Detailed Action
This action is in response to Applicant's communications filed 20 June 2022.
Claim(s) 1-3, 6, 15, 20-21 and 25-28 was/were amended.  No claims was/were cancelled.  No claims were withdrawn.  Claims 29-32 were added.  Therefore, claims 1-3, 6, 15-17, and 20-32 are pending in this Application.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 20 June 2022 has been entered.
 
Response to Amendments/Arguments
Applicant's arguments, filed 20 June 2022, regarding the rejections of claims 1-3, 6, 15-17, and 20-32 under 35 USC 103 have been fully considered but are moot because the arguments do not apply to any of the references being used in the current rejection.
Applicant’s arguments, filed 20 June 2022, with respect to the rejections of claims 1-3, 6, 15-17, and 20-32 under 35 USC 103 are regarding newly amended claims and are addressed in the current rejection. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-3, 6, 15-17, 20-23, 25-26, and 29-32 is/are rejected under 35 U.S.C. 103 as being unpatentable over Srivastava (US10380520B2) in view of Porras et al. (A Mission-Impact-Based Approach to INFOSEC Alarm Correlation, hereinafter "Porras") and Jantti et al. (Improving Service Level Management Practices: A Case Study in an IT Service Provider Organization, hereinafter "Jantti").

Regarding claims 1 and 15,
Srivastava teaches a computer-implemented method of handling events gathered from an information technology (IT) infrastructure, comprising:
 a computer program product stored on a computer readable storage medium (“Storage component 340 stores information and/or software related to the operation and use of device 300. For example, storage component 340 may include a hard disk (e.g., a magnetic disk, an optical disk, a magneto-optic disk, and/or a solid state disk), a compact disc (CD), a digital versatile disc (DVD), a floppy disk, a cartridge, a magnetic tape, and/or another type of non-transitory computer-readable medium, along with a corresponding drive.” Col 12, lns 13-20)
which when executed by a computing system, provides handling events gathered from an information technology (IT) infrastructure (“A ticket management system may resolve issues indicated by ticket data.” Col 2, lns 42-43; In this case, a ticket management system that may resolve issues is being considered to be the same as an IT infrastructure that provides handling events.)
	receiving an event ("In some implementations, cloud platform 220 may receive the ticket data based on processing a document (e.g., a design document, a requirements document, etc.). In this case, cloud platform 220 may apply a natural language processing technique, a machine learning technique, or the like, to process the document." Col 13, lns 60-65; In this case, the ticket data, processed from the natural language in the document, is being considered the same as an event in the form of a human readable message.)
	processing, using a machine learning model that includes a passage retrieval algorithm, the event relative to a knowledgebase of previously captured events ("Additionally, the cloud platform may use the ticket data model to select a particular resolution, from the set of recommended resolutions. For example, the cloud platform may apply a machine learning or a natural language processing technique to determine the particular resolution to select. As an example, the cloud platform may apply a machine learning technique or a natural language processing technique to analyze the set of recommended resolutions, which may include one or more particular resolutions that involve assigning a developer to resolve the issue." Col 4, lns 39 – 48; Passage retrieval algorithms are a combination of NLP and information retrieval, therefore the reference is being considered to include this limitation.) 
	identifying a set of matching events and associated solutions based on the processing ("By classifying the ticket data into a ticket type, cloud platform 220 may analyze a subset of the historical ticket data to resolve the issue (e.g., a subset with a matching ticket type), thereby reducing utilization of computing resources relative to resolving the issue by analyzing all historical ticket data." Col 16, lns 16-19; In this case, the classification of ticket data in the reference is being considered to be the same as processing);
ranking the set of matching events and associated solutions using a learn to rank algorithm, wherein the ranking is based, in part, on relevancy of each matching event and each associated solution to the event ("For example, resolution selection module 276 may use a resolution scoring submodule to rank resolutions included in the set of recommended resolutions, and may utilize a resolution analysis submodule to determine whether one or more resolutions associated with the set of recommended resolutions satisfy a threshold." Col 9, lns 34 – 40; “The one or more instructions, when executed by the one or more processors, may cause the one or more processors to determine, by applying a machine learning technique, a particular resolution for the issue associated with the project, based on the classification of the ticket data.” Col 1, lns 48 – 53; the resolution selection module applies a machine learning algorithm to the set of possible resolutions.  A learning to rank algorithm is simply the use of a machine learning model to rank data, typically in an information retrieval system.)
determining whether there is at least one matching event in a ranked set of matching events ("By classifying the ticket data into a ticket type, cloud platform 220 may analyze a subset of the historical ticket data to resolve the issue (e.g., a subset with a matching ticket type)." Col 16, lns 16-19; In this case, the classification of ticket data in the reference is being considered to be the same as processing) having a solution confidence with a predefined relationship with respect to a predetermined threshold ("In some implementations, cloud platform 220 may use the ticket data model to select a particular resolution that satisfies a threshold (or that satisfies multiple thresholds). The threshold(s) may indicate an effectiveness level of resolving an issue, an amount of resources to resolve an issue, an amount of time to resolve an issue, a percentage chance of resolving the issue, and/or the like." c.17,l.63-c.18,l.2; "resolution selection module 276 may use a resolution scoring submodule to rank resolutions included in the set of recommended resolutions, and may utilize a resolution analysis submodule to determine whether one or more resolutions associated with the set of recommended resolutions satisfy a threshold" c.9, l.35-40);
notifying based on no matching events in the ranked set of matching events having the solution confidence with the predefined relationship with respect to the predetermined threshold, a selected administrator responsible for determining an appropriate solution ("In some implementations, cloud platform 220 cloud platform 220 may implement a particular resolution by assigning a developer to resolve the issue. For example, assume cloud platform 220 generates data that identifies a set of developers capable of resolving the issue, and applies a natural language processing technique to the data to select data that identifies a developer, from the set of developers, to resolve the issue. In this case, cloud platform 220 may assign the developer to resolve the issue. Additionally, or alternatively, based on failing to classify a particular issue, cloud platform 220 may perform a determination of a group of other related incidents (e.g., one or more other tickets determined to be similar based on a natural language processing analysis), and may assign the group of other related issues and the particular issue to a particular developer to resolve or to further classify for resolution. In this way, cloud platform 220 may ensure that tickets that cloud platform 220 is unable to automatically resolve are resolved, while reducing effort relative to manual resolution of each ticket." c.19,l.64–c.20,l.16) to obtain a resolution to the event, wherein a solution from the set of matching events and associated solutions is not automatically applied absent approval of the selected administrator ("failing to satisfy a threshold may indicate that a project has an issue" c.6,l.38-39; "based on failing to classify a particular issue, cloud platform 220 may perform a determination of a group of other related incidents (e.g., one or more other tickets determined to be similar based on a natural language processing analysis), and may assign the group of other related issues and the particular issue to a particular developer to resolve or to further classify for resolution. In this way, cloud platform 220 may ensure that tickets that cloud platform 220 is unable to automatically resolve are resolved, while reducing effort relative to manual resolution of each ticket." c.19,l.64–c.20,l.16);
obtaining an indication of the resolution to the event ("cloud platform 220 may automatically provide information identifying the particular resolution of the issue associated with the project (ticket resolution information)" c.21, l. 26-35) based on the selected administrator determining the appropriate solution ("In some implementations, ticket resolution module 282 may include information associated with results of identifying a resolution to an issue in ticket data that is to be provided to a developer for manual resolution" c.10,l.16-20; "based on failing to classify a particular issue, cloud platform 220 may perform a determination of a group of other related incidents (e.g., one or more other tickets determined to be similar based on a natural language processing analysis), and may assign the group of other related issues and the particular issue to a particular developer to resolve or to further classify for resolution. In this way, cloud platform 220 may ensure that tickets that cloud platform 220 is unable to automatically resolve are resolved, while reducing effort relative to manual resolution of each ticket." c. 20, l. 6-16); and
updating the machine learning model based on the resolution ("The cloud platform may update the ticket data archive based on the particular resolution. For example, the cloud platform may transmit information indicating the particular resolution, and the ticket data, for storage by the ticket data archive. This may allow subsequent requests for historical ticket data (e.g., to update the ticket data model) to access the ticket and the particular resolution associated with the ticket." Col 5, lns 6 - 11).

Srivasta does not explicitly teach the event being based on a consolidation of alerts, the consolidation of alerts including an alert and one or more dependency alerts that are related to the alert, the alert being of a component of the information technology infrastructure and the one or more dependency alerts being alerts of one or more other components of the information technology infrastructure different than the component of the information technology infrastructure;
setting a timer to track response time of the selected administrator;
determining whether the timer has a predetermined relationship with respect to a timer threshold; and
providing to an app of the selected administrator one status based on the timer having the predetermined relationship with respect to the timer threshold and another status with respect to the timer having another predetermined relationship with respect to the timer threshold.

Porras teaches the event being based on a consolidation of alerts ("M-Correlator employs an alert clustering algorithm, which is used to consolidate both network and host-based INFOSEC alerts that occur in close (dynamically adjustable) temporal proximity into correlated security-incident reports" sec. 3, p. 103), the consolidation of alerts including an alert and one or more dependency alerts that are related to the alert ("M-Correlator next attempts to combine related alerts with an attribute-based alert clustering algorithm (Section 3).  The resulting correlated incident stream represents a filtered, lower-volume, content rich security-incident stream, with an incident-ranking scheme that allows analysts to identify those incidents that pose the greatest risk to the currently specified mission objectives of the monitored network." sec. 2, p. 97; "As each alert is processed by M-Correlator, the associated known dependencies for that alert, as indicated within the incident handling fact base, are compared against the configuration of the target machine." sec. 2.2, p. 98), the alert being of a component of the information technology infrastructure and the one or more dependency alerts being alerts of one or more other components of the information technology infrastructure different than the component of the information technology infrastructure ("M-Correlator employs an alert clustering algorithm, which is used to consolidate both network and host-based INFOSEC alerts that occur in close (dynamically adjustable) temporal proximity into correlated security-incident reports.  INFOSEC alerts regarding network communications are merged through an analysis of common network session, as defined by port and IP address matches, and common observer, alert type, or, more liberally, by common alert classification as defined in the incident handling fact base.   INFOSEC alerts regarding host activity are merged through an analysis of common session, as defined through user session attributes such as process ID or user ID, common observer, alert type, or more liberally by common alert classification. Figure 3, shows an example M-Correlator clustering policy." sec. 3, p. 103).
Srivastava and Porras are analogous art because both are directed to information technology. It would have been obvious to one of ordinary skill in the art before the effective filing date to combine the Automated and Manual Ticket Resolution of Srivastava with the merged alerts of Porras.  The modification would have been obvious because one of ordinary skill in the art would be motivated to filter and combine related incident alarms to allow an analyst to identify the risk of incidents, as suggested by Porras ("Once ranked, the M-Correlator attempts to combine related incident alarms with an attribute-based alert clustering algorithm. The resulting correlated incident stream represents a filtered, lower-volume, content-rich security-incident stream, with an incident-ranking scheme that allows the analyst to identify those incidents that pose the greatest risk to the monitored network." sec. 6, p. 112-113).

Jantti teaches setting a timer to track response time of the selected administrator ("Completed reaction and resolution rules were formed from following elements: Name of the rule, state, view, working hour settings and alerts. State: In this context, a state means one or more states which are covered by the rule (reaction or resolution time). In other words, while a case/ticket is in one of these chosen states, reaction or resolution time will pass and while a case is in a state which is not covered by the rule, reaction or resolution time shall be on hold, for example, waiting for customers actions." sec. 3.4, p. 142);
determining whether the timer has a predetermined relationship with respect to a timer threshold ("Alerts: an alert is an email message which will be sent to chosen parties in speciﬁc time (example when resolution time is expired). A user has full control to choose alarm times, persons who will get the alert message and what will be the content of the alert message." sec. 3.4, p. 142); and
providing to an app of the selected administrator one status based on the timer having the predetermined relationship with respect to the timer threshold and another status with respect to the timer having another predetermined relationship with respect to the timer threshold (Figure 2; "State: In this context, a state means one or more states which are covered by the rule (reaction or resolution time). In other words, while a case/ticket is in one of these chosen states, reaction or resolution time will pass and while a case is in a state which is not covered by the rule, reaction or resolution time shall be on hold, for example, waiting for customers actions." sec. 3.4, p. 142; "Lesson 5: ... 1) an SLA time rule has been exceeded and 2) user makes changes to the incident. ... Lesson 6: The number of SLA rules increases rapidly (O), Identify knowledge. Even in a simple SLA case (6 products used by one customer) that we had, the number of SLA rules started to increase fast. There were 4 priority levels and for each priority level we needed to conﬁgure a response time rule and a resolution time rule. Both a response time rule and a resolution time rule required SLA warning alert and SLA breach alert. Thus, organizations should be careful in offering customized SLAs to customers." sec. 4, p. 143; this teaches providing time limits for actions, statuses of the timer running or being put on hold or alerts of a time rule being exceeded).
Srivastava and Jantti are analogous art because both are directed to IT service resolution. It would have been obvious to one of ordinary skill in the art before the effective filing date to combine the Automated and Manual Ticket Resolution of the Srivastava/Porras combination with the service metrics of Jantti.  The modification would have been obvious because one of ordinary skill in the art would be motivated to provide clear knowledge management information to all parties, as suggested by Jantti ("Knowledge management aims to ensure that the right information is delivered to appropriate persons at the right time. There are three main beneﬁts why SLAs provide valuable knowledge in IT service management. First, SLAs provide both an IT organization and a customer with clear information of the service level... Second, SLA documents the knowledge on the roles and responsibilities and deﬁnes the rules what happens after service targets do not meet expectations... Third, service monitoring provides the organization with the knowledge of weak areas in the services or products which is an important input to Continual Service Improvement." sec. 1, p. 139).

Regarding Claim 21, 
Srivastava teaches a system comprising a processor; and a computer-readable storage medium communicatively coupled to the processor and storing program instructions which, when executed by the processor, cause the processor to perform a method comprising (“According to some implementations, a non-transitory computer-readable medium may store instructions. The one or more instructions, when executed by one or more processors, may cause the one or more processors to receive, from a client device, ticket data for automated resolution.” Col 1, lns 39 – 43) 
receiving an event ("In some implementations, cloud platform 220 may receive the ticket data based on processing a document (e.g., a design document, a requirements document, etc.). In this case, cloud platform 220 may apply a natural language processing technique, a machine learning technique, or the like, to process the document." Col 13, lns 60-65; In this case, the ticket data, processed from the natural language in the document, is being considered the same as an event in the form of a human readable message.)
processing, using a machine learning model that includes a passage retrieval algorithm, the event relative to a knowledgebase of previously captured events ("Additionally, the cloud platform may use the ticket data model to select a particular resolution, from the set of recommended resolutions. For example, the cloud platform may apply a machine learning or a natural language processing technique to determine the particular resolution to select. As an example, the cloud platform may apply a machine learning technique or a natural language processing technique to analyze the set of recommended resolutions, which may include one or more particular resolutions that involve assigning a developer to resolve the issue." Col 4, lns 39 – 48; Passage retrieval algorithms are a combination of NLP and information retrieval, therefore the reference is being considered to include this limitation.) 
 identifying a set of matching events and associated solutions based on the processing ("By classifying the ticket data into a ticket type, cloud platform 220 may analyze a subset of the historical ticket data to resolve the issue (e.g., a subset with a matching ticket type), thereby reducing utilization of computing resources relative to resolving the issue by analyzing all historical ticket data." Col 16, lns 16-19; In this case, the classification of ticket data in the reference is being considered to be the same as processing.)
ranking the set of matching events and associated solutions using a learn to rank algorithm, wherein the ranking is based, in part, on relevancy of each matching event and each associated solution to the event ("For example, resolution selection module 276 may use a resolution scoring submodule to rank resolutions included in the set of recommended resolutions, and may utilize a resolution analysis submodule to determine whether one or more resolutions associated with the set of recommended resolutions satisfy a threshold." Col 9, lns 34 – 40; “The one or more instructions, when executed by the one or more processors, may cause the one or more processors to determine, by applying a machine learning technique, a particular resolution for the issue associated with the project, based on the classification of the ticket data.” Col 1, lns 48 – 53; The resolution selection module applies a machine learning algorithm to the set of possible resolutions.  A learning to rank algorithm is simply the use of a machine learning model to rank data, typically in an information retrieval system.)
determining whether there is at least one matching event in a ranked set of matching events ("By classifying the ticket data into a ticket type, cloud platform 220 may analyze a subset of the historical ticket data to resolve the issue (e.g., a subset with a matching ticket type)." Col 16, lns 16-19; In this case, the classification of ticket data in the reference is being considered to be the same as processing) having a solution confidence with a predefined relationship with respect to a predetermined threshold ("In some implementations, cloud platform 220 may use the ticket data model to select a particular resolution that satisfies a threshold (or that satisfies multiple thresholds). The threshold(s) may indicate an effectiveness level of resolving an issue, an amount of resources to resolve an issue, an amount of time to resolve an issue, a percentage chance of resolving the issue, and/or the like." c.17,l.63-c.18,l.2; "resolution selection module 276 may use a resolution scoring submodule to rank resolutions included in the set of recommended resolutions, and may utilize a resolution analysis submodule to determine whether one or more resolutions associated with the set of recommended resolutions satisfy a threshold" c.9, l.35-40);
notifying  based on no matching events in the ranked set of matching events having the solution confidence with the predefined relationship with respect to the predetermined threshold, a selected administrator responsible for determining an appropriate solution ("In some implementations, cloud platform 220 cloud platform 220 may implement a particular resolution by assigning a developer to resolve the issue. For example, assume cloud platform 220 generates data that identifies a set of developers capable of resolving the issue, and applies a natural language processing technique to the data to select data that identifies a developer, from the set of developers, to resolve the issue. In this case, cloud platform 220 may assign the developer to resolve the issue. Additionally, or alternatively, based on failing to classify a particular issue, cloud platform 220 may perform a determination of a group of other related incidents (e.g., one or more other tickets determined to be similar based on a natural language processing analysis), and may assign the group of other related issues and the particular issue to a particular developer to resolve or to further classify for resolution. In this way, cloud platform 220 may ensure that tickets that cloud platform 220 is unable to automatically resolve are resolved, while reducing effort relative to manual resolution of each ticket." c.19,l.64–c.20,l.16) to obtain a resolution to the event, wherein a solution from the set of matching events and associated solutions is not automatically applied absent approval of the selected administrator ("failing to satisfy a threshold may indicate that a project has an issue" c.6,l.38-39; "based on failing to classify a particular issue, cloud platform 220 may perform a determination of a group of other related incidents (e.g., one or more other tickets determined to be similar based on a natural language processing analysis), and may assign the group of other related issues and the particular issue to a particular developer to resolve or to further classify for resolution. In this way, cloud platform 220 may ensure that tickets that cloud platform 220 is unable to automatically resolve are resolved, while reducing effort relative to manual resolution of each ticket." c.19,l.64–c.20,l.16);
obtaining an indication of the resolution to the event ("cloud platform 220 may automatically provide information identifying the particular resolution of the issue associated with the project (ticket resolution information)" c.21, l. 26-35) based on the selected administrator determining the appropriate solution ("In some implementations, ticket resolution module 282 may include information associated with results of identifying a resolution to an issue in ticket data that is to be provided to a developer for manual resolution" c.10,l.16-20; "based on failing to classify a particular issue, cloud platform 220 may perform a determination of a group of other related incidents (e.g., one or more other tickets determined to be similar based on a natural language processing analysis), and may assign the group of other related issues and the particular issue to a particular developer to resolve or to further classify for resolution. In this way, cloud platform 220 may ensure that tickets that cloud platform 220 is unable to automatically resolve are resolved, while reducing effort relative to manual resolution of each ticket." c. 20, l. 6-16); and
updating the machine learning model based on the resolution. (Col 5, lns 6 - 11; "The cloud platform may update the ticket data archive based on the particular resolution. For example, the cloud platform may transmit information indicating the particular resolution, and the ticket data, for storage by the ticket data archive. This may allow subsequent requests for historical ticket data (e.g., to update the ticket data model) to access the ticket and the particular resolution associated with the ticket.")

Srivasta does not explicitly teach the event being based on a consolidation of alerts, the consolidation of alerts including an alert and one or more dependency alerts that are related to the alert, the alert being of a component of the information technology infrastructure and the one or more dependency alerts being alerts of one or more other components of the information technology infrastructure different than the component of the information technology infrastructure;
setting a timer to track response time of the selected administrator;
determining whether the timer has a predetermined relationship with respect to a timer threshold; and
providing to an app of the selected administrator one status based on the timer having the predetermined relationship with respect to the timer threshold and another status with respect to the timer having another predetermined relationship with respect to the timer threshold.

Porras teaches the event being based on a consolidation of alerts ("M-Correlator employs an alert clustering algorithm, which is used to consolidate both network and host-based INFOSEC alerts that occur in close (dynamically adjustable) temporal proximity into correlated security-incident reports" sec. 3, p. 103), the consolidation of alerts including an alert and one or more dependency alerts that are related to the alert ("M-Correlator next attempts to combine related alerts with an attribute-based alert clustering algorithm (Section 3).  The resulting correlated incident stream represents a filtered, lower-volume, content rich security-incident stream, with an incident-ranking scheme that allows analysts to identify those incidents that pose the greatest risk to the currently specified mission objectives of the monitored network." sec. 2, p. 97; "As each alert is processed by M-Correlator, the associated known dependencies for that alert, as indicated within the incident handling fact base, are compared against the configuration of the target machine." sec. 2.2, p. 98), the alert being of a component of the information technology infrastructure and the one or more dependency alerts being alerts of one or more other components of the information technology infrastructure different than the component of the information technology infrastructure ("M-Correlator employs an alert clustering algorithm, which is used to consolidate both network and host-based INFOSEC alerts that occur in close (dynamically adjustable) temporal proximity into correlated security-incident reports.  INFOSEC alerts regarding network communications are merged through an analysis of common network session, as defined by port and IP address matches, and common observer, alert type, or, more liberally, by common alert classification as defined in the incident handling fact base.   INFOSEC alerts regarding host activity are merged through an analysis of common session, as defined through user session attributes such as process ID or user ID, common observer, alert type, or more liberally by common alert classification. Figure 3, shows an example M-Correlator clustering policy." sec. 3, p. 103).
Srivastava and Porras are analogous art because both are directed to information technology. It would have been obvious to one of ordinary skill in the art before the effective filing date to combine the Automated and Manual Ticket Resolution of Srivastava with the merged alerts of Porras.  The modification would have been obvious because one of ordinary skill in the art would be motivated to filter and combine related incident alarms to allow an analyst to identify the risk of incidents, as suggested by Porras ("Once ranked, the M-Correlator attempts to combine related incident alarms with an attribute-based alert clustering algorithm. The resulting correlated incident stream represents a filtered, lower-volume, content-rich security-incident stream, with an incident-ranking scheme that allows the analyst to identify those incidents that pose the greatest risk to the monitored network." sec. 6, p. 112-113).

Jantti teaches setting a timer to track response time of the selected administrator ("Completed reaction and resolution rules were formed from following elements: Name of the rule, state, view, working hour settings and alerts. State: In this context, a state means one or more states which are covered by the rule (reaction or resolution time). In other words, while a case/ticket is in one of these chosen states, reaction or resolution time will pass and while a case is in a state which is not covered by the rule, reaction or resolution time shall be on hold, for example, waiting for customers actions." sec. 3.4, p. 142);
determining whether the timer has a predetermined relationship with respect to a timer threshold ("Alerts: an alert is an email message which will be sent to chosen parties in speciﬁc time (example when resolution time is expired). A user has full control to choose alarm times, persons who will get the alert message and what will be the content of the alert message." sec. 3.4, p. 142); and
providing to an app of the selected administrator one status based on the timer having the predetermined relationship with respect to the timer threshold and another status with respect to the timer having another predetermined relationship with respect to the timer threshold (Figure 2; "State: In this context, a state means one or more states which are covered by the rule (reaction or resolution time). In other words, while a case/ticket is in one of these chosen states, reaction or resolution time will pass and while a case is in a state which is not covered by the rule, reaction or resolution time shall be on hold, for example, waiting for customers actions." sec. 3.4, p. 142; "Lesson 5: ... 1) an SLA time rule has been exceeded and 2) user makes changes to the incident. ... Lesson 6: The number of SLA rules increases rapidly (O), Identify knowledge. Even in a simple SLA case (6 products used by one customer) that we had, the number of SLA rules started to increase fast. There were 4 priority levels and for each priority level we needed to conﬁgure a response time rule and a resolution time rule. Both a response time rule and a resolution time rule required SLA warning alert and SLA breach alert. Thus, organizations should be careful in offering customized SLAs to customers." sec. 4, p. 143; this teaches providing time limits for actions, statuses of the timer running or being put on hold or alerts of a time rule being exceeded).
Srivastava and Jantti are analogous art because both are directed to IT service resolution. It would have been obvious to one of ordinary skill in the art before the effective filing date to combine the Automated and Manual Ticket Resolution of the Srivastava/Porras combination with the service metrics of Jantti.  The modification would have been obvious because one of ordinary skill in the art would be motivated to provide clear knowledge management information to all parties, as suggested by Jantti ("Knowledge management aims to ensure that the right information is delivered to appropriate persons at the right time. There are three main beneﬁts why SLAs provide valuable knowledge in IT service management. First, SLAs provide both an IT organization and a customer with clear information of the service level... Second, SLA documents the knowledge on the roles and responsibilities and deﬁnes the rules what happens after service targets do not meet expectations... Third, service monitoring provides the organization with the knowledge of weak areas in the services or products which is an important input to Continual Service Improvement." sec. 1, p. 139).

Regarding Claims 2, 16, and 22, 
The Srivastava/Porras/Jantti combination teaches the computer-implemented method and computer program product of Claims 1, 15, and 21 respectively, and Srivastava further teaches:
	wherein the event is obtained from an event scanner that probes the IT infrastructure (Col 3, lns 46-51; " the cloud platform may receive, from the client device, ticket data. For example, the cloud platform may cause a user interface associated with the client device to display information indicating ticket data. The ticket data may include one or more fields for describing an issue associated with a project.")
	
Regarding Claims 3, 17, and 23,
The Srivastava/Porras/Jantti combination teaches the computer-implemented method and computer program product of Claims 1, 15, and 21 respectively, and Srivastava further teaches:
	wherein the event is obtained from natural language inputs of an end user (Col 3, lns 50-55; “The ticket data may include one or more fields for describing an issue associated with a project. In this case, a user may interact with the user interface (e.g., to input information into the one or more fields), which may cause the client device to transmit the ticket data to the cloud platform.” Col 4, lns 2-6; "In some implementations, the cloud platform may use the ticket data model to analyze the information included in the ticket data by applying a natural language processing technique and/or a machine learning technique.")

Regarding Claim 6 and 20, 
The Srivastava/Porras/Jantti combination teaches the computer-implemented method and computer program product of Claims 1 and 15 respectively, and Srivastava further teaches:
	further comprising: storing the event in the knowledge base along with the appropriate solution in a human readable format (Col 5, lns 5 - 8; "For example, the cloud platform may transmit information indicating the particular resolution, and the ticket data, for storage by the ticket data archive. ", Col 15, lns 31 - 36; "For example, cloud platform 220 may apply a natural language processing technique to parse information included in the ticket data, and may compare the information included in the ticket data and information included in the ticket data model (e.g., the information included in the historical ticket data). ")
	and updating the solution confidence based on the resolution (Col 5, lns 8 - 11; "This may allow subsequent requests for historical ticket data (e.g., to update the ticket data model) to access the ticket and the particular resolution associated with the ticket.", Col 21, lns 50-55 “In this way, ticket data archive 260 maintains updated information regarding the effectiveness levels of resolutions, and cloud platform 220 may access this information to make subsequent determinations regarding a resolution to implement.”)
	
Regarding Claim 25, 
The Srivastava/Porras/Jantti combination teaches the method of Claim 1, and Srivastava further teaches: 
the appropriate solution (Abstract; "The device may automatically perform one or more actions to implement the particular resolution to resolve the issue associated with the project.") was determined from a natural language chat launched by the selected administrator to obtain the resolution to the event ("In some implementations, cloud platform 220 may automatically implement the particular resolution to a project that is external to cloud platform 220. For example, cloud platform 220 may use one or more APIs to gain permission to implement the particular resolution to the project." c.18,l.33-37; "In some implementations, cloud platform 220 cloud platform 220 may implement a particular resolution by assigning a developer to resolve the issue. For example, assume cloud platform 220 generates data that identifies a set of developers capable of resolving the issue, and applies a natural language processing technique to the data to select data that identifies a developer, from the set of developers, to resolve the issue." c.19,l.64-c.20,l.16; "In some implementations, cloud platform 220 may utilize a natural language technique, such as a virtual agent, to communicate with a user using natural language to obtain ticket data, such as to query the user regarding an issue." c. 14, l. 5-8; "Additionally, or alternatively, the cloud platform may monitor the project and/or receive feedback about the particular resolution to determine an effectiveness level of the resolution." c. 4, l. 67 – c. 5, l. 3)

Regarding Claim 26, 
The Srivastava/Porras/Jantti combination teaches the method of Claim 1.  Srivastava further teaches providing a status of the event using a visual indicator on a user interface (Col 10, lns 28 - 32; "Additionally, or alternatively, output module 284 may provide a user interface that displays status updates on a particular resolution that is being implemented by ticket resolution module 282.")

Regarding Claim 29 and 32, 
The Srivastava/Porras/Jantti combination teaches the computer-implemented method and computer program product of Claims 1 and 15 respectively, and Porras further teaches:
wherein the alert corresponds to an application and the one or more dependency alerts correspond to one or more subsystems of the information technology infrastructure and a network of the information technology infrastructure ("M-Correlator next attempts to combine related alerts with an attribute-based alert clustering algorithm (Section 3).  The resulting correlated incident stream represents a filtered, lower-volume, content rich security-incident stream, with an incident-ranking scheme that allows analysts to identify those incidents that pose the greatest risk to the currently specified mission objectives of the monitored network." sec. 2, p. 97; "As each alert is processed by M-Correlator, the associated known dependencies for that alert, as indicated within the incident handling fact base, are compared against the configuration of the target machine." sec. 2.2, p. 98; "M-Correlator employs an alert clustering algorithm, which is used to consolidate both network and host-based INFOSEC alerts that occur in close (dynamically adjustable) temporal proximity into correlated security-incident reports.  INFOSEC alerts regarding network communications are merged through an analysis of common network session, as defined by port and IP address matches, and common observer, alert type, or, more liberally, by common alert classification as defined in the incident handling fact base.   INFOSEC alerts regarding host activity are merged through an analysis of common session, as defined through user session attributes such as process ID or user ID, common observer, alert type, or more liberally by common alert classification. Figure 3, shows an example M-Correlator clustering policy." sec. 3, p. 103).
Srivastava and Porras are analogous art because both are directed to information technology. It would have been obvious to one of ordinary skill in the art before the effective filing date to combine the Automated and Manual Ticket Resolution of Srivastava with the merged alerts of Porras.  The modification would have been obvious because one of ordinary skill in the art would be motivated to filter and combine related incident alarms to allow an analyst to identify the risk of incidents, as suggested by Porras ("Once ranked, the M-Correlator attempts to combine related incident alarms with an attribute-based alert clustering algorithm. The resulting correlated incident stream represents a filtered, lower-volume, content-rich security-incident stream, with an incident-ranking scheme that allows the analyst to identify those incidents that pose the greatest risk to the monitored network." sec. 6, p. 112-113).


Regarding Claim 30, 
The Srivastava/Porras/Jantti combination teaches the method of Claim 1.  Srivastava further teaches wherein the response time of the selected administrator being tracked is a time it takes for the selected administrator responsible for determining the appropriate solution to acknowledge the event ("information indicating a time in which the issue was resolved, whether an issue was resolved manually or automatically, informa­tion indicating an amount of resources used to resolve the 65 issue ( e.g., computing resources, human resources, such as time spent by a technician or a developer, etc.), and/or the like." c. 14, l.61-67).

Regarding Claim 31, 
The Srivastava/Porras/Jantti combination teaches the method of Claim 1.  Srivastava further teaches automatically applying the solution from the set of matching events and associated solutions to obtain the resolution to the event ("In some implementations, cloud platform 220 may automatically implement the particular resolution to a project that is external to cloud platform 220. For example, cloud platform 220 may use one or more APIs to gain permission to implement the particular resolution to the project." c.18,l.33-37), based on determining that there is at least one matching event in the ranked set of matching events having the solution confidence with the predefined relationship with respect to the predetermined threshold ("In some implementations, cloud platform 220 may use the ticket data model to select a particular resolution that satisfies a threshold (or that satisfies multiple thresholds). The threshold(s) may indicate an effectiveness level of resolving an issue, an amount of resources to resolve an issue, an amount of time to resolve an issue, a percentage chance of resolving the issue, and/or the like." c.17,l.63-c.18,l.2).


Claims 24, 27, and 28 is/are rejected under 35 U.S.C. 103 as being unpatentable over Srivastava (US10380520B2) in view of Porras et al. (A Mission-Impact-Based Approach to INFOSEC Alarm Correlation, hereinafter "Porras"), Jantti et al. (Improving Service Level Management Practices: A Case Study in an IT Service Provider Organization, hereinafter "Jantti"), and Peterson (US 20140019853 A1).

Regarding Claim 24, 
The Srivastava/Porras/Jantti combination teaches the system of Claim 21.  
Srivastava further teaches wherein the method performed by the processor further comprises providing a status of the event using a visual indicator on a user interface (Col 10, lns 28 - 32; "Additionally, or alternatively, output module 284 may provide a user interface that displays status updates on a particular resolution that is being implemented by ticket resolution module 282.")

Srivastava does not explicitly teach wherein the visual indicator includes a set of color indicators configured to indicate the status of the event.
Peterson teaches wherein the visual indicator includes a set of color indicators configured to indicate the status of the event. Peterson ([0032]; "Indeed, as shown in FIG. 3A information related to the symptoms can be copied to a "symptoms" pane 26 illustratively color coded red, as shown in FIG. 3B information related to details can be copied to a "details" pane 26 illustratively color coded yellow and, as shown in FIG. 3C, information related to the problem resolution can be copied to a "resolution" pane 26, illustratively color coded green.")
Peterson and Srivastava are analogous art as they are in the same field of help desk ticket handling.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system and method disclosed by the Srivastava/Porras/Jantti combination with Peterson to include color coded indicators in order to have better user interactions (Peterson [0016]). One of ordinary skill in the art would have been motivated to make this modification in order to make an automated ticket handling system with clear, color coded status indicators. “The display fields of the editing applet 56 are illustratively color coded in the same fashion as the authoring applet 24 to improve user navigation and understanding.” (Peterson [0034]). 

Regarding Claim 27, 
The Srivastava/Porras/Jantti combination teaches the system of Claim 26. The Srivastava/Porras/Jantti combination does not explicitly teach wherein the visual indicator includes a set of color indicators configured to indicate the status of the event.
Peterson teaches wherein the visual indicator includes a set of color indicators configured to indicate the status of the event. Peterson ([0032]; "Indeed, as shown in FIG. 3A information related to the symptoms can be copied to a "symptoms" pane 26 illustratively color coded red, as shown in FIG. 3B information related to details can be copied to a "details" pane 26 illustratively color coded yellow and, as shown in FIG. 3C, information related to the problem resolution can be copied to a "resolution" pane 26, illustratively color coded green.")
Peterson and Srivastava are analogous art as they are in the same field of help desk ticket handling.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system and method disclosed by the Srivastava/Porras/Jantti combination with Peterson to include color coded indicators in order to have better user interactions (Peterson [0016]). One of ordinary skill in the art would have been motivated to make this modification in order to make an automated ticket handling system with clear, color coded status indicators. “The display fields of the editing applet 56 are illustratively color coded in the same fashion as the authoring applet 24 to improve user navigation and understanding.” (Peterson [0034]).

Regarding Claim 28, 
The Srivastava/Porras/Jantti/Peterson combination teaches the method of Claim 27. 
Peterson further teaches wherein each of the set of color indicators are used to indicate one of the statuses selected from a group consisting of: the event has been resolved; the event is waiting to be addressed; the event is currently being addressed; and the event has not been addressed for greater than a predetermined amount of time. Peterson ([0032]; "Indeed, as shown in FIG. 3A information related to the symptoms can be copied to a "symptoms" pane 26 illustratively color coded red, as shown in FIG. 3B information related to details can be copied to a "details" pane 26 illustratively color coded yellow and, as shown in FIG. 3C, information related to the problem resolution can be copied to a "resolution" pane 26, illustratively color coded green." In this case, the colored details of the event in the application (waiting to be addressed, currently being addressed, not been addressed for greater than a predetermined amount of time) is being considered to fit within the “details” pane of the reference. Each status of the reference has a specific associated color, and this is being considered to be the same as a visual color indicator)
Peterson and Srivastava are analogous art as they are in the same field of help desk ticket handling.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system and method disclosed by the Srivastava/Porras/Jantti combination with Peterson to include color coded indicators in order to have better user interactions (Peterson [0016]). One of ordinary skill in the art would have been motivated to make this modification in order to make an automated ticket handling system with clear, color coded status indicators. “The display fields of the editing applet 56 are illustratively color coded in the same fashion as the authoring applet 24 to improve user navigation and understanding.” (Peterson [0034]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHARLES C KUO whose telephone number is (571)270-7477.  The examiner can normally be reached on M-F: 9:00 a.m. - 6:00 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ann Lo can be reached on (571) 272-9767.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHARLES C KUO/Examiner, Art Unit 2126  
/ANN J LO/Supervisory Patent Examiner, Art Unit 2126