DETAILED ACTION
In reply to applicant's communication filed on February 24, 2021 and the telephonic interview conducted on March 12, 2021, Claims 31-32 and 35-52 have been amended.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on March 03, 2021.

Claims 1-30 and 33-34 have been cancelled.
Claims 31-32 and 35-52 are pending.

Response to Arguments
Applicant’s arguments filed on February 24, 2021 with respect to the rejected claims have been fully considered and withdrawn in view of applicant’s arguments and amendment.

Applicant’s arguments filed on February 24, 2021 with respect to the double patenting rejection have been fully considered and withdrawn in view of the terminal disclaimer filed on March 12, 2021.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with applicant representative, Scott Loras Murray (Reg. No. 53,360) on March 12, 2021. 

Please replace the claim set filed on February 24, 2021 with the following amendment. 


1. – 30. (Canceled)
31.	(Previously Presented) A computer-implemented method performed by an advisement system coupled to a computing environment, the computing environment comprising a plurality of computing assets, the method comprising:
identifying a security threat involving the computing environment;
obtaining state information for the security threat, including monitoring incoming connections to the computing environment from external computing systems;
determining, based on the state information, that the security threat comprises a malicious process in a persist state in which the malicious process is attempting to remain active on a computing asset of the plurality of computing assets;
identifying a security action for responding to the security threat based on determining that the security threat comprises a malicious process in a persist state in which the malicious process is attempting to remain active on the computing asset of the plurality of computing assets;
translating the security action into a process implemented on the computing asset of the plurality of computing assets; and

32.	(Previously Presented) The method of claim 31, wherein identifying the security action for responding to the security threat comprises:
identifying a rule set based on enrichment information obtained for the security threat; and
identifying the security action associated with the rule set.
33.	Canceled
34.	Canceled
35.	(Previously Presented) The method of claim 31, further comprising:
identifying a plurality of security actions for responding to the security threat; and
initiating implementation of the plurality of security actions at the plurality of computing assets in the computing environment.
36.	(Previously Presented) The method of claim 31, further comprising:
in response to identifying the security action for responding to the security threat, providing the security action to an administrator of the computing environment; and
after providing the security action to the administrator, receiving input selecting the security action for implementation in the computing environment.
37.	(Previously Presented) The method of claim 36, wherein identifying the security action for responding to the security threat comprises ranking the security action relative to one or more other security actions for responding to the security threat.
38.	(Previously Presented) The method of claim 31, further comprising obtaining enrichment information for the security threat from at least one internal or external database.
39.	(Previously Presented) The method of claim 31, wherein the state information for the security threat further indicates identifiers of assets targeted by communications of the security threat.

41.	(Previously Presented) A non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause performance of operations comprising:
identifying a security threat involving the computing environment;
obtaining state information for the security threat, including monitoring incoming connections to the computing environment from external computing systems;
determining, based on the state information, that the security threat comprises a malicious process in a persist state in which the malicious process is attempting to remain active on a computing asset of the plurality of computing assets;
identifying a security action for responding to the security threat based on determining that the security threat comprises a malicious process in a persist state in which the malicious process is attempting to remain active on the computing asset of the plurality of computing assets;
translating the security action into a process implemented on the computing asset of the plurality of computing assets; and
initiating implementation of the security action at the computing asset of the plurality of computing assets.
42.	(Previously Presented) The non-transitory computer-readable storage medium of claim 41, wherein identifying the security action for responding to the security threat comprises:
identifying a rule set based on enrichment information obtained for the security threat; and
identifying the security action associated with the rule set.
43.	(Previously Presented) The non-transitory computer-readable storage medium of claim 41, wherein the instructions, when executed by the one or more processors, cause performance of further operations comprising obtaining enrichment information for the security threat from at least one internal or external database.

45.	(Previously Presented) The non-transitory computer-readable storage medium of claim 41, wherein identifying the security action for responding to the security threat comprises ranking the security action relative to one or more other security actions for responding to the security threat.
46.	(Previously Presented) An apparatus, comprising:
one or more processors;
a non-transitory computer-readable storage medium storing instructions which, when executed by the one or more processors, cause the apparatus to:
identify a security threat involving a computing environment;
obtain state information for the security threat, including monitoring incoming connections to the computing environment from external computing systems;
determine, based on the state information, that the security threat comprises a malicious process in a persist state in which the malicious process is attempting to remain active on a computing asset of the plurality of computing assets;
identify a security action for responding to the security threat based on determining that the security threat comprises a malicious process in a persist state in which the malicious process is attempting to remain active on a computing asset of the plurality of computing assets;
translate the security action into a process implemented on the computing asset of the plurality of computing assets; and
initiate implementation of the security action at the computing asset of the plurality of computing assets.
47.	(Previously Presented) The apparatus of claim 46, wherein identifying the security action for responding to the security threat comprises:
identifying a rule set based on enrichment information obtained for the security threat; and
identifying the security action associated with the rule set.

49.	(Previously Presented) The apparatus of claim 46, wherein the security threat includes at least one of a virus or a malware attack.
50.	(Previously Presented) The apparatus of claim 46, wherein identifying the security action for responding to the security threat comprises ranking the security action relative to one or more other security actions for responding to the security threat.
51.	(Currently Amended) The method of claim 31, wherein determining, based on the state information, that the security threat comprises a malicious process in a persist state comprises determining, based on the state information, that the malicious process is attempting to install software or execute another process on the computing asset of the plurality of computing assets.
52.	(Currently Amended) The non-transitory computer-readable storage medium of claim 41, wherein determining, based on the state information, that the security threat comprises a malicious process in a persist state comprises determining, based on the state information, that the malicious process is attempting to install software or execute another process on the computing asset of the plurality of computing assets.

Allowable Subject Matter
Claims 31-32 and 35-52 are allowed. No reason for allowance is needed as the record is clear in light of applicant’s arguments filed on February 24, 2021 and the examiner’s amendment above. See MPEP 1302.14(I).

According to MPEP 1302.14 (I): “In most cases, the examiner’s actions and the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule. This is particularly true when applicant fully complies with 37 CFR 1.111 (b) and (c) and 37 CFR 1.133(b). Thus, where the examiner’s actions clearly point out the reasons for rejection and the applicant’s reply explicitly presents reasons why claims are patentable over the reference, the reasons for allowance are in all probability evident from the record and no statement should be necessary.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached on M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/TESHOME HAILU/Primary Examiner, Art Unit 2434