Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Office Action is in response to the amendment filed on 11/29/2021 
In the instant Amendment, claims 1, 3-4, 6-7, 9-14 and 16-20 were amended; claims 1, 7 and 14 are independent claims, claims 2, 5, 8 and 15 were cancelled. Claims 1, 3-4, 6-7, 9-14 and 16-24 are pending in this application. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/09/2021 has been entered.
 
Response to Arguments
Applicant’s arguments in the instant Amendment filed 11/29/2021 with respect to the limitations below, have been fully considered but they are not persuasive. 
Applicant argues on (pages 9-10): that the cited prior art fails to disclose or suggest “providing a user interface (UI) by way of the remote computing resource system, the UI identifying a plurality of tenant resource modules provisioned in the remote computing resource system for a tenant of the remote computing resource system to provide resources for the tenant’, “receiving a selection by way of the UI of one or more of the plurality of tenant resource modules to be configured for intrusion detection”, or performing the claimed allocating, deploying, and creating operations “responsive to receiving the selection by way of the UI.”
The Examiner respectfully disagrees with the Applicants. Dulce discloses in FIG 6 a user interface where a checkmark is used to select a plurality of tenant resource modules such as email, meeting, contact, note/file, browser history, credential store, favorites in a cloud computing system for a remote computing resource system for a user [tenant]. This system works for detecting compromised devices during an attack [intrusion detection]. A cloud storage application providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g. Google Drive, Dropbox, iCloud, OneDrive, Box). A mapping between user data types, or some token types, credentials, database metadata (e.g. table/DB name), resource identifier (URL, PATH, SPN) and email address that identifies the tenant. Other tenant resource modules include application service (e.g. data, voice, video); application programming interface (API). Credential store all refer to tenant resource modules). A credential store provides data entries providing a mapping between the tenant, the corresponding access credentials and the identified tenant resource modules in which the corresponding access credentials were deployed. 
Applicant argues on (page 10): the cited prior art fails to disclose or suggest “allocating provisioned resources having corresponding access credentials, deploying the corresponding access credentials in respective tenant resource modules, and creating one or more data entries in a token mapping store, the data entries providing a mapping between the tenant, the corresponding access credentials and the identified tenant resource modules in which the corresponding access credentials were deployed”.
The Examiner respectfully disagrees with the Applicants. Dulce discloses in FIG 6 allocating provisioned resource having corresponding access credentials, deploying the access credentials in the respective tenant resource modules such email message, meeting, contact, note/file, browser history, credential store and favorites and assigning credentials to those modules. 
Applicant argues on (pages 10-11): the cited prior art fails to disclose or suggest “scanning one or more access logs for the remote computing resource system to detect one or more resource access attempts, each access attempt including an access credential for the access attempt; and for each resource access attempt, searching the token mapping store for a matching data entry where the access credential of the data entry matches the access credential for the access attempt, and if the matching data entry is found, generating an alert that identifies the identified resource module of the matching data entry.” 
The Examiner respectfully disagrees with the Applicants. Catlett discloses an attempt to access an organization resource using the honeytoken data is identified. A fraudulent user may attempt to logon to an online banking site of a financial institution using credentials matching one of honeytoken data entries generated by the institution using credentials matching one of the honeytoken data entries generated by the institution. The fraudulent access attempt may be denied by the bank’s web server and may be subsequently flagged by a scheduled process that process that scans the network access logs of the web server to search for login credentials matching honeytoken data (See Catlett, Col. 6, Lines 55-64). 
Applicant argues on (page 12): the cited prior art fails to disclose or suggest “searching the token mapping store for a matching data entry where the access credential of the data entry matches the access credential for the access attempt, and if the matching data entry is found, generating an alert that identifies the identified resource module of the matching data entry.” 
The Examiner respectfully disagrees with the Applicants. Catlett discloses an attempt to access an organization resource using the honeytoken data is identified. A fraudulent user may attempt to logon to an online banking site of a financial institution using credentials matching one of honeytoken data entries generated by the institution using credentials matching one of the honeytoken data entries generated by the institution. The fraudulent access attempt may be denied by the bank’s web server and may be subsequently flagged by a scheduled process that process that scans the network access logs of the web server to search for login credentials matching honeytoken data (See Catlett, Col. 6, Lines 55-64).
Applicant argues on (page 12): the cited prior art fails to disclose or suggest “wherein the provisioned resources comprise at least one of an unused resource allocated for the tenant.”
The Examiner respectfully disagrees with the Applicants. Ahmadzadeh discloses honeypot system may then provision new resources and continue monitoring to determine whether or not the applications begin acting maliciously (see Ahmadzadeh paragraph [0022]). 
Applicant argues on (page 13): the cited prior art fails to disclose or suggest “wherein the unused resource allocated for the tenant comprises a container with restricted access permissions.”
The Examiner respectfully disagrees with the Applicants. Dargude discloses a determination module that may determine a number of containers of the organization on which the member has read and/or write permissions (Dargrude, Col. 17, Line 65; Col. 11, Lines 15-18). 
Applicant argues on (page 13-14): the cited prior art fails to disclose or suggest “wherein the unused resource allocated for the tenant comprises one of a container with restricted access permissions and a fictitious user account in a domain corresponding to the tenant.”
The Examiner respectfully disagrees with the Applicants. Dargude discloses a determination module that may determine a number of containers of the organization on which the member has read and/or write permissions (Dargrude, Col. 17, Line 65; Col. 11, Lines 15-18). Johnson discloses a fictitious account may also be previously generated prior to the login attempt in order to act as a honeypot type security measure and may be identified and accessed (Johnson, [0056]). 
Applicant's arguments (page 12): Additionally, as to the dependent claims 6, 9, 12-13, 16 and 19-20 the Applicant argues that the claims are dependent directly or indirectly from a respective one of claims of independent claims 1, 7 and 14 are therefore distinguished from the cited art at least by virtue OR allowable at least based on of their additionally recited patentable subject matter.
The Examiner disagrees with the Applicants. Applicant’s specification states in The Examiner disagrees with the Applicants. The Examiner respectfully submits that the dependent claims 6, 9, 12-13, 16 and 19-20 are rejected at least based on the rationale and response presented to the argument for their respective base claims, and the reference applied to the claims 6, 9, 12-13, 16 and 19-20.

Claim Rejections - 35 USC § 103
6.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



7.	Claims 1, 6-7, 9, 12-14, 16, 19-20 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Dulce et al (“Dulce,” US 20160381023) and further in view of Catlett et al (“Catlett,” US 8,880,435). 

Regarding claim 1, Dulce discloses a computer-implemented method for intrusion detection in a remote computing resource system, the method comprising:
providing a user interface (UI) by way of the remote computing resource system, the UI identifying a plurality of tenant resource modules provisioned in the remote computing resource system for a tenant of the remote computing resource system to provide resources for the tenant; (Dulce, FIG 6 describes a user interface where a checkmark is provided for a plurality of tenant resource modules such as email, meeting, contact, note/file, browser history, credential store, favorites; [0032] describes a cloud computing system; [0081], describes a remote computing resource system for a user [tenant]; also see [0090] and [0094])
receiving a selection by way of the UI of one or more of the plurality of tenant resource modules to be configured for intrusion detection; (Dulce, FIG 6, [0032], [0034], shows selecting by way of a UI of one or more of the plurality of tenant resource modules in a cloud computing system to be configured for detect compromised devices [intrusion detection]; also see [0090] and [0094]). 
responsive to receiving the selection by way of the UI, for the tenant resource modules selected in the UI, (Dulce, FIG 6, [0032] & [0034], shows selecting and receiving the selection by way of a UI of one or more of the plurality of tenant resource modules in a cloud computing system to be configured for detect compromised devices [intrusion detection]; also see [0090] and [0094]).
allocating provisioned resources having corresponding access credentials, (Dulce, FIG 6 shows allocated provisioned resources having corresponding access credentials as shown in 654; [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc; also see [0090] and [0094]). 
deploying the corresponding access credentials respective tenant resource modules, (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (6.9., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™); FIG 6 shows a mapping between user data types or some token types, credentials, database metadata, resource identifiers and email address of tenant, 602, User Data types such as email message, meeting, contact, note/file, browser history, credential store and favorites for example; 656, Database metadata (e.g. Table/DB name); 658, resource identifier (e.g. URL, PATH, SPN) and 660, Email address that identifies the tenant; [0134], application service (e.g. data, voice, video); [0151], application programming interface (API); 329F, FIG 3, credential store all refer to tenant resource modules)
and creating one or more data entries in a token mapping store, identifier (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (é6.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™); FIG 6 shows a mapping between user data types or some token types, credentials, database metadata, resource identifiers and email address of tenant, 602, User Data types such as email message, meeting, contact, note/file, browser history, credential store and favorites for example; 656, Database metadata (e.g. Table/DB name); 658, resource identifier (e.g. URL, PATH, SPN) and 660, Email address that identifies the tenant; [0134], application service (e.g. data, voice, video); [0151], application programming interface (API); 329F, FIG 3, credential store all refer to tenant resource modules) the data entries providing a mapping between the tenant, the corresponding access credentials  and the identified tenant resource modules in which the corresponding access credentials were deployed). 
Dulce fails to explicitly disclose scanning one or more access logs for the remote computing resource system to detect one or more resource access attempts, each access attempt including an access credential for the access attempt; and for each resource access attempt, searching a token mapping store for a matching data entry where the access credential of the data entry matches the access credential for the access attempt, and if the matching data entry is found, generating an alert that identifies the identified resource module of the matching data entry. 
	However, in an analogous art, Catlett discloses scanning one or more access logs for the remote computing resource system to detect one or more resource access attempts, each access attempt including an access credential for the access attempt; (Caitlett, Col. 6, Lines 55-64, In step 203, an attempt to access an organization resource using the honeytoken data is identified. For example, a fraudulent user may attempt to logon to the online banking site of a financial institution using credentials matching one of the honeytoken data entries generated by the institution in step 201. In this example, the fraudulent access attempt may be denied by the bank's web server 101, and may be
subsequenily flagged by a scheduled process that scans the network access logs of the
web server 101 to search for login credentials matching honeytoken data)
and for each resource access attempt, searching a token mapping store for a matching data entry where the access credential of the data entry matches the access credential for the access attempt, and if the matching data entry is found, generating an alert that identifies the identified resource module of the matching data entry, (Caitlett, Col. 6, Lines 55-64, In step 203, an attempt to access an organization resource using the honeytoken data is identified. For example, a fraudulent user may attempt to logon to the online banking site of a financial institution using credentials matching one of the honeytoken data entries generated by the institution in step 201. In this example, the fraudulent access attempt may be denied by the bank's web server 101, and may be subsequently flagged [alert] by a scheduled process that scans the network access logs of the web server 101 to search for login credentials matching honeytoken data)
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine Catlett with the method and
system of Dulce to include scanning one or more access logs for the remote computing resource system to detect one or more resource access attempts, each access attempt including an access credential for the access attempt; and for each resource access attempt, searching a token mapping store for a matching data entry where the access credential of the data entry matches the access credential for the access attempt, and if the matching data entry is found, generating an alert that identifies the identified resource module of the matching data entry. One would have been motivated to detect fraudulent activities via a computing network (Catlett, Col. 1, Lines 7-8). 


Regarding claim 6, Dulce and Catlett disclose the computer-implemented method of claim 1. 
Dulce further discloses wherein the tenant resource modules provisioned for the tenant of the remote computer resource system comprise 
one or more of 
a key vault, 
a data store, 
a virtual machine, 
an application service, (Dulce, [0134], application service (e.g. data, voice and video)
an application programming interface, (Dulce, [0151], Application Programming Interface (API) control)
a communications store, 
a domain directory, 
and a credential data store (Dulce, 329F, FIG 3, credential store)

Regarding claim 7, Dulce discloses an intrusion detection system for detecting intrusion in a remote computing resource system, the system comprising: 
one or more processors; (Dulce, [0023], processor) and 
one or more memory devices in communication with the one or more processors, the memory devices having computer-readable instructions stored thereupon that, when executed by the processors, cause the processors to perform operations comprising: (Dulce, [0023], describes one or more memory devices in communication with the one or more processors, the memory devices having computer-readable instructions stored thereupon that when executed by the processors, cause the processors to perform operations)
providing a user interface (UI) by way of the remote computing resource system, the UI identifying a plurality of tenant resource modules provisioned in the remote computing resource system for a tenant of the remote computing resource system to provide resources for the tenant; (Dulce, FIG 6 describes a user interface where a checkmark is provided for a plurality of tenant resource modules such as email, meeting, contact, note/file, browser history, credential store, favorites; [0032] describes a cloud computing system; [0081], describes a remote computing resource system for a user [tenant])
receiving a selection by way of the UI of one or more of the plurality of resource modules to be configured for intrusion detection; (Dulce, FIG 6, [0032], [0034], shows selecting by way of a UI of one or more of the plurality of tenant resource modules in a cloud computing system to be configured for detect compromised devices [intrusion detection]).
responsive to receiving the selection by way of the UI, for the tenant resource modules selected in the UI, (Dulce, FIG 6, [0032] & [0034], shows selecting and receiving the selection by way of a UI of one or more of the plurality of tenant resource modules in a cloud computing system to be configured for detect compromised devices [intrusion detection]).
allocating provisioned resources having corresponding access credentials, (Dulce, FIG 6 shows allocated provisioned resources having corresponding access credentials as shown in 654; [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc).
deploying the corresponding access credentials in respective tenant resource modules, (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (6.9., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™); FIG 6 shows a mapping between user data types or some token types, credentials, database metadata, resource identifiers and email address of tenant, 602, User Data types such as email message, meeting, contact, note/file, browser history, credential store and favorites for example; 656, Database metadata (e.g. Table/DB name); 658, resource identifier (e.g. URL, PATH, SPN) and 660, Email address that identifies the tenant; [0134], application service (e.g. data, voice, video); [0151], application programming interface (API); 329F, FIG 3, credential store all refer to tenant resource modules)
and creating one or more data entries in a token mapping store, the data entries providing a mapping between the tenant, (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (é6.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™); FIG 6 shows a mapping between user data types or some token types, credentials, database metadata, resource identifiers and email address of tenant, 602, User Data types such as email message, meeting, contact, note/file, browser history, credential store and favorites for example; 656, Database metadata (e.g. Table/DB name); 658, resource identifier (e.g. URL, PATH, SPN) and 660, Email address that identifies the tenant; [0134], application service (e.g. data, voice, video); [0151], application programming interface (API); 329F, FIG 3, credential store all refer to tenant resource modules) the data entries providing a mapping between the tenant, the corresponding access credentials  and the identified tenant resource modules in which the corresponding access credentials were deployed).
the corresponding access credentials, and the identified tenant resource modules in which the corresponding access credentials were deployed, (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (é6.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™); FIG 6 shows a mapping between user data types or some token types, credentials, database metadata, resource identifiers and email address of tenant, 602, User Data types such as email message, meeting, contact, note/file, browser history, credential store and favorites for example; 656, Database metadata (e.g. Table/DB name); 658, resource identifier (e.g. URL, PATH, SPN) and 660, Email address that identifies the tenant; [0134], application service (e.g. data, voice, video); [0151], application programming interface (API); 329F, FIG 3, credential store all refer to tenant resource modules) the data entries providing a mapping between the tenant, the corresponding access credentials  and the identified tenant resource modules in which the corresponding access credentials were deployed).
Dulce fails to explicitly disclose scanning one or more access logs for the remote computing resource system to detect one or more resource access attempts, each access attempt including an access credential for the access attempt; and for each resource access attempt:  searching the token mapping store for a matching data entry where the access credential of the data entry matches the access credential for the access attempt, and  if the matching data entry is found, generating an alert that identifies the identified resource module of the matching data entry. 
However, in an analogous art, Catlett discloses scanning one or more access logs for the remote computing resource system to detect one or more resource access attempts, each access attempt including an access credential for the access attempt; (Catlett, Col. 6, Lines 55-64, In step 203, an attempt to access an organization resource using the honeytoken data is identified. For example, a fraudulent user may attempt to logon to the online banking site of a financial institution using credentials matching one of the honeytoken data entries generated by the institution in step 201. In this example, the fraudulent access attempt may be denied by the bank's web server 101, and may be subsequenily flagged by a scheduled process that scans the network access logs of the web server 101 to search for login credentials matching honeytoken data)
and for each resource access attempt:  searching the token mapping store for a matching data entry where the access credential of the data entry matches the access credential for the access attempt, and  if the matching data entry is found, generating an alert that identifies the identified resource module of the matching data entry, (Catlett, Col. 6, Lines 55-64, In step 203, an attempt to access an organization resource using the honeytoken data is identified. For example, a fraudulent user may attempt to logon to the online banking site of a financial institution using credentials matching one of the honeytoken data entries generated by the institution in step 201. In this example, the fraudulent access attempt may be denied by the bank's web server 101, and may be subsequently flagged [alert] by a scheduled process that scans the network access logs of the web server 101 to search for login credentials matching honeytoken data)
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine Catlett with the method and
system of Dulce to include scanning one or more access logs for the remote computing resource system to detect one or more resource access attempts, each access attempt including an access credential for the access attempt; and for each resource access attempt:  searching the token mapping store for a matching data entry where the access credential of the data entry matches the access credential for the access attempt, and  if the matching data entry is found, generating an alert that identifies the identified resource module of the matching data entry. One would have been motivated to detect fraudulent activities via a computing network (Catlett, Col. 1, Lines 7-8). 

Regarding claim 9, Dulce and Catlett disclose the system of claim 7. 
Dulce further discloses wherein: allocating at least one of the provisioned resources comprises generating a storage account; (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc.)  and
the corresponding access credential comprises a key to the storage account,  (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc; FIG 6 shows a record with 654 credentials for access; [0058] & [0099] describes the credentials can be a key to provide access)



Regarding claim 12, Dulce and Catlett disclose the system of claim 7. 
Dulce further discloses wherein at least one of the corresponding access credentials for the provisioned resource comprises 
one of a 
connection string, 
an access key, (Dulce, FIG 6 shows a record with 654 credentials for access; [0058] & [0099] describes the credentials can be a key to provide access)
a certificate, 
a service key, 
a management key, 
a storage key, 
or an access token. 

Regarding claim 13, Dulce and Catlett disclose the system of claim 7. 
Dulce further discloses wherein the one or more resource modules provisioned for the tenant of the remote computing resource system comprise one or more of 
a key vault, 
a data store, 
a virtual machine, 
an application service, (Dulce, [0134], application service (e.g. data, voice and video)
an application programming interface, (Dulce, [0151], Application Programming Interface (API) control)
a communications store, 
a domain directory, 
and a credential data store, (Dulce, 329F, FIG 3, credential store)

Regarding claim 14, claim 14 is directed to one or more computer storage media. Claim 14 is similar in scope to claim 7 and is therefore rejected under similar rationale.

Regarding claim 16, Dulce and Catlett disclose the one or more computer storage media of claim 14. 
Dulce further discloses wherein: allocating at least one of the provisioned resources comprises generating a storage account (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc; FIG 6 shows a record with 654 credentials for access; [0058] & [0099] describes the credentials can be a key)
and the corresponding access credential comprises a key to the storage account, (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc; FIG 6 shows a record with 654 credentials for access; [0058] & [0099] describes the credentials can be a key)

Regarding claim 19, Dulce and Catlett disclose the one or more computer storage media of claim 14. 
Dulce further discloses wherein at least one of the corresponding access credentials for the provisioned resources comprises 
one of a 
connection string, 
an access key, (Dulce, FIG 6 shows a record with 654 credentials for access; [0058] & [0099] describes the credentials can be a key to provide access)
a certificate, 
a service key, 
a management key, 
a storage key, 
or an access token

Regarding claim 20, claim 20 is directed to the one or more computer storage media of claim 14. Claim 20 is similar in scope to claim 13 and is therefore rejected under similar rationale.

Regarding claim 24, Dulce and Cortlett disclose the computer-implemented method of claim 1. 
Dulce further discloses wherein the UI further comprises selectable fields identifying the plurality of tenant resource modules provisioned in the remote computing resource system for the tenant of the remote computing resource system (Dulce, FIG 7 shows selectable fields with a check mark that can identify a plurality of tenant resource modules such as meeting, contact, credential store provisioned in the remote computing resource system for the tenant of the remote computing resource system; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc; FIG 6 shows a record with 654 credentials for access; [0058] & [0099] describes the credentials can be a key). 

8.	Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Dulce et al (“Dulce,” US 20160381023) in view of Catlett et al (“Catlett,” US 8,880,435) and further in view of Ahmadzadeh et al (“Ahmadzedeh,” US 20170134405). 

Regarding claim 3, Dulce and Catlett fail to explicitly disclose the computer-implemented method of claim 1. 
Dulce further discloses a resource allocated for the tenant (Dulce, FIG 6 shows a resource allocated for the tenant).
Dulce and Catlett fail to explicitly disclose wherein the provisioned resources comprises at least one of an unused resource. 
However, in an analogous art, Ahmadzadeh discloses wherein the provisioned resource comprises at least one of an unused resource (Ahmadzadeh, [0022], The honeypot system may then provision new resources and continue monitoring to determine whether or not the applications begin acting maliciously; [0022] users [tenant]; [0040]-[0041], resources with remote servers)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ahmadzadeh with the method and system of Dulce and Catlett to include wherein the provisioned resources comprise at least one of an unused resource. One would have been motivated to trigger malicious activities by the application (Ahmadzadeh, [0002]). 

 Regarding claim 10, Dulce and Catlett disclose the system of claim 7. 
Dulce further discloses a resource allocated for the tenant (Dulce, FIG 6 shows a resource allocated for a cloud computing system for the user [tenant]).
Dulce and Catlett fail to explicitly disclose wherein at least one of the provisioned resources comprises an unused resource allocated for the tenant. 
However, in an analogous art, Ahmadzadeh discloses wherein at least one of the provisioned resources comprises an unused resource allocated for the tenant (Ahmadzadeh, [0022], The honeypot system may then provision new resources and continue monitoring to determine whether or not the applications begin acting maliciously; [0022] users [tenant]; [0040]-[0041], resources with remote servers)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ahmadzadeh with the method and system of Dulce and Catlett to include wherein at least one of the provisioned resources comprises an unused resource allocated for the tenant. One would have been motivated to trigger malicious activities by the application (Ahmadzadeh, [0002]).  

Regarding claim 17, Dulce and Catlett disclose the one or more computer storage media of claim 14. 
Dulce further discloses a resource allocated for the tenant (Dulce, FIG 6 shows a resource allocated for a cloud computing system for the user [tenant]).
Dulce and Catlett fail to explicitly disclose wherein at least one of the provisioned resources comprises an unused resource. 
However, in an analogous art, Ahmadzadeh discloses wherein at least one of the provisioned resources comprises an unused resource (Ahmadzadeh, [0022], The honeypot system may then provision new resources and continue monitoring to determine whether or not the applications begin acting maliciously; [0022] users [tenant]; [0040]-[0041], resources with remote servers)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ahmadzadeh with the method and system of Dulce and Catlett to include wherein at least one of the provisioned resources comprises an unused resource. One would have been motivated to trigger malicious activities by the application (Ahmadzadeh, [0002]).  

9.	Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Dulce et al (“Dulce,” US 20160381023), Catlett et al (“Catlett,” US 8,880,435), in view of Ahmadzadeh et al (“Ahmadzedeh,” US 20170134405) and further in view of Dargude et al (“Dargude,” US 9900330). 

Regarding claim 4, Dulce, Catlett and Ahmadzedeh and disclose the computer-implemented method of claim 3. 
Dulce further discloses a resource allocated for the tenant (Dulce, FIG 6 shows a resource allocated for a cloud computing system for the user [tenant]).
Dulce, Catlett and Ahmadzedeh fail to explicitly disclose wherein the unused resource comprises a container with restricted access permissions. 
However, in an analogous art, Dargude discloses wherein the unused resource comprises a container with restricted access permissions (Dargude, Col. 17, Line 65, tenants; Col. 11, Lines 15-18, determination module 110 may determine the number of shared data containers, folders, and/or files of the organization on which the member has read and/or write permissions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dargude with the method and system of Dulce and Ahmadzedeh to include wherein the unused resource comprises a container with restricted access permissions. One would have been motivated to identify potentially risky data users within organizations (Dargude, Col. 1, Lines 23-24). 

10.	Claims 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Dulce et al (“Dulce,” US 20160381023), in view of Catlett et al (“Catlett,” US 8,880,435),  Ahmadzadeh et al (“Ahmadzedeh,” US 20170134405) in view of Dargude et al (“Dargude,” US 9900330) and further in view of Johnson et al (“Johnson,” US 20200153836). 

Regarding claim 11, Dulce, Catlett and Ahmadzedeh discloses the system of claim 10. 
Dulce further discloses a resource allocated for the tenant (Dulce, FIG 6 shows a resource allocated to the user of cloud computing system for a user [tenant]).
Dulce, Catlett and Ahmadzedeh fail to explicitly disclose wherein the unused resource comprises one of a container with restricted access permissions. 
However, in an analogous art, Dargude discloses wherein the unused resource comprises one of a container with restricted access permissions (Dargude, Col. 17, Line 65, tenants; Col. 11, Lines 15-18, determination module 110 may determine the number of shared data containers, folders, and/or files of the organization on which the member has read and/or write permissions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dargude with the method and system of Dulce, Catlett and Ahmadzedeh to include wherein the unused resource comprises one of a container with restricted access permissions. One would have been motivated to identify potentially risky data users within organizations (Dargude, Col. 1, Lines 23-24). 
Dulce further disclose in a domain corresponding to the tenant (Dulce, [0064], [0101] and [0141] describes a domain in a cloud computer system with a user [tenant] as described in [0032])
Dulce, Catlett, Ahmadzedeh and Dargude fail to explicitly disclose or a fictitious user account. 
However, in an analogous art, Johnson discloses and a fictitious user account, (Johnson, [0056], The fictitious account may also be previously generated prior to the login attempt in order to act as a " honeypot" type security measure and may be identified and accessed at operation 440). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Johnson with the method and system of Dulce, Catlett, Ahmadzedeh and Dargude to include and a fictitious user account. One would have been motivated to track account usage data during an attempted account takeover (Johnson, [0004]). 

Regarding claim 18, Dulce, Cortlett and Ahmadzedeh discloses the one or more computer storage media of claim 17. 
Dulce further discloses a resource allocated for the tenant (Dulce, FIG 6 shows a resource allocated to the user of cloud computing system for a user [tenant]).
Dulce, Cortlett and Ahmadzedeh fail to explicitly disclose wherein the unused resource comprises one of a container with restricted access permissions. 
However, in an analogous art, Dargude discloses wherein the unused resource comprises one of a container with restricted access permissions (Dargude, Col. 17, Line 65, tenants; Col. 11, Lines 15-18, determination module 110 may determine the number of shared data containers, folders, and/or files of the organization on which the member has read and/or write permissions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dargude with the method and system of Dulce, Cortlett and Ahmadzedeh to include wherein the unused resource comprises one of a container with restricted access permissions. One would have been motivated to identify potentially risky data users within organizations (Dargude, Col. 1, Lines 23-24). 
Dulce further disclose in a domain corresponding to the tenant (Dulce, [0064], [0101] and [0141] describes a domain in a cloud computer system with a user [tenant] as described in [0032])
Dulce, Cortlett, Ahmadzedeh and Dargude fail to explicitly disclose or a fictitious user account. 
However, in an analogous art, Johnson discloses or a fictitious user account, (Johnson, [0056], The fictitious account may also be previously generated prior to the login attempt in order to act as a " honeypot" type security measure and may be identified and accessed at operation 440). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Johnson with the method and system of Dulce, Cortlett, Ahmadzedeh and Dargude to include and a fictitious user account. One would have been motivated to track account usage data during an attempted account takeover (Johnson, [0004]). 

11.	Claims 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Dulce et al (“Dulce,” US 20160381023), in view of Catlett et al (“Catlett,” US 8,880,435) and further in view of Sharifi Mehr et al (“Mehr,” 10,904,277). 

Regarding claim 21, Dulce and Cortlett disclose the computer-implemented method of claim 1. 
Dulce and Cortlett fail to explicitly disclose wherein the UI further comprises a UI control which, when selected, will cause threat intelligence data to be generated and sent to one or more entities.
However, in an analogous art, Mehr discloses wherein the UI further comprises a UI control which, when selected, will cause threat intelligence data to be generated and sent to one or more entities, (Mehr, FIG 1A, Col. 6, Lines 3-11, Col. 11, Lines 32-67; Col. 12, Lines 1-3, describe wherein the user interface comprising a UI control which when selected will cause threat intelligence data to be generated; Col. 16, Lines 49-58; Col. 20, Lines 50-67; Col. 21, Lines 1-29 describe sending to one or more entities)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mehr with the method and system of Dulce and Cortlett to include wherein the UI further comprises a UI control which, when selected, will cause threat intelligence data to be generated and sent to one or more entities. One would have been motivated to provide network activity monitoring and threat level quantification (Mehr, Col. 2, Lines 45-49). 

Regarding claim 22, Dulce and Cortlett disclose the system of claim 7. 
Dulce and Cortlett fail to explicitly disclose wherein the UI further comprises a UI control which, when selected, will cause threat intelligence data to be generated and sent to one or more entities.
However, in an analogous art, Mehr discloses wherein the UI further comprises a UI control which, when selected, will cause threat intelligence data to be generated and sent to one or more entities, (Mehr, FIG 1A, Col. 6, Lines 3-11, Col. 11, Lines 32-67; Col. 12, Lines 1-3, describe wherein the user interface comprising a UI control which when selected will cause threat intelligence data to be generated; Col. 16, Lines 49-58; Col. 20, Lines 50-67; Col. 21, Lines 1-29 describe sending to one or more entities)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mehr with the method and system of Dulce and Cortlett to include wherein the UI further comprises a UI control which, when selected, will cause threat intelligence data to be generated and sent to one or more entities. One would have been motivated to provide network activity monitoring and threat level quantification (Mehr, Col. 2, Lines 45-49). 

Regarding claim 23, Dulce and Cortlett disclose the one or more computer storage media of claim 14. 
Dulce and Cortlett fail to explicitly disclose wherein the UI further comprises a UI control which, when selected, will cause threat intelligence data to be generated and sent to one or more entities.
However, in an analogous art, Mehr discloses wherein the UI further comprises a UI control which, when selected, will cause threat intelligence data to be generated and sent to one or more entities, (Mehr, FIG 1A, Col. 6, Lines 3-11, Col. 11, Lines 32-67; Col. 12, Lines 1-3, describe wherein the user interface comprising a UI control which when selected will cause threat intelligence data to be generated; Col. 16, Lines 49-58; Col. 20, Lines 50-67; Col. 21, Lines 1-29 describe sending to one or more entities)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mehr with the method and system of Dulce and Cortlett to include wherein the UI further comprises a UI control which, when selected, will cause threat intelligence data to be generated and sent to one or more entities. One would have been motivated to provide network activity monitoring and threat level quantification (Mehr, Col. 2, Lines 45-49). 




Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/JAMES J WILCOX/           Examiner, Art Unit 2439 


/LUU T PHAM/           Supervisory Patent Examiner, Art Unit 2439