DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Summary
This action is a responsive to the amendment filed on 7/19/2022.
Claims 1-20 are pending and have been examined.
Claims 1-20 are rejected.

Response to Arguments
Drawings
Applicant’s Response:
	Drawings are objected to allegedly because they include reference characters 234, 308, 324, and 508 not mentioned in the description. 
Applicant submits that the reference character '308' as mentioned in sheet 3/10 of the drawings has been corrected to read 218. A replacement sheet containing the correction is attached with this response. No new matter has been added. 
Further, reference characters 234, 324, and 508 have been added in the Specification at appropriate paragraphs of the Specification, as given above. 
Accordingly, it is respectfully requested that the objection to the drawings be withdrawn.

Examiner’s Response:
Applicant’s arguments, see remarks, filed 7/19/22, with respect to the drawings have been fully considered and are persuasive.  The objection of 4/19/22 has been withdrawn. 

Objection to Claim 7
Applicant’s Response:
	Applicant submits that claim 7 has been appropriately amended to address the objection to claim 7. Accordingly, it is requested that objection to claim 7 be withdrawn.

Examiner’s Response:
Applicant’s arguments, see remarks, filed 7/19/22, with respect to claim 7 have been fully considered and are persuasive.  The objection of 4/19/22 has been withdrawn. 

Rejection of Claims under 35 USC 102 and 103
Applicant’s Response:
	Applicant submits that the cited references fail to teach the newly added limitations of:
•	“and create, by an update component, a set of labeled incident tickets associated with the issue, the set of labeled incident tickets including data that provides a solution to the issue”

Examiner’s Response:
Applicant’s arguments with respect to claims 1, 8 and 15 have been considered but are moot because the arguments are directed to amended subject matter properly addressed with the newly cited reference of Scachan et al. (US 20200293946 A1).
The combination of Balasubramanian et al. (US 20200285697 A1) and further in view of Chen et al. (US 20180324062 A1) and Scachan et al. (US 20200293946 A1) teaches the language of independent claims 1 and 8.
The combination of Balasubramanian et al. (US 20200285697 A1) and further in view of Chen et al. (US 20180324062 A1) and Margalit et al. (US 20190036797 A1) and Scachan et al. (US 20200293946 A1) teaches the language of the independent claim 15.

All remaining arguments are now moot in regards to the new rejection.

	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 3-6, 8, 10-12 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and further in view of Chen et al. (US 20180324062 A1) and Scachan et al. (US 20200293946 A1).

As to claim 1, Balasubramanian et al. teaches a system predicting impact on infrastructure elements based on incident ticket data, the system comprising: at least one processor; and at least one memory comprising computer program code, the at least one memory and the computer program code configured to, with the at least one processor, implement a ticket manager component (See ¶¶ [0075], [0023], Teaches that incident avoidance system 120 includes one or more processors 800, memory 802, a network interface 810, and a database 812. Incident alert system 106 may be an information technology help desk or other resource for assisting users and troubleshooting system, software, and/or hardware problems within the enterprise network.), 
to cause the at least one processor to: identify, by an extraction component, impact data associated with at least one issue based on incident-related data obtained from a selected incident ticket, the impact data including an impact time-period (See ¶¶ [0038], [0041], [0044], Teaches that community extractor 302 uses the number of communities identified by corpus sigma calculator 300 and further extracts additional communities present in the data (e.g., from historical incident alert data 110). In some embodiments, determining an affinity score may also include determining parent and child relationships between sources of incident alerts. An incident alert submitted for a child node or network element may be caused by a problem associated with a parent node or network element. attribute strapping 308 includes attaching attributes obtained in the previous stages, including attributes from corpus sigma calculator 300, community extractor 302, semantic analyzer 304, and/or dynamic clustering 306, as well as additional attributes obtained from historical incident alert data 110 to each cluster. For example, attribute strapping 308 may include attaching information about time ranges, affinity score delta, number of sources (e.g., nodes or network elements), parent-child relationship factors, and/or resolution/close notes associated with incident alerts to each of the clusters obtained or generated by dynamic clustering 306);
generate, by a prediction component, predicted impact data including additional data describing a set of potentially impacted infrastructure elements, the set of potentially impacted infrastructure elements comprising a set of potentially impacted infrastructure components based on analysis of the impact data with infrastructure data and monitor data associated with a set of infrastructure components (See ¶¶ [0057], [0066], Teaches that a sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts). 
However, it does not expressly teach the set of potentially impacted infrastructure elements comprising at least one of a set of potential impacted users; and create, by an update component, a set of labeled incident tickets associated with the issue, the set of labeled incident tickets including data that provides a solution to the issue.
Chen et al., from analogous art, teaches the set of potentially impacted infrastructure elements comprising at least one of a set of potential impacted users (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Cloud users can be linked to components in the cloud 40, and different components can be linked).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into Balasubramanian et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).
However, it does not expressly teach create, by an update component, a set of labeled incident tickets associated with the issue, the set of labeled incident tickets including data that provides a solution to the issue.
Scachan et al., from analogous art, teaches create, by an update component, a set of labeled incident tickets associated with the issue, the set of labeled incident tickets including data that provides a solution to the issue (See ¶¶ [0097]-[0104] and Fig. 6, Teaches that matching historical incident data may be obtained from the data store using the key phrases (for the incident under analysis) obtained at block 600. At block 604, a determination may be made as to whether historical incidents are found. At block 606, a hyperlink may be created for an incident number to browse the incident. At block 608, a confidence score of high, medium, and low may be created based on incident match percentage, for example, to the incident under analysis. At block 610, an individual incident response may be generated using the incident hyperlink, confidence score, short description, and closing notes. At block 612, the individual incident response may be added to the final incident resolution recommendation 126 response. At block 614, a determination may be made as to whether additional matching historical incidents are present. At block 616, the incident resolution recommendation 126 may be provided back to the caller (e.g., the user or another entity that requested this information). The incident resolution recommendation 126 may include relevant historical incidents determined at blocks 606-612.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Scachan et al. into the combination of Balasubramanian et al. and Chen et al. to generate an incident ticket associated with the incident, and determine support personnel selected from a plurality of support personnel to resolve the incident ticket and provide recommendations that include an incident nature recommendation, an incident resolution recommendation, and an incident knowledge base article recommendation for the selected support personnel.
One of ordinary skill in the art would have been motivated because it allows one  to generate an incident ticket associated with the incident, and determine support personnel selected from a plurality of support personnel to resolve the incident ticket and provide recommendations that include an incident nature recommendation, an incident resolution recommendation, and an incident knowledge base article recommendation for the selected support personnel (See Scachan et al. ¶ [0023]).

As to claim 3, the combination of Balasubramanian et al. and Chen et al. and Scachan et al. teaches the system according to claim 1 above. Balasubramanian et al. further teaches wherein the ticket manager component further comprises an impact model utilizing machine learning, wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: train the impact model using training data, including the set of labeled incident tickets (See ¶ [0033], Teaches that after the rules knowledge base has been initially populated as part of training phase 200, incident avoidance system 120 may implement a reinforcement learning phase 210. Reinforcement learning phase 210 includes use of a machine learning algorithm that enables refinement and adjustment of the rules in the rules knowledge base through trial and error with feedback. For example, as described above, in some embodiments, a second subset of historical incident alert data 110 may be used by reinforcement engine module 124 to obtain positive and/or negative feedback on the rules in the rules knowledge base during reinforcement learning phase 210. In some cases, user input 212 may be received during reinforcement learning phase 210 to assist reinforcement engine module 124 with refining the rules in the rules knowledge base. User input 212 may be in the form of positive or negative feedback, as well as confirming or denying whether or not a particular incident alert is a dead-end ticket). 

As to claim 4, the combination of Balasubramanian et al. and Chen et al. and Scachan et al. teaches the system according to claim 1 above. However, it does not expressly teach wherein the selected incident ticket comprises an incident ticket received from a user currently facing the at least one issue.
Scachan et al., from analogous art, wherein the selected incident ticket comprises an incident ticket received from a user currently facing the at least one issue (See ¶¶ [0056]-[057], and [0101]-[104], Teaches that the incident ticket router 112 may generate a new incident ticket. At block 210, new incidents may be analyzed, and at block 212, each time an incident ticket is created on a problem management tool, for example, Service NOW, this information may be stored in a relational database. At block 610, an individual incident response may be generated using the incident hyperlink, confidence score, short description, and closing notes. At block 612, the individual incident response may be added to the final incident resolution recommendation 126 response. At block 614, a determination may be made as to whether additional matching historical incidents are present. At block 616, the incident resolution recommendation 126 may be provided back to the caller (e.g., the user or another entity that requested this information). The incident resolution recommendation 126 may include relevant historical incidents determined at blocks 606-612.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Scachan et al. into the combination of Balasubramanian et al. and Chen et al. and Scachan et al. to generate an incident ticket associated with the incident, and determine support personnel selected from a plurality of support personnel to resolve the incident ticket and provide recommendations that include an incident nature recommendation, an incident resolution recommendation, and an incident knowledge base article recommendation for the selected support personnel.
One of ordinary skill in the art would have been motivated because it allows one  to generate an incident ticket associated with the incident, and determine support personnel selected from a plurality of support personnel to resolve the incident ticket and provide recommendations that include an incident nature recommendation, an incident resolution recommendation, and an incident knowledge base article recommendation for the selected support personnel (See Scachan et al. ¶ [0023]).

As to claim 5, the combination of Balasubramanian et al. and Chen et al. and Scachan et al. teaches the system according to claim 1 above. Balasubramanian et al. further teaches wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze the infrastructure data, including a set of known infrastructure components identifying at least one of hardware components and software components from the set of potentially impacted infrastructure elements; and identify a list of potentially impacted infrastructure components from the set of known infrastructure components and the predicted impact data, wherein the set of potentially impacted infrastructure components comprises at least one component unidentified in the incident ticket associated with the issue (See ¶¶ [0041], [0057], [0066], Teaches that determining an affinity score may also include determining parent and child relationships between sources of incident alerts. An incident alert submitted for a child node or network element may be caused by a problem associated with a parent node or network element. For example, in an enterprise network, multiple incident alerts about problems with wireless network access submitted for different devices (i.e., child nodes) may be related to an incident alert about a problem with a wireless access point (i.e., parent node) serving those devices. In such cases, incident alerts for one or more child nodes are related to the incident alert for the parent node. As a result, a resolution of the problem associated with the incident alert for the parent node may be sufficient to resolve the problems detailed in the incident alerts for the child node or nodes. In some embodiments, determining a parent and child relationship between two or more nodes in the enterprise environment may be obtained by analyzing the relationships between the sources (i.e., nodes) included in the incident alerts in historical incident alert data 110. These parent-child relationships may then be used as part of the rules for the prescriptive avoidance rule set. A sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts). 

As to claim 6, the combination of Balasubramanian et al. and Chen et al. and Scachan et al. teaches the system according to claim 1 above. However, it does not expressly teach wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze the infrastructure data, including a set of known users associated with at least one infrastructure component from the set of potentially impacted infrastructure elements; and identify a list of additional potentially impacted users unidentified in the incident ticket associated with the issue from the set of known users that are potentially impacted by the issue.
Chen et al., from analogous art, teaches wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze the infrastructure data, including a set of known users associated with at least one infrastructure component from the set of potentially impacted infrastructure elements; and identify a list of additional potentially impacted users unidentified in the incident ticket associated with the issue from the set of known users that are potentially impacted by the issue (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Relationship manager 26 (FIG. 1) has two primary functions, to generate and maintain relationship maps 36 and to implement a correlation engine. Relationship maps 36 link objects within the topology, such as relationships between VMs, users, hardware, services, etc. The relationship maps 36 map be generated based on the topology 32, VM data, user data, etc. For example, illustrative maps may determine which VMs are associated with which hosts, which VMs are associated with which network bridges, which VMs are associated with which users, etc. For example, a first VM (VM1) may have relationships with a host (HOST2), network bridge (BR1), and a set of users (USER1, USER5, USER7). Over time, relationship manager 26 may utilize information from the monitoring module 24 to implement real-time updates to the relationship maps 36. For example, if a server is added to the cloud 40, the topology 32 and associated relationship map 36 will be updated. In this manner, cloud users can be linked to components in the cloud 40, and different components can be linked.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into the combination of Balasubramanian et al. and Chen et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).

As to claim 8, Balasubramanian et al. teaches a computerized method for predicting impact on infrastructure elements based on incident ticket data, the method comprising: identifying, by an extraction component, impact data associated with at least one issue based on incident-related data obtained from a selected incident ticket, the impact data including an impact time-period (See ¶¶ [0038], [0041], [0044], Teaches that community extractor 302 uses the number of communities identified by corpus sigma calculator 300 and further extracts additional communities present in the data (e.g., from historical incident alert data 110). In some embodiments, determining an affinity score may also include determining parent and child relationships between sources of incident alerts. An incident alert submitted for a child node or network element may be caused by a problem associated with a parent node or network element. attribute strapping 308 includes attaching attributes obtained in the previous stages, including attributes from corpus sigma calculator 300, community extractor 302, semantic analyzer 304, and/or dynamic clustering 306, as well as additional attributes obtained from historical incident alert data 110 to each cluster. For example, attribute strapping 308 may include attaching information about time ranges, affinity score delta, number of sources (e.g., nodes or network elements), parent-child relationship factors, and/or resolution/close notes associated with incident alerts to each of the clusters obtained or generated by dynamic clustering 306);
generating, by a prediction component, predicted impact data including additional data describing a set of potentially impacted infrastructure elements, the set of potentially impacted infrastructure elements comprising at least one set of potentially impacted infrastructure components based on analysis of the impact data with infrastructure data and monitor data associated with a set of infrastructure components (See ¶¶ [0057], [0066], Teaches that a sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts). 
However, it does not expressly teach the set of potentially impacted infrastructure elements comprising at least one of a set of potential impacted users; and creating, by an update component, a labeled incident ticket associated with the issue, the labeled incident ticket including data that provides a solution to the issue.
Chen et al., from analogous art, teaches the set of potentially impacted infrastructure elements comprising at least one of a set of potential impacted users (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Cloud users can be linked to components in the cloud 40, and different components can be linked).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into Balasubramanian et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).
However, it does not expressly teach creating, by an update component, a labeled incident ticket associated with the issue, the labeled incident ticket including data that provides a solution to the issue.
Scachan et al., from analogous art, teaches creating, by an update component, a labeled incident ticket associated with the issue, the labeled incident ticket including data that provides a solution to the issue (See ¶¶ [0097]-[0104] and Fig. 6, Teaches that matching historical incident data may be obtained from the data store using the key phrases (for the incident under analysis) obtained at block 600. At block 604, a determination may be made as to whether historical incidents are found. At block 606, a hyperlink may be created for an incident number to browse the incident. At block 608, a confidence score of high, medium, and low may be created based on incident match percentage, for example, to the incident under analysis. At block 610, an individual incident response may be generated using the incident hyperlink, confidence score, short description, and closing notes. At block 612, the individual incident response may be added to the final incident resolution recommendation 126 response. At block 614, a determination may be made as to whether additional matching historical incidents are present. At block 616, the incident resolution recommendation 126 may be provided back to the caller (e.g., the user or another entity that requested this information). The incident resolution recommendation 126 may include relevant historical incidents determined at blocks 606-612.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Scachan et al. into the combination of Balasubramanian et al. and Chen et al. to generate an incident ticket associated with the incident, and determine support personnel selected from a plurality of support personnel to resolve the incident ticket and provide recommendations that include an incident nature recommendation, an incident resolution recommendation, and an incident knowledge base article recommendation for the selected support personnel.
One of ordinary skill in the art would have been motivated because it allows one  to generate an incident ticket associated with the incident, and determine support personnel selected from a plurality of support personnel to resolve the incident ticket and provide recommendations that include an incident nature recommendation, an incident resolution recommendation, and an incident knowledge base article recommendation for the selected support personnel (See Scachan et al. ¶ [0023]).

As to claim 10, the combination of Balasubramanian et al. and Chen et al. and Scachan et al. teaches the method according to claim 8 above. Balasubramanian et al. further teaches further comprising: training an impact model, by a ticket manager component, using training data, including the labeled incident ticket (See ¶¶ [0033], [0023] Teaches that after the rules knowledge base has been initially populated as part of training phase 200, incident avoidance system 120 may implement a reinforcement learning phase 210. Reinforcement learning phase 210 includes use of a machine learning algorithm that enables refinement and adjustment of the rules in the rules knowledge base through trial and error with feedback. For example, as described above, in some embodiments, a second subset of historical incident alert data 110 may be used by reinforcement engine module 124 to obtain positive and/or negative feedback on the rules in the rules knowledge base during reinforcement learning phase 210. In some cases, user input 212 may be received during reinforcement learning phase 210 to assist reinforcement engine module 124 with refining the rules in the rules knowledge base. User input 212 may be in the form of positive or negative feedback, as well as confirming or denying whether or not a particular incident alert is a dead-end ticket. Incident alert system 106 may be an information technology help desk or other resource for assisting users and troubleshooting system, software, and/or hardware problems within the enterprise network). 

As to claim 11, the combination of Balasubramanian et al. and Chen et al. and Scachan et al. teaches the method according to claim 8 above. Balasubramanian et al. further teaches further comprising: analyzing infrastructure data, including a set of known infrastructure components identifying at least one of hardware components and software components from the set of potentially impacted infrastructure elements; and identifying a list of potentially impacted infrastructure components unidentified in the incident ticket associated with the issue from the set of known infrastructure components (See ¶¶ [0041], [0057], [0066], Teaches that determining an affinity score may also include determining parent and child relationships between sources of incident alerts. An incident alert submitted for a child node or network element may be caused by a problem associated with a parent node or network element. For example, in an enterprise network, multiple incident alerts about problems with wireless network access submitted for different devices (i.e., child nodes) may be related to an incident alert about a problem with a wireless access point (i.e., parent node) serving those devices. In such cases, incident alerts for one or more child nodes are related to the incident alert for the parent node. As a result, a resolution of the problem associated with the incident alert for the parent node may be sufficient to resolve the problems detailed in the incident alerts for the child node or nodes. In some embodiments, determining a parent and child relationship between two or more nodes in the enterprise environment may be obtained by analyzing the relationships between the sources (i.e., nodes) included in the incident alerts in historical incident alert data 110. These parent-child relationships may then be used as part of the rules for the prescriptive avoidance rule set. A sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts). 

As to claim 12, the combination of Balasubramanian et al. and Chen et al. and Scachan et al. teaches the method according to claim 8 above. However, it does not expressly teach wherein the selected incident ticket comprises an incident ticket received from a user currently facing the at least one issue.
Scachan et al., from analogous art, wherein the selected incident ticket comprises an incident ticket received from a user currently facing the at least one issue (See ¶¶ [0056]-[057], and [0101]-[104], Teaches that the incident ticket router 112 may generate a new incident ticket. At block 210, new incidents may be analyzed, and at block 212, each time an incident ticket is created on a problem management tool, for example, Service NOW, this information may be stored in a relational database. At block 610, an individual incident response may be generated using the incident hyperlink, confidence score, short description, and closing notes. At block 612, the individual incident response may be added to the final incident resolution recommendation 126 response. At block 614, a determination may be made as to whether additional matching historical incidents are present. At block 616, the incident resolution recommendation 126 may be provided back to the caller (e.g., the user or another entity that requested this information). The incident resolution recommendation 126 may include relevant historical incidents determined at blocks 606-612.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Scachan et al. into the combination of Balasubramanian et al. and Chen et al. and Scachan et al. to generate an incident ticket associated with the incident, and determine support personnel selected from a plurality of support personnel to resolve the incident ticket and provide recommendations that include an incident nature recommendation, an incident resolution recommendation, and an incident knowledge base article recommendation for the selected support personnel.
One of ordinary skill in the art would have been motivated because it allows one  to generate an incident ticket associated with the incident, and determine support personnel selected from a plurality of support personnel to resolve the incident ticket and provide recommendations that include an incident nature recommendation, an incident resolution recommendation, and an incident knowledge base article recommendation for the selected support personnel (See Scachan et al. ¶ [0023]).

As to claim 14, the combination of Balasubramanian et al. and Chen et al. and Scachan et al. teaches the method according to claim 8 above. Balasubramanian et al. further teaches wherein the set of potentially impacted infrastructure elements comprises at least one of a set of potentially impacted infrastructure components and an updated time-period based on analysis of the impact data with infrastructure data and monitor data associated with a set of infrastructure components (See ¶¶ [0057], [0066], [0044], Teaches that a sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts. For example, attribute strapping 308 may include attaching information about time ranges, affinity score delta, number of sources (e.g., nodes or network elements), parent-child relationship factors, and/or resolution/close notes associated with incident alerts to each of the clusters obtained or generated by dynamic clustering 306.).
However, it does not expressly teach wherein the set of potentially impacted infrastructure elements comprises at least one of a set of potential impacted users.
Chen et al., from analogous art, teaches wherein the set of potentially impacted infrastructure elements comprises at least one of a set of potential impacted users (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Cloud users can be linked to components in the cloud 40, and different components can be linked).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into Balasubramanian et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).

Claims 2 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and Chen et al. (US 20180324062 A1) and Scachan et al. (US 20200293946 A1) and further in view of Cai et al. (US 20190347282 A1).

As to claim 2, the combination of Balasubramanian et al. and Chen et al. and Scachan et al. teaches the system according to claim 1 above. However, it does not expressly teach wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze, by an analysis component, the monitor data during the impact time-period or an updated impact time-period to identify a set of anomalous data utilized to generate the set of labeled incident tickets, the set of anomalous data comprising at least one of anomalous event data and anomalous metric data.
Cai et al., from analogous art, teaches wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze, by an analysis component, the monitor data during the impact time-period or an updated impact time-period to identify a set of anomalous data utilized to generate the set of labeled incident tickets, the set of anomalous data comprising at least one of anomalous event data and anomalous metric data (See ¶¶ [0150], Teaches that The visual navigator of infrastructure components allows for real-time detection and prediction of vulnerabilities. The virtual agent 180 can display condensed summaries of a large amount of data and can link the summaries to predictive models 126 and operational risk models 124 to identify risk events and provide summaries of those events.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Cai et al. into the combination of Balasubramanian et al. and Chen et al. and Scachan et al. to computationally analyze request strings in historical IT incident tickets to identify estimated recommendations representative of solutions based on the competition analysis.
One of ordinary skill in the art would have been motivated because it allows one to computationally analyze request strings in historical IT incident tickets to identify estimated recommendations representative of solutions based on the competition analysis (See Cai et al. ¶ [0065]).

As to claim 9, the combination of Balasubramanian et al. and Chen et al. and Scachan et al. teaches the method according to claim 8 above. However, it does not expressly teach further comprising: analyzing, by an analysis component, monitor data during the impact time-period or an updated time-period to identify a set of anomalous data, wherein the set of anomalous data is utilized to generate the labeled incident ticket, the set of anomalous data comprising at least one of anomalous event data and anomalous metric data.
Cai et al., from analogous art, teaches further comprising: analyzing, by an analysis component, monitor data during the impact time-period or an updated time-period to identify a set of anomalous data, wherein the set of anomalous data is utilized to generate the labeled incident ticket, the set of anomalous data comprising at least one of anomalous event data and anomalous metric data (See ¶¶ [0150], Teaches that The visual navigator of infrastructure components allows for real-time detection and prediction of vulnerabilities. The virtual agent 180 can display condensed summaries of a large amount of data and can link the summaries to predictive models 126 and operational risk models 124 to identify risk events and provide summaries of those events.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Cai et al. into the combination of Balasubramanian et al. and Chen et al. and Scachan et al. to computationally analyze request strings in historical IT incident tickets to identify estimated recommendations representative of solutions based on the competition analysis.
One of ordinary skill in the art would have been motivated because it allows one to computationally analyze request strings in historical IT incident tickets to identify estimated recommendations representative of solutions based on the competition analysis (See Cai et al. ¶ [0065]).

Claims 7 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and Chen et al. (US 20180324062 A1) and Scachan et al. (US 20200293946 A1) and further in view of Gschwind et al. (US 20130179736 A1) and Margalit et al. (US 20190036797 A1).

As to claim 7, the combination of Balasubramanian et al. and Chen et al. and Scachan et al. teaches the system according to claim 1 above. However, it does not expressly teach wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze the monitor data and the infrastructure data to determine whether to expand the impact time-period to include infrastructure components not identified in the incident ticket and impacted by the issue; and based on the determination, expand the impact time-period to include an earlier start time and later end time.
Gschwind et al., from analogous art, teaches wherein the at least one memory and the computer program code is configured to, with the at least one processor, further cause the at least one processor to: analyze the monitor data and the infrastructure data to determine whether to expand the impact time-period to include infrastructure components not identified in the incident ticket and impacted by the issue; and based on the determination, expand the impact time-period to include an earlier start time (See ¶¶ [0029]-[0030], [0042], Teaches that if it is determined that an entry exists in the problem reports table associated with the same or substantially the same problem as in the detected problem report, the time stamp on that entry is checked to determine at 212 whether the time stamp of the entry is within a sensitivity time window for ticket correlation. The sensitivity time window is a threshold specifying a time window, a time range or period. The sensitivity time window is configurable and/or programmable in one embodiment. If there is an existing entry with the same symptom recorded in the problem reports table, and its time stamp is within the sensitivity time frame, then the detected problem report is consolidated with the existing entry as shown at 214 and 216. At 214, the existing entry in the problem reports table is updated with the new time stamp (the time stamp of the detected problem report). In one embodiment, the priority of the problem report (ticket) is raised or increased to have higher priority, and the ticket having the consolidated information becomes a “master ticket” for multiple problems. In another embodiment, a new entry to the table may be added with the new ticket ID number, and containing the information about the “master ticket” with the same problem and in the sensitivity time window. Similarly, a reference to the “master ticket” may be added to all related individual tickets for reporting and customer support. In at least one problem resolution flow, when a master ticket exists, problem resolution actions will be directly attributed to master tickets, but may later be assessed to multiple underlying tickets or VMs for billing purposes. At 216, in one embodiment, information that more than one problem report associated with this particular problem is added to the “master” problem ticket and its priority is increased to escalate existing “master ticket”. In another embodiment, when a new ticket is created for every new problem report, information about previously generated “master” problem ticket is added to said newly created ticket. The problem ticket is placed into a ticket reporting and handling system. A “time stamp” can for example represent one of (but not limited to) the time the reported problem occurred (start time).).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gschwind et al. into the combination of Balasubramanian et al. and Chen et al. and Scachan et al. to consolidate problem tickets caused by the same failure in a compute environment, for instance, to save unnecessary work of system administrators.
One of ordinary skill in the art would have been motivated because it allows one to consolidate problem tickets caused by the same failure in a compute environment, for instance, to save unnecessary work of system administrators (See Gschwind et al. ¶ [0003]).
However, it does not expressly teach later end time.
Margalit et al., from analogous art, teaches later end time (See ¶ [0078] and Fig. 15, Teaches that temporal table 718 includes fields indicative of the valid time for alerts, such as a valid time start time indicative of a time at which the alert becomes valid and a valid time end time indicative of a time at which the alert ceases to be valid. In an implementation, the valid time start time for an alert can be represented by a timestamp recorded at the time the alert is identified. In an implementation, the valid time end time for the alert can be represented by a timestamp indicative of an impact calculation operation performed based on the alert. In an implementation, the valid time end time for the alert can be represented by a timestamp recorded at the time an update to or replacement for the alert is identified. For example, where the alert indicates a medium severity for a database, its valid time end time may be the time at which a new alert indicating a cleared severity for the database is identified).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Margalit et al. into the combination of Balasubramanian et al. and Chen et al. and Scachan et al. and Gschwind et al. to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time.
One of ordinary skill in the art would have been motivated because it allows one to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time (See Margalit et al. ¶ [0004]).

As to claim 13, the combination of Balasubramanian et al. and Chen et al. and Scachan et al. teaches the method according to claim 8 above. However, it does not expressly teach further comprising: analyzing monitor data and infrastructure data to determine whether to expand the impact time-period to include infrastructure components not identified in the incident ticket and impacted by the issue; and based on the determination, expanding the impact time-period to include at an earlier start time and a later end time.
Gschwind et al., from analogous art, teaches further comprising: analyzing monitor data and infrastructure data to determine whether to expand the impact time-period to include infrastructure components not identified in the incident ticket and impacted by the issue; and based on the determination, expanding the impact time-period to include at an earlier start time (See ¶¶ [0029]-[0030], [0042], Teaches that if it is determined that an entry exists in the problem reports table associated with the same or substantially the same problem as in the detected problem report, the time stamp on that entry is checked to determine at 212 whether the time stamp of the entry is within a sensitivity time window for ticket correlation. The sensitivity time window is a threshold specifying a time window, a time range or period. The sensitivity time window is configurable and/or programmable in one embodiment. If there is an existing entry with the same symptom recorded in the problem reports table, and its time stamp is within the sensitivity time frame, then the detected problem report is consolidated with the existing entry as shown at 214 and 216. At 214, the existing entry in the problem reports table is updated with the new time stamp (the time stamp of the detected problem report). In one embodiment, the priority of the problem report (ticket) is raised or increased to have higher priority, and the ticket having the consolidated information becomes a “master ticket” for multiple problems. In another embodiment, a new entry to the table may be added with the new ticket ID number, and containing the information about the “master ticket” with the same problem and in the sensitivity time window. Similarly, a reference to the “master ticket” may be added to all related individual tickets for reporting and customer support. In at least one problem resolution flow, when a master ticket exists, problem resolution actions will be directly attributed to master tickets, but may later be assessed to multiple underlying tickets or VMs for billing purposes. At 216, in one embodiment, information that more than one problem report associated with this particular problem is added to the “master” problem ticket and its priority is increased to escalate existing “master ticket”. In another embodiment, when a new ticket is created for every new problem report, information about previously generated “master” problem ticket is added to said newly created ticket. The problem ticket is placed into a ticket reporting and handling system. A “time stamp” can for example represent one of (but not limited to) the time the reported problem occurred (start time).).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gschwind et al. into the combination of Balasubramanian et al. and Chen et al. and Scachan et al. to consolidate problem tickets caused by the same failure in a compute environment, for instance, to save unnecessary work of system administrators.
One of ordinary skill in the art would have been motivated because it allows one to consolidate problem tickets caused by the same failure in a compute environment, for instance, to save unnecessary work of system administrators (See Gschwind et al. ¶ [0003]).
However, it does not expressly teach a later end time.
Margalit et al., from analogous art, teaches a later end time (See ¶ [0078] and Fig. 15, Teaches that temporal table 718 includes fields indicative of the valid time for alerts, such as a valid time start time indicative of a time at which the alert becomes valid and a valid time end time indicative of a time at which the alert ceases to be valid. In an implementation, the valid time start time for an alert can be represented by a timestamp recorded at the time the alert is identified. In an implementation, the valid time end time for the alert can be represented by a timestamp indicative of an impact calculation operation performed based on the alert. In an implementation, the valid time end time for the alert can be represented by a timestamp recorded at the time an update to or replacement for the alert is identified. For example, where the alert indicates a medium severity for a database, its valid time end time may be the time at which a new alert indicating a cleared severity for the database is identified).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Margalit et al. into the combination of Balasubramanian et al. and Chen et al. and Scachan et al. and Gschwind et al. to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time.
One of ordinary skill in the art would have been motivated because it allows one to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time (See Margalit et al. ¶ [0004]).

Claims 15 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and further in view of Chen et al. (US 20180324062 A1) and Margalit et al. (US 20190036797 A1) and Scachan et al. (US 20200293946 A1).

As to claim 15, Balasubramanian et al. teaches one or more non-transitory computer storage media having computer- executable instructions for a ticket manager component predicting impact on infrastructure elements based on incident ticket data that, upon execution by a processor, cause the processor to at least: identify, by an extraction component, impact data associated with at least one issue based on incident-related data obtained from a selected incident ticket, the impact data including an impact time-period (See ¶¶ [0038], [0041], [0044], Teaches that community extractor 302 uses the number of communities identified by corpus sigma calculator 300 and further extracts additional communities present in the data (e.g., from historical incident alert data 110). In some embodiments, determining an affinity score may also include determining parent and child relationships between sources of incident alerts. An incident alert submitted for a child node or network element may be caused by a problem associated with a parent node or network element. attribute strapping 308 includes attaching attributes obtained in the previous stages, including attributes from corpus sigma calculator 300, community extractor 302, semantic analyzer 304, and/or dynamic clustering 306, as well as additional attributes obtained from historical incident alert data 110 to each cluster. For example, attribute strapping 308 may include attaching information about time ranges, affinity score delta, number of sources (e.g., nodes or network elements), parent-child relationship factors, and/or resolution/close notes associated with incident alerts to each of the clusters obtained or generated by dynamic clustering 306);
generate, by a prediction component, predicted impact data including additional data describing a set of potentially impacted infrastructure elements, the set of potentially impacted infrastructure elements comprising at least one of a set of potentially impacted infrastructure components (See ¶¶ [0057], [0066], Teaches that a sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts). 
However, it does not expressly teach the set of potentially impacted infrastructure elements comprising at least one of a set of potential impacted users and an updated time-period based on analysis of the impact data with infrastructure data and monitor data associated with a set of infrastructure components; and create, by an update component, at least one labeled incident ticket associated with the issue, the at least one labeled incident ticket including data that provides a solution to the issue.
Chen et al., from analogous art, teaches the set of potentially impacted infrastructure elements comprising at least one of a set of potential impacted users (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Cloud users can be linked to components in the cloud 40, and different components can be linked).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into Balasubramanian et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).
However, it does not expressly teach an updated time-period based on analysis of the impact data with infrastructure data and real-time monitor data associated with a set of infrastructure components; and create, by an update component, at least one labeled incident ticket associated with the issue, the at least one labeled incident ticket including data that provides a solution to the issue.
Margalit et al., from analogous art, teaches an updated time-period based on analysis of the impact data with infrastructure data and real-time monitor data associated with a set of infrastructure components (See ¶ [0078] and Fig. 15, Teaches that temporal table 718 includes fields indicative of the valid time for alerts, such as a valid time start time indicative of a time at which the alert becomes valid and a valid time end time indicative of a time at which the alert ceases to be valid. In an implementation, the valid time start time for an alert can be represented by a timestamp recorded at the time the alert is identified. In an implementation, the valid time end time for the alert can be represented by a timestamp indicative of an impact calculation operation performed based on the alert. In an implementation, the valid time end time for the alert can be represented by a timestamp recorded at the time an update to or replacement for the alert is identified. For example, where the alert indicates a medium severity for a database, its valid time end time may be the time at which a new alert indicating a cleared severity for the database is identified).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Margalit et al. into the combination of Balasubramanian et al. and Chen et al. to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time.
One of ordinary skill in the art would have been motivated because it allows one to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time (See Margalit et al. ¶ [0004]). 
However, it does not expressly teach create, by an update component, at least one labeled incident ticket associated with the issue, the at least one labeled incident ticket including data that provides a solution to the issue.
Scachan et al., from analogous art, teaches create, by an update component, at least one labeled incident ticket associated with the issue, the at least one labeled incident ticket including data that provides a solution to the issue (See ¶¶ [0097]-[0104] and Fig. 6, Teaches that matching historical incident data may be obtained from the data store using the key phrases (for the incident under analysis) obtained at block 600. At block 604, a determination may be made as to whether historical incidents are found. At block 606, a hyperlink may be created for an incident number to browse the incident. At block 608, a confidence score of high, medium, and low may be created based on incident match percentage, for example, to the incident under analysis. At block 610, an individual incident response may be generated using the incident hyperlink, confidence score, short description, and closing notes. At block 612, the individual incident response may be added to the final incident resolution recommendation 126 response. At block 614, a determination may be made as to whether additional matching historical incidents are present. At block 616, the incident resolution recommendation 126 may be provided back to the caller (e.g., the user or another entity that requested this information). The incident resolution recommendation 126 may include relevant historical incidents determined at blocks 606-612.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Scachan et al. into the combination of Balasubramanian et al. and Chen et al. and Margalit et al. to generate an incident ticket associated with the incident, and determine support personnel selected from a plurality of support personnel to resolve the incident ticket and provide recommendations that include an incident nature recommendation, an incident resolution recommendation, and an incident knowledge base article recommendation for the selected support personnel.
One of ordinary skill in the art would have been motivated because it allows one  to generate an incident ticket associated with the incident, and determine support personnel selected from a plurality of support personnel to resolve the incident ticket and provide recommendations that include an incident nature recommendation, an incident resolution recommendation, and an incident knowledge base article recommendation for the selected support personnel (See Scachan et al. ¶ [0023]).

As to claim 17, the combination of Balasubramanian et al. and Chen et al. and Margalit et al. and Scachan et al. teaches the one or more non-transitory computer storage media according to claim 15 above. Balasubramanian et al. further teaches wherein the ticket manager component further comprises an impact model utilizing machine learning, wherein the computer-executable instructions, upon execution by a processor, further cause the processor to at least: train the impact model using training data, including the at least one labeled incident ticket (See ¶ [0033], Teaches that after the rules knowledge base has been initially populated as part of training phase 200, incident avoidance system 120 may implement a reinforcement learning phase 210. Reinforcement learning phase 210 includes use of a machine learning algorithm that enables refinement and adjustment of the rules in the rules knowledge base through trial and error with feedback. For example, as described above, in some embodiments, a second subset of historical incident alert data 110 may be used by reinforcement engine module 124 to obtain positive and/or negative feedback on the rules in the rules knowledge base during reinforcement learning phase 210. In some cases, user input 212 may be received during reinforcement learning phase 210 to assist reinforcement engine module 124 with refining the rules in the rules knowledge base. User input 212 may be in the form of positive or negative feedback, as well as confirming or denying whether or not a particular incident alert is a dead-end ticket). 

As to claim 18, the combination of Balasubramanian et al. and Chen et al. and Margalit et al. and Scachan et al. teaches the one or more non-transitory computer storage media according to claim 15 above. Balasubramanian et al. further teaches wherein the computer- executable instructions, upon execution by a processor, further cause the processor to at least: analyze the infrastructure data, including a set of known infrastructure components identifying at least one of hardware components and software components from the set of potentially impacted infrastructure elements; and identify a list of potentially impacted infrastructure components unidentified in the incident ticket associated with the issue from the set of known infrastructure components (See ¶¶ [0041], [0057], [0066], Teaches that determining an affinity score may also include determining parent and child relationships between sources of incident alerts. An incident alert submitted for a child node or network element may be caused by a problem associated with a parent node or network element. For example, in an enterprise network, multiple incident alerts about problems with wireless network access submitted for different devices (i.e., child nodes) may be related to an incident alert about a problem with a wireless access point (i.e., parent node) serving those devices. In such cases, incident alerts for one or more child nodes are related to the incident alert for the parent node. As a result, a resolution of the problem associated with the incident alert for the parent node may be sufficient to resolve the problems detailed in the incident alerts for the child node or nodes. In some embodiments, determining a parent and child relationship between two or more nodes in the enterprise environment may be obtained by analyzing the relationships between the sources (i.e., nodes) included in the incident alerts in historical incident alert data 110. These parent-child relationships may then be used as part of the rules for the prescriptive avoidance rule set. A sequencer 312 is configured to identify the relationship sequence between cause and effect for incident alerts to predict which incident alert has to be acted upon before another incident alert. For example, a single cause of a problem in the infrastructure space of an enterprise environment can lead to many effects and, therefore, many incident alerts. Sequencer 312 may use information associated with incident alerts, including, but not limited to: category, time, source of the incident, incident location, description, parent/child relationship, assignment groups, etc., to determine an order for acting upon incident alerts). 

As to claim 19, the combination of Balasubramanian et al. and Chen et al. and Margalit et al. and Scachan et al. teaches the one or more non-transitory computer storage media according to claim 15 above. However, it does not expressly teach wherein the computer- executable instructions, upon execution by a processor, further cause the processor to at least: analyze the infrastructure data, including a set of known users associated with at least one infrastructure component from the set of potentially impacted infrastructure elements; and identify a list of additional potentially impacted users unidentified in the incident ticket associated with the issue from the set of known users potentially impacted by the issue.
Chen et al., from analogous art, teaches wherein the computer- executable instructions, upon execution by a processor, further cause the processor to at least: analyze the infrastructure data, including a set of known users associated with at least one infrastructure component from the set of potentially impacted infrastructure elements; and identify a list of additional potentially impacted users unidentified in the incident ticket associated with the issue from the set of known users potentially impacted by the issue (See ¶¶ [0035], [0031], Teaches that all impacted entities (e.g., users, admins, technicians, etc.) are determined based on relationship maps 36 at S7, and at S8 the impacted entities are notified. Relationship manager 26 (FIG. 1) has two primary functions, to generate and maintain relationship maps 36 and to implement a correlation engine. Relationship maps 36 link objects within the topology, such as relationships between VMs, users, hardware, services, etc. The relationship maps 36 map be generated based on the topology 32, VM data, user data, etc. For example, illustrative maps may determine which VMs are associated with which hosts, which VMs are associated with which network bridges, which VMs are associated with which users, etc. For example, a first VM (VM1) may have relationships with a host (HOST2), network bridge (BR1), and a set of users (USER1, USER5, USER7). Over time, relationship manager 26 may utilize information from the monitoring module 24 to implement real-time updates to the relationship maps 36. For example, if a server is added to the cloud 40, the topology 32 and associated relationship map 36 will be updated. In this manner, cloud users can be linked to components in the cloud 40, and different components can be linked.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chen et al. into the combination of Balasubramanian et al. and Chen et al. and Margalit et al. and Scachan et al. to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents.
One of ordinary skill in the art would have been motivated because it allows one  to efficiently identify and notify relevant users and responsible administrators of cloud-based incidents (See Chen et al. ¶ [0001]).

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and further in view of Chen et al. (US 20180324062 A1) and Margalit et al. (US 20190036797 A1) and Scachan et al. (US 20200293946 A1) and further in view of Cai et al. (US 20190347282 A1).

As to claim 16, the combination of Balasubramanian et al. and Chen et al. and Margalit et al. and Scachan et al. teaches the one or more non-transitory computer storage media according to claim 15 above. However, it does not expressly teach wherein the computer- executable instructions, upon execution by a processor, further cause the processor to at least: analyze, by an analysis component, the monitor data during the updated time-period to identify a set of anomalous data, wherein the set of anomalous data is utilized to generate the at least one labeled incident ticket, wherein the set of anomalous data comprises at least one of anomalous event data and anomalous metric data.
Cai et al., from analogous art, teaches wherein the computer- executable instructions, upon execution by a processor, further cause the processor to at least: analyze, by an analysis component, the monitor data during the updated time-period to identify a set of anomalous data, wherein the set of anomalous data is utilized to generate the at least one labeled incident ticket, wherein the set of anomalous data comprises at least one of anomalous event data and anomalous metric data (See ¶¶ [0150], Teaches that The visual navigator of infrastructure components allows for real-time detection and prediction of vulnerabilities. The virtual agent 180 can display condensed summaries of a large amount of data and can link the summaries to predictive models 126 and operational risk models 124 to identify risk events and provide summaries of those events.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Balasubramanian et al. and Chen et al. and Margalit et al. and Scachan et al. to computationally analyze request strings in historical IT incident tickets to identify estimated recommendations representative of solutions based on the competition analysis.
One of ordinary skill in the art would have been motivated because it allows one to computationally analyze request strings in historical IT incident tickets to identify estimated recommendations representative of solutions based on the competition analysis (See Cai et al. ¶ [0065]).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al. (US 20200285697 A1) and Chen et al. (US 20180324062 A1) and Margalit et al. (US 20190036797 A1) and Scachan et al. (US 20200293946 A1)and further in view of Gschwind et al. (US 20130179736 A1).

As to claim 20, the combination of Balasubramanian et al. and Chen et al. and Margalit et al. and Scachan et al. teaches the one or more non-transitory computer storage media according to claim 15 above. However, it does not expressly teach wherein the computer-executable instructions, upon execution by a processor, further cause the processor to at least: analyze the monitor data and the infrastructure data to determine whether to expand the impact time-period to include infrastructure components not identified in the incident ticket and impacted by the issue, and based on the determination, generating the expanded time-period that includes an earlier start time and a later end time.
Gschwind et al., from analogous art, teaches wherein the computer-executable instructions, upon execution by a processor, further cause the processor to at least: analyze the monitor data and the infrastructure data to determine whether to expand the impact time-period to include infrastructure components not identified in the incident ticket and impacted by the issue, and based on the determination, generating the expanded time-period that includes an earlier start time (See ¶¶ [0029]-[0030], [0042], Teaches that if it is determined that an entry exists in the problem reports table associated with the same or substantially the same problem as in the detected problem report, the time stamp on that entry is checked to determine at 212 whether the time stamp of the entry is within a sensitivity time window for ticket correlation. The sensitivity time window is a threshold specifying a time window, a time range or period. The sensitivity time window is configurable and/or programmable in one embodiment. If there is an existing entry with the same symptom recorded in the problem reports table, and its time stamp is within the sensitivity time frame, then the detected problem report is consolidated with the existing entry as shown at 214 and 216. At 214, the existing entry in the problem reports table is updated with the new time stamp (the time stamp of the detected problem report). In one embodiment, the priority of the problem report (ticket) is raised or increased to have higher priority, and the ticket having the consolidated information becomes a “master ticket” for multiple problems. In another embodiment, a new entry to the table may be added with the new ticket ID number, and containing the information about the “master ticket” with the same problem and in the sensitivity time window. Similarly, a reference to the “master ticket” may be added to all related individual tickets for reporting and customer support. In at least one problem resolution flow, when a master ticket exists, problem resolution actions will be directly attributed to master tickets, but may later be assessed to multiple underlying tickets or VMs for billing purposes. At 216, in one embodiment, information that more than one problem report associated with this particular problem is added to the “master” problem ticket and its priority is increased to escalate existing “master ticket”. In another embodiment, when a new ticket is created for every new problem report, information about previously generated “master” problem ticket is added to said newly created ticket. The problem ticket is placed into a ticket reporting and handling system. A “time stamp” can for example represent one of (but not limited to) the time the reported problem occurred (start time).).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gschwind et al. into the combination of Balasubramanian et al. and Chen et al. and Margalit et al. and Scachan et al. to consolidate problem tickets caused by the same failure in a compute environment, for instance, to save unnecessary work of system administrators.
One of ordinary skill in the art would have been motivated because it allows one to consolidate problem tickets caused by the same failure in a compute environment, for instance, to save unnecessary work of system administrators (See Gschwind et al. ¶ [0003]).
However, it does not expressly teach a later end time.
Margalit et al., from analogous art, teaches a later end time (See ¶ [0078] and Fig. 15, Teaches that temporal table 718 includes fields indicative of the valid time for alerts, such as a valid time start time indicative of a time at which the alert becomes valid and a valid time end time indicative of a time at which the alert ceases to be valid. In an implementation, the valid time start time for an alert can be represented by a timestamp recorded at the time the alert is identified. In an implementation, the valid time end time for the alert can be represented by a timestamp indicative of an impact calculation operation performed based on the alert. In an implementation, the valid time end time for the alert can be represented by a timestamp recorded at the time an update to or replacement for the alert is identified. For example, where the alert indicates a medium severity for a database, its valid time end time may be the time at which a new alert indicating a cleared severity for the database is identified).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Margalit et al. into the combination of Balasubramanian et al. and Chen et al. and Margalit et al. and Scachan et al. and Gschwind et al. to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time.
One of ordinary skill in the art would have been motivated because it allows one to identify alerts, each alert having a timestamp indicative of a first time at which it was identified, perform an impact calculation to generate the impact data based on alerts valid as of a second time proximate to an impact calculation start time, and generate the graphical display region including impact data valid as of a display time and alert data indicative of the alerts valid as of the second time (See Margalit et al. ¶ [0004]).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to James R Hollister whose telephone number is (571)270-3152. The examiner can normally be reached Mon - Fri 7:30 am - 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on (571) 270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





James Hollister
/J.R.H./Examiner, Art Unit 2456                                                                                                                                                                                                        11/10/22

/UMAR CHEEMA/Supervisory Patent Examiner, Art Unit 2456