DETAILED ACTION
Responsive to Applicant’s reply filed on 01/22/2026, Applicant’s amendments to the claims have been entered, and the respective arguments have been carefully considered and are responded to in the following. Claims 2-13, 15-19, and 21-23 are presented for examination in this Office Action, with Claims 3, 4, 16, and 17 being in independent form. Additionally, claims 5, 10, and 18 are made in independent form per the amendments.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments to the claims in response to the Office Action, the Examiner would like Applicant to provide a clean copy of the claims to facilitate prosecution, which otherwise requires extra time in editing the marked-up claims from OCR.
Please submit two sets of claims:
Set #1 as in a typical filing which includes indicators for the status of claim and all marked amendments to the claims; and
Set #2 as an appendix to the Arguments/Remarks for a clean version of the claims which has all the markups removed for entry by the Examiner.
Response to Arguments
The claim amendments and remarks filed by the Applicant on 01/22/2026 have been carefully considered and are responded to in the following.
In response to the Applicant arguments, page(s) 10 of the Remarks, regarding claim objections for informality, the amendments have resolved the issues. Accordingly, the objections are withdrawn.
In response to the Applicant arguments, page(s) 10, regarding claim rejections under 35 U.S.C. 112(b) because each recites a limitation that lacks sufficient antecedent basis, the amendments have resolved the issues. Therefore, the rejections are withdrawn.
Applicant’s arguments, at page(s) 11-14 of the Remarks, with regards to claim rejections under 35 U.S.C. § 103 have been considered carefully.
First, Applicant argues the cited reference with respect to the amended limitation “remove, from the query or the subsequent query, connection requests to endpoints not within the portion of the tenant network, preventing establishment of a connection to the endpoints not within the portion of the tenant network” of claim 3. Applicant states: “As recited by the claims, the connection requests are removed. As such, the connections to endpoints are never established.” Applicant further argues: “Loomis makes it clear that Loomis actually teaches establishing connections and subsequently creating a blockage on the connection. See Loomis par. 0041.” See the Remarks at pages 11-13.
In response, the Examiner respectfully disagrees because, at par. 0041, Loomis clearly discloses that no VPN is needed between the master node and the tenant node, as the tenant node is in the customer's network premises and has connectivity to the required devices to allow the remote workflow to be performed (step 330 of FIG. 3). At this step, the master node actually allows the remote workflow to be performed because the master node has run queries and, after the analyst triggers a workflow for investigation and enrichment of the alert (at block 320), likely finds no threat. It is the master node that allows the tenant node to perform the remote workflow when no threat is present. Otherwise, the connectivity is to be removed to prevent any connection to the remote devices (i.e., the endpoints not within the portion of the tenant network). Loomis further explains: [when analysis indicates any threat], for example, at block 340 of FIG. 3, the parent workflow is set to “Awaiting.” …, the parent workflow at the master node awaits the results while the remote workflow is running. At block 350, the workflow is executed at the tenant node. For example, the tenant node may query the SIM, STEM or IDS on behalf of the master node for additional data, for example, indicative of a security posture compromise, … direct a firewall or other network security device to block certain network traffic. See par. 0042-0044. Evidently, Loomis does not teach that a blockage is made on the connectivity that has been established. However, to clarify the Examiner’s position in view of the added limitations, Gujarathi (US 20180159856 A1) is cited in this Office Action, where the new ground(s) of rejection is necessitated by Applicant's amendment.
Second, the Applicant argues, at pages 13-14, that, as amended, claim 4 now specifies that the dynamic exception is based upon ambiguity in the query or the subsequent query. When compared, Loomis fails to teach or suggest these features, because Loomis does not teach autonomously adjusting a query based upon ambiguity in the query.
In response, the Examiner respectfully disagrees because, at par. 0041, Loomis discloses analyzing the alert of a potential threat and determining whether the connectivity should be removed to prevent any connection to the remote devices (i.e., the endpoints not within the portion of the tenant network). Loomis explains: [when analysis indicates any threat], for example, at block 340 of FIG. 3, the parent workflow is set to “Awaiting.” …, the parent workflow at the master node awaits the results while the remote workflow is running. At block 350, the workflow is executed at the tenant node. For example, the tenant node may query the SIM, STEM or IDS on behalf of the master node for additional data, for example, indicative of a security posture compromise, … direct a firewall or other network security device to block certain network traffic. See par. 0042-0044. Evidently, Loomis makes [adjustments or changes] to the connectivity that has not been established. Nonetheless, to clarify the Examiner’s position in view of the added limitations, Gujarathi (US 20180159856 A1) is cited in this Office Action, where the new ground(s) of rejection is necessitated by Applicant's amendment.
Third, the Applicant argues, at page 14, that the combination of Loomis (US 20200259847 A1) and Satish (US 11902306 B1) does not disclose all the features included in claims 8-9, relying on the arguments made for claims 3-4.
In response, the Examiner respectfully submits that the Applicant argument is moot in view of the new ground of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 2-4, 7, 13, 15-19, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Loomis (US 20200259847 A1) in view of Satish (US 11902306 B1), and further in view of Gujarathi (US 20180159856 A1; hereinafter “Guja”).
FIRST,
(Grouping claims 3 and 21-22)
As per claim 3, Loomis teaches:
An assisted and networked threat hunting detection and response system (Loomis, par. 0027-0033: the distributed multi-tenancy MSSP architecture 100), the system comprising:
at least one Security Information, and Event Management (SIEM) server connected to at least one tenant network (Loomis, par. 0034-0040: a Security Information Management (SIM), STEM or IDS associated with a customer premises; see also clms. 5 and 14: SIEM);
a Security Orchestration, Automation, and Response (SOAR) management server connected to the SIEM servers, the SOAR management server with at least one memory coupled to at least one processor, where the memory is loaded with instructions, the at least one processor coupled to the at least one memory configured to (Loomis, par. 0029-0031: The tenant SOAR nodes 125a-n; par. 0031-0034: workflow execution (e.g., execution of automated responses) and API):
establish data transfer pipelines between the threat-hunting environment and the at least one tenant network, the data transfer pipelines maintaining a connection between the threat-hunting environment and the at least one tenant network during an active session, via the at least one SIEM server, to allow continuous data communication (Loomis, par. 0034 and 0038-0040: workflow execution with a security posture compromise, or run any block action on a firewall or other network security system, that needs to run inside the customer's network infrastructure; the queries and actions can seamlessly be run from the master node. It is noted that Loomis’ workflow is mapped to the pipeline);
receive result data for the query from the at least one tenant network (Loomis, par. 0029 and 0032-0034: receiving result data such as alerts; see par. 0029 for taking a “Phishing Email Alert” as an example);
analyze, the result data for a detected threat in the at least one tenant network (Loomis, par. 0031 and 0039-0040: investigation; the tenant SOAR nodes 125a-n allow administrators 121a-n to define which events, and then the analyst triggers a workflow for investigation and enrichment of the alert. In Loomis, an alert is a sign of threat; see par. 0029 for taking a “Phishing Email Alert” as an example);
based on the analyzed result data, push a subsequent query to the at least one tenant network to respond to detected threat (Loomis, par. 0031: investigations are to be run based on summary information relating to the events and alerts; par. 0034-0036: Alerts can optionally be auto-categorized and auto-enriched at the tenant node itself. Note here that the investigation triggered by the alert is a subsequent query in response to the detected threat);
dynamically recognize functions and tables referenced by the query or the subsequent query to autonomously determine a relevant tenant network or portion of a tenant network from the at least one tenant network (Loomis, par. 0034-0036: Alerts can optionally be auto-categorized and auto-enriched at the tenant node itself; par. 0041-0043: triggers a remote workflow to be executed. Note that Loomis discloses the eligible alerts are auto-forwarded to the master node for further investigation from which a relevant tenant network is determined regarding the potential threat); and
However, Loomis does not explicitly disclose an integrated code editor via which a query can be developed for querying the at least one tenant network. This aspect of the claim is identified as a further difference.
In a related art, Satish teaches:
query the at least one tenant network with a query developed via an integrated code editor (Satish, col. 212, lines 5-30: a visual playbook editor for codifying a playbook that searches against events that did not satisfy one or more of the first [condition]);
Loomis and Satish are analogous art to the claimed invention, because they are in the same field of endeavor as the claimed invention in improving cybersecurity and threat detection, or reasonably pertinent to the problem faced by the inventor, which may be in a different field. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to modify Loomis’ system with Satish’s teachings of “using an editor” for generating queries. For this combination, the motivation would have been to improve the level of automation for Loomis’s query and response mechanism.
While Loomis discloses blocking connections with a compromised tenant node (for example, indicative of a security posture compromise, or directing a firewall or other network security device to block certain network traffic; par. 0043-0045), Loomis does not explicitly disclose that the connection as requested has not yet been established and is to be prevented from being established. This aspect of the claim is identified as a further difference.
In a related art, Guja teaches:
remove, from the query or the subsequent query, connection requests to endpoints not within the portion of the tenant network, preventing establishment of a connection to the endpoints not within the portion of the tenant network (Guja, par. 0122-0125: transmitting the connection request. If or when authentication fails, the web relay service 730 may prevent the tenant-specific cloud service 711 from establishing a connection with a web service 751. Alternatively or additionally, web relay service 730 may respond to the connection request with an indication that authentication failed or that access is denied. It is noted that Guja discloses the multi-tenant web relay service 730 may serve as a proxy; In response to the request, the web relay service 730 may establish a connection with a corresponding web relay agent, wherein the connection request requires authentication).
Guja is analogous art to the claimed invention, because it is in the same field of endeavor as the claimed invention in improving cybersecurity and threat detection, or reasonably pertinent to the problem faced by the inventor, which may be in a different field. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Loomis-Satish system with Guja’s teachings of a connection request that requires authentication and the steps for preventing the tenant-specific cloud service 711 from establishing a connection when the authentication fails. For this combination, the motivation would have been to improve the level of security by including authentication for connection requests.
As per claim 21, the references as combined above teach the system of claim 3, where the threat-hunting environment is further configured to:
save the query or the subsequent query for future use and reference (Loomis, par. 0040-0043: the queries; par. 0054-0055: maintain the sequence of message delivery; maintain a local replicator log).
As per claim 22, the references as combined above teach the system of claim 3, where the threat-hunting environment is further configured to:
add augmenting data to the query or the subsequent query, during runtime of the query or subsequent query, wherein the data may alter a functionality provided query or the subsequent query (Loomis, par. 0040-0043: the queries; par. 0054-0055: maintain the sequence of message delivery; maintain a local replicator log).
SECOND,
(Grouping claims 4, 2, 7, and 11-13)
As per claim 4, Loomis teaches:
An assisted and networked threat hunting detection and response system (Loomis, par. 0027-0033: the system 100 as shown in FIG. 1), the system comprising:
at least one Security Information, and Event Management (SIEM) server connected to at least one tenant network (Loomis, par. 0034-0040: a Security Information Management (SIM), STEM or IDS associated with a customer premises; see also clms. 5 and 14: SIEM);
a Security Orchestration, Automation, and Response (SOAR) management server connected to the SIEM servers, the SOAR management server with at least one memory coupled to at least one processor, where the memory is loaded with instructions (Loomis, par. 0029-0031: The tenant SOAR nodes 125a-n), the at least one processor coupled to the at least one memory configured to:
execute a threat-hunting environment that, via a dedicated user interface (Loomis, par. 0031-0034: workflow execution (e.g., execution of automated responses) and API), is configured to:
establish data transfer pipelines between the threat-hunting environment and the at least one tenant network, the data transfer pipelines maintaining a connection between the threat-hunting environment and the at least one tenant network during an active session, via the at least one SIEM server, to allow continuous data communication (Loomis, par. 0034 and 0038-0040: workflow execution with a security posture compromise, or run any block action on a firewall; the queries and actions can seamlessly be run from the master node. It is noted that Loomis’ workflow is mapped to the pipeline);
receive result data for the query from the at least one tenant network (Loomis, par. 0029 and 0032-0034: receiving result data such as alerts; see par. 0029 for taking a “Phishing Email Alert” as an example);
analyze, the result data for a detected threat in the at least one tenant network (Loomis, par. 0031 and 0039-0040: investigation; see par. 0029 for taking a “Phishing Email Alert” as an example);
based on the analyzed result data, push a subsequent query to the at least one tenant network to respond to detected threat (Loomis, par. 0031-0034: define which events and alerts are to be auto-replicated, which is for a subsequent query; the master node can identify what investigations are to be run based on summary information relating to the events and alerts; each tenant node may use separate credentials to connect to the secure router 130; note here that the investigation triggered by the alert is a subsequent query in response to the detected threat).
apply a dynamic exception processing to the query or the subsequent query, wherein the dynamic exception processing comprises autonomously adjusting the query or the subsequent query for the at least one tenant network … (Loomis par. 0031-0032: auto-replicating … events and alerts defined by administrators 121a-n; par. 0034-0036: Alerts can optionally be auto-categorized and auto-enriched at the tenant node itself; par. 0041-0043: triggers a remote workflow to be executed. Note that Loomis discloses the eligible alerts are auto-forwarded to the master node for further investigation from which a relevant tenant network is determined regarding the potential threat).
However, Loomis does not explicitly disclose an integrated code editor via which a query can be developed for querying the at least one tenant network. This aspect of the claim is identified as a further difference.
In a related art, Satish teaches:
query the at least one tenant network with a query developed via an integrated code editor (Satish, col. 212, lines 5-30: a visual playbook editor for codifying a playbook that searches against events that did not satisfy one or more of the first [condition]);
Loomis and Satish are analogous art to the claimed invention, because they are in the same field of endeavor as the claimed invention in improving cybersecurity and threat detection, or reasonably pertinent to the problem faced by the inventor, which may be in a different field. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to modify Loomis’ system with Satish’s teachings of “using an editor” for generating queries. For this combination, the motivation would have been to improve the level of automation for Loomis’s query and response mechanism.
While Loomis discloses blocking connections with a compromised tenant node for certain network traffic (par. 0043-0045), Loomis does not explicitly disclose that such a blocking or disconnection adjustment is made before connection establishment. This aspect of the claim is identified as a further difference.
In a related art, Guja teaches:
wherein the dynamic exception processing comprises autonomously adjusting the query or the subsequent query for the at least one tenant network to remove the ambiguity (Guja, par. 0122-0125: transmitting the connection request. If or when authentication fails, the web relay service 730 may prevent the tenant-specific cloud service 711 from establishing a connection with a web service 751. Or, web relay service 730 may respond to the connection request with an indication that authentication failed or that access is denied. It is noted that Guja discloses the multi-tenant web relay service 730 may serve as a proxy; In response to the request, the web relay service 730 may establish a connection with a corresponding web relay agent, wherein the connection request requires authentication).
Guja is analogous art to the claimed invention, because it is in the same field of endeavor as the claimed invention in improving cybersecurity and threat detection, or reasonably pertinent to the problem faced by the inventor, which may be in a different field. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Loomis-Satish system with Guja’s teachings of a connection request that requires authentication and the steps for preventing the tenant-specific cloud service 711 from establishing a connection, as an adjustment to the request. For this combination, the motivation would have been to improve the level of security by including authentication for connection requests.
As per claim 2, the references as combined above teach the system of claim 4, where the threat-hunting environment is further configured to:
save the query or the subsequent query for future use and reference (Loomis, par. 0040-0043: the queries; par. 0054-0055: maintain the sequence of message delivery; maintain a local replicator log).
As per claim 7, the references as combined above teach the system of claim 4, where the user interface allows the user to navigate between interfaces that display running the query or the subsequent query, executed on the at least one SIEM server, the at least one tenant network, and the SOAR management server, or any combination thereof (Loomis, par. 0031-0034: workflow execution and API; Loomis, par. 0029-0031: The tenant SOAR nodes 125a-n; par. 0034-0040: a Security Information Management (SIM), STEM or IDS associated with a customer premises; see also clms. 5 and 14: SIEM).
As per claim 11, the references as combined above teach the system of claim 4, where the user interface of the threat-hunting environment includes a display of a history of results, wherein the history of results is interactive (Satish, col. 216, lines 45-65: historical data).
As per claim 12, the references as combined above teach the system of claim 4, where the integrated code editor is networked, accessible, and usable by multiple connected users (Satish, col. 216, lines 45-65: editor displays additional options for the corresponding task).
As per claim 13, the references as combined above teach the system of claim 4, further comprising networked micro-services, connected to the SOAR management server, and accessible by the threat-hunting environment (Loomis, the Abstract: a master SOAR node of an MSSP receives multiple messages via a secure router coupling a computing environment of the MSSP in communication with respective computing environments of multiple customers of the MSSP; par. 0016 and 0029-0031: secure orchestration and automated response (SOAR)).
THIRD,
(Grouping of claims 16 and 23)
Regarding claim 16, it is directed to a method for networked threat-hunting, comprising limitations similar to claim 3, and is therefore rejected using a similar rationale.
Regarding claim 23, it is similar to claim 21, and is therefore rejected using a similar rationale.
FOURTH,
(Grouping of claims 17 and 15)
Regarding claim 17, it is similar to claim 4, and is therefore rejected using a similar rationale.
Regarding claim 15, it is similar to claim 2, and is therefore rejected using a similar rationale.
FIFTH,
Claims 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Loomis, Satish and Guja, as applied to claim 4, and further in view of Li (US 20190050561 A1).
As per claim 8, the references of Loomis, Satish, and Guja as combined above teach the system of claim 4, but do not explicitly disclose adding augmenting data to the query or the subsequent query, during runtime of the query or subsequent query, wherein the data may alter a functionality provided query or the subsequent query. This aspect of the claim is identified as a further difference.
In a related art, Li teaches:
where the threat-hunting environment is further configured to:
add augmenting data to the query or the subsequent query, during runtime of the query or subsequent query, wherein the data may alter a functionality provided query or the subsequent query (Li, par. 0017 and 0071-0072: update the TDL query 310 and resume execution).
Li is analogous art to the claimed invention, because it is in the same field of endeavor as the claimed invention in improving threat detection, or reasonably pertinent to the problem faced by the inventor, which may be in a different field. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to modify the Loomis-Satish system with Li’s teachings of “data modifications” in a query for updates. For this combination, the motivation would have been to improve the level of security with a timely updated query for security search.
As per claim 9, the references as applied above teach the system of claim 8, where the adding of the augmenting data comprises:
pausing execution of the query or the subsequent query (Li, par. 0071: pause execution of the TDL query 310);
autonomously adding data to the query or to the subsequent query (Li, par. 0071: automatically update the constraints); and
resuming the execution of the query or subsequent query (Li, par. 0071-0072: resumes the execution).
Claim 9 is combined with Loomis, Satish and Guja using the same rationale as claim 8.
Allowable Subject Matter
Claims 5-6, 10, and 18-19 as amended on 01/22/2026 are allowable over the prior art as discussed in the last Office Action. Specifically, claims 5 and 18 each recite the elements or features “autonomously create a function to dynamically insert a correct value associated with the at least one tenant network from a stored mutable list”. These elements and the features thereof, in combination with the other limitations in claims 4 and 17, respectively, are not anticipated by, nor made obvious over, the prior art of record. Claims 6 and 19 are allowed by virtue of their dependencies on claims 5 and 18, respectively, as they further limit the scope of the claimed invention.
Claim 10 recites the elements “where the data added includes pagination instructions to only return a certain subset of the results to the at least one SOAR management server”. These elements and the features thereof, in combination with the other limitations in claims 4 and 8, are not anticipated by, nor made obvious over, the prior art of record.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Don Zhao, whose telephone number is (571)272-9953. The examiner can normally be reached from 9 am to 5 pm, Monday through Friday.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Don G Zhao/
Primary Examiner, Art Unit 2493
02/17/2026