&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
			function printpage()
			{
			window.print()
			}
			</script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=11750626.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 11,750,626 B2</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Systems and techniques for guiding a response to a cybersecurity incident</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Christopher Lord,  Natick, MA (US);  Benjamin Johnson,  Newport Beach, CA (US);  Doran Smestad,  Corinna, ME (US); and  Joshua Hartley,  Rutland, MA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  Carbon Black, Inc.,  Palo Alto, CA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  Carbon Black, Inc.,  Palo Alto, CA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Mar.  1, 2021, as Appl. No. 17/188,526.</b></td>
          </tr>
          <tr>
            <td colspan="3" class="table_data" align="center"><b>Application 17/188,526 is a continuation of application No. 16/434,969, filed on Jun.  7, 2019, granted, now 10,938,842.</b></td>
          </tr>
          <tr>
            <td colspan="3" class="table_data" align="center"><b>Application 16/434,969 is a continuation of application No. 15/468,942, filed on Mar.  24, 2017, granted, now 10,320,820, issued on Jun.  11, 2019.</b></td>
          </tr>
          <tr>
            <td colspan="3" class="table_data" align="center"><b>Claims priority of provisional application 62/312,797, filed on Mar.  24, 2016.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Prior Publication US 2021/0185065 A1, Jun.  17, 2021</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>This patent is subject to a terminal disclaimer.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>H04L 9/40</b></i> (2022.01); <i><b>G06N 5/04</b></i> (2023.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>H04L 63/1416</b></i> (2013.01)&#xa0;[<i><b>G06N 5/04</b></i> (2013.01); <i><b>H04L 63/145</b></i> (2013.01); <i><b>H04L 63/1408</b></i> (2013.01); <i><b>H04L 63/1433</b></i> (2013.01); <i>H04L 63/0227</i> (2013.01)]</td>
            <td class="table_data" align="right"><b>20 Claims</b></td>
          </tr>
        </table>
        <center><img src="US11750626-20230905-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A method for guiding a response to a security incident, comprising:<div class="claim_text">monitoring a plurality of occurrences in a computer system, wherein the plurality of occurrences includes (1) a first occurrence whereby a first file instantiates a first process that creates or registers a second file, and (2) a second occurrence whereby the computer system instantiates a second process from the second file;</div>
                <div class="claim_text">determining, based on adjacency data, that at least a subset of the plurality of occurrences is relevant to the second process, wherein the subset includes the first occurrence and the second occurrence, wherein the adjacency data includes data indicating relevance of the first occurrence to the second occurrence;</div>
                <div class="claim_text">estimating a respective utility of investigating each occurrence in the subset;</div>
                <div class="claim_text">selecting two or more occurrences from the subset based, at least in part, on the estimated utilities, the selected occurrences including the first occurrence and the second occurrence; and</div>
                <div class="claim_text">guiding the response to the security incident at least by presenting, to a user, data corresponding to the selected occurrences.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>