuring alert rules to govern how the data connector controls the flow of data to and from the log source (Cristofi: see above) || (Rostami: Para [0057]: the alert rule can generate an alert (e.g., for a customer/subscriber of the platform) when there is a matching tag and there is network traffic for that sample in the monitored network (e.g., the subscriber's enterprise network), or an alert if the tag is triggered based on a public sample that was detected in another subscriber's enterprise network, such as another subscriber that is in the same industry category).
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
---------------------------------------------------
/Longbit Chai/
Longbit Chai E.E. Ph.D.
Primary Examiner, Art Unit 2431
No. #2554 – 2026
---------------------------------------------------