DETAILED ACTION
This office action is in reply to applicant communication filed on October 03, 2022.
 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claims 1-20 have been amended.
Claims 1-20 are pending. 

Response to Argument
Applicant’s arguments filed on October 03, 2022 with respect to the 35 USC 102/103 rejections of independent claims have been fully considered but are moot in view of new ground(s) of rejection.

Applicant’s arguments filed on October 03, 2022 with respect to the double patenting rejection have been fully considered and withdrawn in view of the terminal disclaimer filed and approved by the office.

Applicant’s argues that the prior arts on record, Dickgiesser (US Pub. No. 2012/0110330), fails to teach the limitation of independent claims, “… determining, prior to execution of the course of action by the incident service computing system, that execution of a step of the course of action requires user of credentials; and obtaining the credentials prior to execution of the course of action”. Examiner respectfully disagrees.

A review of the prior arts of the record (Dickgiesser), corresponding to the above argued claim limitation reveals that the argued limitation is disclosed by Dickgiesser’s reference as, (paragraph 26 of Dickgiesser, the help desk application 204 (i.e., the claimed incident service computing system) receives and saves 212 the incident, such as in a database. The help desk application then processes 214 reported 210 incident. In some embodiments, the processing 214 may include workflow routing of the request to initial support personnel that may attempt to resolve the reported incident through use of an existing knowledge base and diagnostic processes and resource … when the processing 214 fails to resolve the incident, the method 200 may forward the incident to another support resource with at least one of advanced knowledge, experience, help desk access credentials, and assigned responsibility for reproducing reported 210 incidents in customer applications. In such instances, the support resource or an automated process, in some embodiments, will generate and submit 216 a credentials request over the network 206 to the customer application 202 (i.e., the claimed determining that a particular step associated with a credential requirement prior to execution of the particular step)) and (paragraph 32 of Dickgiesser, the support resource may then utilize the credentials to process 228 the incident. Processing 228 of the reported 210 incident typically includes logging into the customer application 202 over the network 206 and reproducing the reported 210 incidents. The support resource may then determine how to best resolve the incident 230 and provide input indicating as such to the help desk application 204. The help desk application 204 may then report 232 the incident as resolved to the customer application 202). 

Examiner would point out that the claimed “determining, prior to execution of the course of action by the incident service computing system, that execution of a step of the course of action requires user of credentials” is disclosed by Dickgiesser’s reference as, (paragraph 26 of Dickgiesser, … the processing 214 may include workflow routing of the request to initial support personnel that may attempt to resolve the reported incident through use of an existing knowledge base and diagnostic processes and resource … when the processing 214 fails to resolve the incident, the method 200 may forward the incident to another support resource with at least one of advanced knowledge, experience, help desk access credentials, and assigned responsibility for reproducing reported 210 incidents in customer applications). At the process 214 of Dickgiesser, the initial support personnel may attempt to resolve the reported incident using the existing knowledge base and diagnostic process and resource. This is not the process of resolving the incidents (i.e., Course of Action). According to Dickgiesser, resolving the incidents happens at the step 228, which is after requesting and receiving the credentials from customer application. Also, Dickgiesser disclosed the claimed “obtaining the credentials prior to execution of the course of action” in step 226 of fig. 2.

Applicant’s argues that the prior arts on record fails to teach the amended limitation of the independent claims, “…. Wherein the course of action is identified from a plurality of course of action”. However, upon further consideration a new ground(s) of rejection is made using newly discovered prior art to Mayer (US 8,132,260).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 4-11, and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over Dickgiesser (US Pub. No. 2012/0110330) in view of Mayer (US 8,132,260).

	As per claim 1 Dickgiesser discloses:
A computer-implemented method performed by an incident service computing system, the method comprising: obtaining, by the incident service computing system, an indication of an incident in an information technology (IT) environment; (paragraph 25 of Dickgiesser, the method 200 begins in the customer application by the reporting 210 of an incident over the network 206 to the help desk application 204).
Identifying a course of action to respond to the incident; (paragraph 26 of Dickgiesser, the help desk application then processes 214 reported 210 incident. In some embodiments, the processing 214 may include workflow routing of the request to initial support personnel that may attempt to resolve the reported incident through use of an existing knowledge base and diagnostic processes and resource).
Determining, prior to execution of the course of action by the incident service computing system, that execution of a step of the course of action requires use of credentials; (paragraph 27 of Dickgiesser, in embodiments where the support resource generates and submits 216 the credentials request to the customer application 202, the remote resource may fill out a form presented on a display device of a computing device, such as a personal computer, tablet computer, smart phone, or other device).
Obtaining the credentials prior to execution of the course of action; (paragraph 32 of Dickgiesser, the credentials, after being sent 224, are received 226 at the help desk application 204).
Executing the course of action to remediate the incident, wherein executing the course of action comprises using the credentials to perform an operation associated with the step upon encountering the step. (Paragraph 321 of Dickgiesser, the support resource may then utilize the credentials to process 228 the incident. Processing 228 of the reported 210 incident typically includes logging into the customer application 202 over the network 206 and reproducing the reported 210 incident. The support resource may then determine how to best resolve the incident 230 and provide input indicating as such to the help desk application 204. The help desk application 204 may then report 232 the incident as resolved to the customer application 202).
Dickgiesser teaches the method of identifying a course of action to respond to the incident (see paragraph 26 of Dickgiesser) but fails to disclose:
Wherein the course of action is identified from a plurality of course of action.
However, in the same field of endeavor, Mayer teaches this limitation as, (column 3, line 50-65 of Mayer, A computer program product may include code that directs the computer system to receive a network topology for at least a portion of the network, wherein the network indicates a first server location and a threat server at a threat server location in the network, code that directs the computer system to determine a security risk value associated with the first host location with respect to the vulnerability in response to the plurality of vulnerability attributes, and code that directs the computer system to determine a plurality of remediation actions in response to the vulnerability, wherein the plurality of remediation actions comprise a first remediation action and a second remediation action).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Dickgiesser and include the above limitation using the teaching of Mayer in order to enhance the security of computing system and resolve the network incident based on the type of vulnerability/incident (see claim 9 of Mayer).

Claims 11 and 17 are rejected under the same reason set forth in rejection of claim 1:

As per claim 4 Dickgiesser discloses:
The computer-implemented method of claim 1, wherein determining that execution of the step of the course of action requires use of credentials is based on at least one of: a threat level associated with the IT environment, a criticality rating of a computing asset affected by the step of the course of action, or determining whether execution of the course of action will include execution of the step. (paragraph 26 of Dickgiesser, when the processing 214 fails to resolve the incident, the method 200 may forward the incident to another support resource with at least one of advanced knowledge, experience, help desk access credentials, and assigned responsibility for reproducing reported 210 incidents in customer applications. In such instances, the support resource or an automated process, in some embodiments, will generate and submit 216 a credentials request over the network 206 to the customer application 202),

Claims 14 and 18 are rejected under the same reason set forth in rejection of claim 4:

As per claim 5 Dickgiesser discloses:
The computer-implemented method of claim 1, wherein the credentials include at least one of: a username, a password, or an access key. (Paragraph 12 of Dickgiesser, to login to the customer software instance, the support resource typically needs login credentials. To obtain the login credentials, the support resource may submit a request to the customer software instance or associated credentialing processes, such as over a network. The request in some embodiments may be sent as a chat or other text-based message).

As per claim 6 Dickgiesser discloses:
The computer-implemented method of claim 1, wherein the credentials are used to authenticate a user at a computing asset in the IT environment or authorize an action to be performed at the computing asset in the IT environment. (Paragraph 12 of Dickgiesser, to login to the customer software instance, the support resource typically needs login credentials. To obtain the login credentials, the support resource may submit a request to the customer software instance or associated credentialing processes, such as over a network. The request in some embodiments may be sent as a chat or other text-based message).

As per claim 7 Dickgiesser discloses:
The computer-implemented method of claim 1, wherein the credentials are used to authenticate a user at a service external to the incident service or authorize an action to be performed by the service external to the incident service. (Paragraph 12 of Dickgiesser, to login to the customer software instance, the support resource typically needs login credentials. To obtain the login credentials, the support resource may submit a request to the customer software instance or associated credentialing processes, such as over a network. The request in some embodiments may be sent as a chat or other text-based message).

As per claim 8 Dickgiesser discloses:
The computer-implemented method of claim 1, wherein the credentials are used to authenticate a user at the incident service or authorize execution of the course of action by the incident service. (Paragraph 12 of Dickgiesser, to login to the customer software instance, the support resource typically needs login credentials. To obtain the login credentials, the support resource may submit a request to the customer software instance or associated credentialing processes, such as over a network. The request in some embodiments may be sent as a chat or other text-based message).

As per claim 9 Dickgiesser discloses:
The computer-implemented method of claim 1, further comprising: storing the credentials in a data store; and using the credentials stored in the data store for a subsequent execution of the course of action. (Paragraph 50 of Dickgiesser, the encrypted credentials may be sent in an XML container that is received and stored in the second computing environment without revealing the credentials to any users. The credentials in such embodiments may be stored in secure database tables, objects, or other data storage containers. The secure database tables, objects, or other data storage containers may store the credentials in an encrypted form. Regardless of the particular secure data storage container in such embodiments, the particular administrative user that is to utilize the credentials may select, within the second computing environment, a user interface element to access the first computing environment without having to manually provide user credentials. The credentials will then be retrieved by a process within the second computing environment, be decrypted, and provided to the first computing environment to log the particular administrative user into the first computing environment to analyze and resolve the incident).

As per claim 10 Dickgiesser discloses:
The computer-implemented method of claim 1, further comprising: determining that the credentials are not stored in a data store that stores credentials; obtaining the credentials in part by generating a request to obtain the credentials from a user; and storing the credentials in the data store that stores credentials. (Paragraph 49 of Dickgiesser, the received 502 credentials request includes an identifier of a user within the second computing environment that submitted the credentials request. In another embodiment of the method 500, receiving 500 the credentials request from the second computing environment includes receiving a user identifier of a first computing environment user that submitted the incident to the second computing environment).

Claims 16 and 20 are rejected under the same reason set forth in rejection of claim 10:

As per claim 15 Dickgiesser discloses:
The system of claim 11, wherein the credentials are used to authenticate a user or authorize one or more of an action to be performed at a computing asset in the IT environment, an action to be performed by a service external to the incident service, or the execution of the course of action by the incident service. (Paragraph 12 of Dickgiesser, to login to the customer software instance, the support resource typically needs login credentials. To obtain the login credentials, the support resource may submit a request to the customer software instance or associated credentialing processes, such as over a network. The request in some embodiments may be sent as a chat or other text-based message) and (see fig. 2 of Dickgiesser)

Claim 19 is rejected under the same reason set forth in rejection of claim 15:

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Dickgiesser (US Pub. No. 2012/0110330) in view of Satish (US Pub. No. 2016/0164909).

As per claim 2:
Dickgiesser teaches the method of requesting a credential for remout incident support of a computer applications (see abstract of Dickgiesser) but fails to disclose:
The computer-implemented method of claim 1, wherein identifying the course of action comprises receiving user input selecting the course of action.
However, in the same field of endeavor, Satish teaches this limitation as, (paragraph 43 of Satish, advisement system 530 identifies and implements actions against old incidents 521-522 that are identified within the computing environment. These actions may include default actions that are identified based on the enrichment information and a rule set for the incident, or may include user defined actions that were implemented based on user selected actions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Dickgiesser and include the above limitation using the teaching of Satish in order to resolve the network incident based on the user preference of resolving the incident (see paragraph 43 of Satish).

Claim 12 is rejected under the same reason set forth in rejection of claim 2:

Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Dickgiesser (US Pub. No. 2012/0110330) in view of Dicato (US Pub. No. 2015/0007250).

As per claim 3:
Dickgiesser teaches the method of requesting a credential for remote incident support of a computer applications (see abstract of Dickgiesser) but fails to disclose:
The computer-implemented method of claim 1, wherein identifying the course of action comprises automatically selecting the course of action based on one or more characteristics of the incident.
However, in the same field of endeavor, Dicato teaches this limitation as, (paragraph 23 of Dicato, a network defender has the ability to learn from the characteristics of the malware and the behavior of adversary 130 in order to produce improved operational response to adversarial actions in real-time).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Dickgiesser and include the above limitation using the teaching of Dicato in order to learn the characteristics of the incident and response to the incident in a real-time (see paragraph 23 of Dicato).

Claim 13 is rejected under the same reason set forth in rejection of claim 3: 

Conclusion
The prior art made or record and not relied upon is considered pertinent to applicant’s disclosure is Jakobsson (US Pub. No. 2014/0047544). Jakobsson discloses the methods and systems for detecting malware on a plurality of networked unit from a server-side system. 

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434