nexpose_ticketing 0.3.1 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5d263b9bebd36736baf337638d239978dfeccaa0
-  data.tar.gz: 696d970f7f45d6ab028eea7220d845f664accfb8
+  metadata.gz: d994e0ee3fa0a54776a378818816102c883e7e91
+  data.tar.gz: 89ee1701ef6ecbeaab92bcecc45ac3b8c06f2831
 SHA512:
-  metadata.gz: a4759ef9ceb9ab0ad2c8a98f4c3ab42aa138f26514f9ef30fd7bff14c66a8c58715858ae4979b256f96099ed0b997adfc1dfa0d88e0c160ece6c1c653a2ef805
-  data.tar.gz: faf6ca1aa7155c2edfd9477ef0ac9b9496758e743c1d85e22862fd6cedd703743587e61da38fecd35b981e9ff82e870fa2aa147016cdb6b22bf228cee668f752
+  metadata.gz: ebc7223e2c01f5b55ddc5e4c163439fdd1225ba9f90a25c45801dbc3e765c0f84cfde9ca4ae8cbe869056df07a864311a70cb9dc5d18c07cb4d9430add4d093c
+  data.tar.gz: 09aae916d5a73cf2fcf11cc9db9551773d28f3eeac6fe2bc563bae3e8f17184aa0321d9d2b0e45c9f7b7657cf56b09b1896b59c740d4e6d1fcc30ef96e557750

data/bin/nexpose_servicedesk

@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+require 'yaml'
+require 'nexpose_ticketing'
+
+# Path to ServiceNow configuration file
+SERVICEDESK_CONFIG_PATH = File.join(File.dirname(__FILE__),
+                                   '../lib/nexpose_ticketing/config/servicedesk.config')
+
+# Read in ServiceDesk options from servicenow.config
+servicedesk_options = begin
+  YAML.load_file(SERVICEDESK_CONFIG_PATH)
+rescue ArgumentError => e
+  raise "Could not parse YAML #{SERVICEDESK_CONFIG_PATH} : #{e.message}"
+end
+
+# Initialize Nexpose Ticket Service using ServiceDesk
+NexposeTicketing.start(servicedesk_options)

data/lib/nexpose_ticketing/config/servicedesk.config

@@ -0,0 +1,19 @@
+---
+# This configuration file defines all the options necessary to support the helper.
+# Fields marked (M) are mandatory.
+#
+
+# (M) Helper class name
+:helper_name: ServiceDeskHelper
+
+# (M) REST Enpoint on the ServiceDesk instance
+:rest_uri: https://uritoservicedesk:8080/sdpapi/request
+# (M) API Key to access the ServiceDesk instance
+:api_key: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
+# (M) local ticket database path
+:ticket_db_path: /var/lib/gems/1.9.1/gems/nexpose_ticketing-0.2.3.jh/lib/nexpose_ticketing/log/servicedesk_ticketdb
+
+# (M) ServiceDesk requestor name
+:requester: nexpose
+# (M) SerivceDesk incident group
+:group: Network

data/lib/nexpose_ticketing/config/servicenow.config

@@ -7,7 +7,7 @@
 :helper_name: ServiceNowHelper
 
 # (M) ServiceNow url (currently requires using JSON)
-:servicenow_url: https://your.service-now.com/incident.do?JSON
+:servicenow_url: https://your.service-now.com/u_rpd_vulnerabilities.do?JSON
 # (M) Username for ServiceNow
 :username: admin
 # (M) Password for above username

data/lib/nexpose_ticketing/config/ticket_service.config

@@ -8,23 +8,33 @@
   :logging_enabled: true
   # Filters the reports to specific sites one per line, leave empty for no site.
   :sites:
-  - '7'
+  - '1'
   # Minimum floor severity to report on. Number between 0 and 10.
   :severity: 8
-  # (M) Name of the report historial file saved in disk.
+  # (M) Name of the report historical file saved in disk.
   :file_name: last_scan_data.csv
   # (M) Defines the ticket creation mode:
-  #   'D' Default IP *-* Vulnerability
-  #   'I' IP address -* Vulnerability
+  # 'D' Default IP *-* Vulnerability
+  # 'I' IP address -* Vulnerability
+  # 'V' Vulnerability -* IP Address (Remedy helper only)
   :ticket_mode: I
   # Timeout in seconds. The number of seconds the GEM waits for a response from Nexpose before exiting.
   :timeout: 10800
   # Ticket batching. Breaks ticket processing into groups of value size controlling resource utilisation of both systems.
   :batch_size: 300
+  # (M) For 'I' & 'V' mode. Set to 'Y' for tickets that have been fixed to be closed after update, set to 'N' for ticket to be left
+  # open for a user to manually close or change the status.
+  :close_old_tickets_on_update: Y
+  # A comma separated list of tags to scope what gets ticketed
+  :tags:
+  # A comma separated list of vulnerability categories to include
+  :vulnerabilityCategories:
+  # The asset minimum risk score to open tickets for
+  :riskScore:
 # Nexpose options.
 :nexpose_data:
   # (M) Nexpose console hostname.
-  :nxconsole: your_nexpose_install
+  :nxconsole: 127.0.0.1 
   # (M) Nexpose username.
   :nxuser: nxadmin
   # (M) Nexpose password.

data/lib/nexpose_ticketing/helpers/jira_helper.rb

@@ -33,22 +33,22 @@ class JiraHelper
   end
 
   # Prepares tickets from the CSV.
-  def prepare_create_tickets(vulnerability_list)
+  def prepare_create_tickets(vulnerability_list, site_id)
     @ticket = Hash.new(-1)
     case @options[:ticket_mode]
     # 'D' Default IP *-* Vulnerability
     when 'D'
-      prepare_tickets_default(vulnerability_list)
+      prepare_tickets_default(vulnerability_list, site_id)
     # 'I' IP address -* Vulnerability
     when 'I'
-      prepare_tickets_by_ip(vulnerability_list)
+      prepare_tickets_by_ip(vulnerability_list, site_id)
     else
         fail 'No ticketing mode selected.'
     end
   end
 
   # Prepares and creates tickets in default mode.
-  def prepare_tickets_default(vulnerability_list)
+  def prepare_tickets_default(vulnerability_list, site_id)
     tickets = []
     CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|
       # JiraHelper doesn't like new line characters in their summaries.
@@ -69,7 +69,7 @@ class JiraHelper
   end
 
   # Prepares and creates tickets in IP mode.
-  def prepare_tickets_by_ip(vulnerability_list)
+  def prepare_tickets_by_ip(vulnerability_list, site_id)
     tickets = []
     current_ip = -1
     CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|

data/lib/nexpose_ticketing/helpers/remedy_helper.rb

@@ -154,7 +154,7 @@ class RemedyHelper
   end
 
   # Prepare tickets from the CSV of vulnerabilities exported from Nexpose. This method determines 
-  # how to prepare the tickets (either by default or by IP address) based on config options.
+  # how to prepare the tickets (by default, by IP address or by vulnerability) based on config options.
   #
   # * *Args*    :
   #   - +vulnerability_list+ -  CSV of vulnerabilities within Nexpose.
@@ -162,19 +162,45 @@ class RemedyHelper
   # * *Returns* :
   #   - List of savon-formated (hash) tickets for creating within Remedy.
   #
-  def prepare_create_tickets(vulnerability_list)
+  def prepare_create_tickets(vulnerability_list, site_id)
     @ticket = Hash.new(-1)
     case @options[:ticket_mode]
     # 'D' Default mode: IP *-* Vulnerability
     when 'D'
-      prepare_create_tickets_default(vulnerability_list)
+      prepare_create_tickets_default(vulnerability_list, site_id)
     # 'I' IP address mode: IP address -* Vulnerability
     when 'I'
-      prepare_create_tickets_by_ip(vulnerability_list)
+      prepare_create_tickets_by_ip(vulnerability_list, site_id)
+    # 'V' Vulnerability mode: Vulnerability -* IP address
+    when 'V'
+      prepare_create_tickets_by_vulnerability(vulnerability_list, site_id)
     else
       fail 'No ticketing mode selected.'
     end
   end
+
+  # Prepare to update tickets from the CSV of vulnerabilities exported from Nexpose. This method determines
+  # how to prepare the tickets for update (by IP address or by vulnerability) based on config options.
+  #
+  # * *Args*    :
+  #   - +vulnerability_list+ -  CSV of vulnerabilities within Nexpose.
+  #
+  # * *Returns* :
+  #   - List of savon-formated (hash) tickets for creating within Remedy.
+  #
+  def prepare_update_tickets(vulnerability_list, site_id)
+    @ticket = Hash.new(-1)
+    case @options[:ticket_mode]
+      # 'I' IP address mode: IP address -* Vulnerability
+      when 'I'
+        prepare_update_tickets_by_ip(vulnerability_list, site_id)
+      # 'V' Vulnerability mode: Vulnerability -* IP address
+      when 'V'
+        prepare_update_tickets_by_vulnerability(vulnerability_list, site_id)
+      else
+        fail 'No ticketing mode selected.'
+    end
+  end
   
   # Prepares a list of vulnerabilities into a list of savon-formatted tickets (incidents) for 
   # Remedy. The preparation by default means that each vulnerability within Nexpose is a 
@@ -187,7 +213,7 @@ class RemedyHelper
   # * *Returns* :
   #   - List of savon-formated (hash) tickets for creating within Remedy.
   #
-  def prepare_create_tickets_default(vulnerability_list)
+  def prepare_create_tickets_default(vulnerability_list, site_id)
     @log.log_message("Preparing tickets by default method.")
     tickets = []
     CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|
@@ -203,7 +229,7 @@ class RemedyHelper
         'Action' => 'CREATE',
         'Summary' => "#{row['ip_address']} => #{row['summary']}",
         'Notes' => "Summary: #{row['summary']} \n\nFix: #{row['fix']} \n\nURL: #{row['url']}
-                    \n\nNXID: #{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}",                              
+                    \n\nNXID: #{site_id}#{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}",
         'Urgency' => '1-Critical'
       }
       tickets.push(ticket)
@@ -222,14 +248,14 @@ class RemedyHelper
   # * *Returns* :
   #   - List of savon-formated (hash) tickets for creating within Remedy.
   #
-  def prepare_create_tickets_by_ip(vulnerability_list)
-    @log.log_message("Preparing tickets by IP address.")
+  def prepare_create_tickets_by_ip(vulnerability_list, site_id)
+    @log.log_message('Preparing tickets by IP address.')
     tickets = []
     current_ip = -1
     CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|
       if current_ip == -1 
         current_ip = row['ip_address']
-        @log.log_message("Creating ticket with IP address: #{row['ip_address']}")
+        @log.log_message("Creating ticket with IP address: #{row['ip_address']}, Asset ID:  #{row['asset_id']} and Site ID: #{site_id}")
         @ticket = {
           'First_Name' => "#{@remedy_data[:first_name]}",
           'Impact' => '1-Extensive/Widespread',
@@ -253,18 +279,130 @@ class RemedyHelper
       end
       unless current_ip == row['ip_address']
         # NXID in the work_notes is the unique identifier used to query incidents to update them.
-        @ticket['Notes'] += "\n\nNXID: #{current_ip}"
+        @ticket['Notes'] += "\n\nNXID: #{site_id}#{current_ip}"
         tickets.push(@ticket)
         current_ip = -1
         redo
       end
     end
     # NXID in the work_notes is the unique identifier used to query incidents to update them.
-    @ticket['Notes'] += "\n\nNXID: #{current_ip}"
+    @ticket['Notes'] += "\n\nNXID: #{site_id}#{current_ip}"
     tickets.push(@ticket) unless @ticket.nil?
     tickets
   end
-  
+
+
+  # Prepares a list of vulnerabilities into a list of savon-formatted tickets (incidents) for
+  # Remedy. The preparation by vulnerability means that all IP addresses within Nexpose for one vulnerability
+  # are consolidated into a single Remedy incident. This reduces the number of incidents
+  # within ServiceNow but greatly increases the size of the work notes.
+  #
+  # * *Args*    :
+  #   - +vulnerability_list+ -  CSV of vulnerabilities within Nexpose.
+  #
+  # * *Returns* :
+  #   - List of savon-formated (hash) tickets for creating within Remedy.
+  #
+  def prepare_create_tickets_by_vulnerability(vulnerability_list, site_id)
+    @log.log_message("Preparing tickets by vulnerability.")
+    tickets = []
+    current_vuln_id = -1
+    current_solution_id = -1
+    current_asset_id = -1
+    full_summary = nil
+    vulnerability_list_header = vulnerability_list[0]
+    CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|
+    #New vulnerability ID (the query sorting criteria).
+    if current_vuln_id == -1
+      current_vuln_id = row['vulnerability_id']
+      current_solution_id = row['solution_id']
+      current_asset_id =  row['asset_id']
+      @log.log_message("Creating ticket with vulnerability id: #{row['vulnerability_id']}, Asset ID:  #{row['asset_id']} and Site ID: #{site_id}")
+      summary = "Vulnerability: #{row['title']}"
+
+      #Remedy has a summary field max size of 100 so truncate any summaries that are larger than that and place the full summary in the notes.
+      if summary.length > 100
+        full_summary = summary += "\n\n\n"
+        summary = summary[0..96]
+        summary += '...'
+      else
+        full_summary = nil
+      end
+
+      @ticket = {
+          'First_Name' => "#{@remedy_data[:first_name]}",
+          'Impact' => '1-Extensive/Widespread',
+          'Last_Name' => "#{@remedy_data[:last_name]}",
+          'Reported_Source' => 'Other',
+          'Service_Type' => 'Infrastructure Event',
+          'Status' => 'New',
+          'Action' => 'CREATE',
+          'Summary' => summary,
+          'Full_Summary' => summary,
+          'Assets' => "++ Assets affected +++++++++++++++++++++++\n",
+          'Solutions' =>  "++ Details ++++++++++++++++++++++++++\n",
+          'Notes' => "++ Additional information ++++++++++++++++\n",
+          'Urgency' => '1-Critical'
+      }
+      @ticket['Solutions'] +=
+          "\n\n========================================== \nSummary: #{row['summary']} \nFix: #{row['fix']}"
+      @ticket['Assets'] +=
+          "#{row['ip_address']}"
+    end
+    if current_vuln_id == row['vulnerability_id']
+      #Add solutions for the now affected assets.
+      if current_solution_id != row['solution_id']
+        new_solution_text =  "\n========================================== \nSummary: #{row['summary']} \nFix: #{row['fix']}\n"
+        if  @ticket['Solutions'].include? new_solution_text
+          @log.log_message('Ignoring duplicate solution in ticket creation.')
+        else
+          @ticket['Solutions'] += new_solution_text
+          #Add any references.
+          unless row['url'].nil?
+            @ticket['Solutions'] += "\nURL: #{row['url']}"
+          end
+        end
+        current_solution_id = row['solution_id']
+      end
+
+      #Added the new asset to the list of affected systems if it is different (could have been the same asset with a different solution ID).
+      if current_asset_id != row['asset_id']
+        @ticket['Assets'] += ", #{row['ip_address']}"
+        current_asset_id = row['asset_id']
+      end
+    end
+    unless current_vuln_id == row['vulnerability_id']
+      # NXID in the work_notes is the unique identifier used to query incidents to update them.
+      @ticket['Notes'] += "\n\nNXID: #{site_id}#{current_asset_id}#{current_vuln_id}"
+      current_vuln_id = -1
+      current_solution_id = -1
+      current_asset_id = -1
+      @ticket = format_notes_by_vulnerability(@ticket, full_summary)
+      tickets.push(@ticket)
+      redo
+    end
+  end
+  # NXID in the work_notes is the unique identifier used to query incidents to update them.
+  @ticket['Notes'] += "\n\nNXID: #{site_id}#{current_asset_id}#{current_vuln_id}"
+  @ticket = format_notes_by_vulnerability(@ticket, full_summary)
+  tickets.push(@ticket) unless @ticket.nil?
+  tickets
+  end
+
+  def format_notes_by_vulnerability(ticket, prepend)
+    nxid_holder = ticket['Notes']
+    ticket['Notes'] = ''
+    ticket['Notes'] += prepend unless prepend.nil?
+    ticket['Notes'] += ticket['Assets'] += "\n\n"
+    ticket['Notes'] += ticket['Solutions'] += "\n\n"
+    ticket['Notes'] += nxid_holder
+    ticket.delete("Assets")
+    ticket.delete("Solutions")
+    ticket.delete("Full_Summary")
+    ticket
+  end
+
+
   # Prepare ticket updates from the CSV of vulnerabilities exported from Nexpose. This method 
   # currently only supports updating IP-address mode tickets in Remedy. The list of vulnerabilities 
   # are ordered by IP address and then by ticket_status, allowing the method to loop through and  
@@ -275,11 +413,11 @@ class RemedyHelper
   # * *Returns* :
   #   - List of savon-formated (hash) tickets for updating within Remedy.
   #
-  def prepare_update_tickets(vulnerability_list)
-    fail 'Ticket updates are only supported in IP-address mode.' if @options[:ticket_mode] == 'D'
+  def prepare_update_tickets_by_ip(vulnerability_list, site_id)
+    fail 'Ticket updates are only supported in IP-address mode.' if @options[:ticket_mode] != 'I'
     @ticket = Hash.new(-1)
     
-    @log.log_message("Preparing ticket updates by IP address.")
+    @log.log_message('Preparing ticket updates by IP address.')
     tickets = []
     current_ip = -1
     ticket_status = 'New'
@@ -289,70 +427,25 @@ class RemedyHelper
         ticket_status = row['comparison']
         
         # Query Remedy for the incident by unique id (generated NXID)
-        queried_incident = query_for_ticket("NXID: #{row['ip_address']}")
+        queried_incident = query_for_ticket("NXID: #{site_id}#{row['ip_address']}")
         if queried_incident.nil? || queried_incident.empty?
-          @log.log_message("No incident found for NXID: #{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}") 
+          @log.log_message("No incident found for NXID: #{site_id}#{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}")
         else
-          @log.log_message("Creating ticket update with IP address: #{row['ip_address']}")
+          @log.log_message("Creating ticket update with IP address: #{row['ip_address']} for site with ID: #{site_id}")
           @log.log_message("Ticket status #{ticket_status}")
           # Remedy incident updates require populating all fields.
-          @ticket = {
-            'Categorization_Tier_1' => queried_incident[:categorization_tier_1],
-            'Categorization_Tier_2' => queried_incident[:categorization_tier_2],
-            'Categorization_Tier_3' => queried_incident[:categorization_tier_3],
-            'Closure_Manufacturer' => queried_incident[:closure_manufacturer],
-            'Closure_Product_Category_Tier1' => queried_incident[:closure_product_category_tier1],
-            'Closure_Product_Category_Tier2' => queried_incident[:closure_product_category_tier2],
-            'Closure_Product_Category_Tier3' => queried_incident[:closure_product_category_tier3],
-            'Closure_Product_Model_Version' => queried_incident[:closure_product_model_version],
-            'Closure_Product_Name' => queried_incident[:closure_product_name],
-            'Company' => queried_incident[:company],
-            'Summary' => queried_incident[:summary],
-            'Notes' => "++ #{row['comparison']} Vulnerabilities +++++++++++++++++++++++++++++++++++++\n",
-            'Impact' => queried_incident[:impact],
-            'Manufacturer' => queried_incident[:manufacturer],
-            'Product_Categorization_Tier_1' => queried_incident[:product_categorization_tier_1],
-            'Product_Categorization_Tier_2' => queried_incident[:product_categorization_tier_2],
-            'Product_Categorization_Tier_3' => queried_incident[:product_categorization_tier_3],
-            'Product_Model_Version' => queried_incident[:product_model_version],
-            'Product_Name' => queried_incident[:product_name],
-            'Reported_Source' => queried_incident[:reported_source],
-            'Resolution' => queried_incident[:resolution],
-            'Resolution_Category' => queried_incident[:resolution_category],
-            'Resolution_Category_Tier_2' => queried_incident[:resolution_category_tier_2],
-            'Resolution_Category_Tier_3' => queried_incident[:resolution_category_tier_3],
-            'Resolution_Method' => queried_incident[:resolution_method],
-            'Service_Type' => queried_incident[:service_type],
-            'Status' => queried_incident[:status],
-            'Urgency' => queried_incident[:urgency],
-            'Action' => 'MODIFY',
-            'Work_Info_Summary' => queried_incident[:work_info_summary],
-            'Work_Info_Notes' => queried_incident[:work_info_notes],
-            'Work_Info_Type' => queried_incident[:work_info_type],
-            'Work_Info_Date' => queried_incident[:work_info_date],
-            'Work_Info_Source' => queried_incident[:work_info_source],
-            'Work_Info_Locked' => queried_incident[:work_info_locked],
-            'Work_Info_View_Access' => queried_incident[:work_info_view_access],
-            'Incident_Number' => queried_incident[:incident_number],
-            'Status_Reason' => queried_incident[:status_reason],
-            'ServiceCI' => queried_incident[:service_ci],
-            'ServiceCI_ReconID' => queried_incident[:service_ci_recon_id],
-            'HPD_CI' => queried_incident[:hpd_ci],
-            'HPD_CI_ReconID' => queried_incident[:hpd_ci_recon_id],
-            'HPD_CI_FormName' => queried_incident[:hpd_ci_form_name],
-            'z1D_CI_FormName' => queried_incident[:z1d_ci_form_name]
-          }
-        end
+          @ticket = extract_queried_incident(queried_incident, "++ #{row['comparison']} Vulnerabilities ++++++++++++++++++++++++++\n")
+          end
       end
       if current_ip == row['ip_address']
         # If the ticket_status is different, add a a new 'header' to signify a new block of tickets.
         unless ticket_status == row['comparison']
           @ticket['Notes'] += 
-            "\n\n\n++ #{row['comparison']} Vulnerabilities +++++++++++++++++++++++++++++++++++++\n"
+            "\n\n\n++ #{row['comparison']} Vulnerabilities ++++++++++++++++++++++++++\n"
           ticket_status = row['comparison']
         end
-        
-        @ticket['Notes'] += 
+
+        @ticket['Notes'] +=
           "\n\n========================================== \nSummary: #{row['summary']} \nFix: #{row['fix']}"
         # Only add the URL block if data exists in the row.
         unless row['url'].nil?
@@ -362,20 +455,236 @@ class RemedyHelper
       end
       unless current_ip == row['ip_address']
         # NXID in the work_notes is the unique identifier used to query incidents to update them.
-        @ticket['Notes'] += "\n\nNXID: #{current_ip}"
+        @ticket['Notes'] += "\n\nNXID: #{site_id}#{current_ip}"
         tickets.push(@ticket)
         current_ip = -1
         redo
       end
     end
     # NXID in the work_notes is the unique identifier used to query incidents to update them.
-    @ticket['Notes'] += "\n\nNXID: #{current_ip}"
-    tickets.push(@ticket) unless @ticket.nil?
+    @ticket['Notes'] += "\n\nNXID: #{site_id}#{current_ip}" unless @ticket.empty?
+    tickets.push(@ticket) unless @ticket.nil? || @ticket.empty?
     tickets
   end
-  
-  # Prepare ticket closures from the CSV of vulnerabilities exported from Nexpose. This method 
-  # currently only supports updating default mode tickets in ServiceNow.
+
+  # Prepare ticket updates from the CSV of vulnerabilities exported from Nexpose. This method
+  # currently only supports updating vulnerability mode tickets in Remedy. The list of vulnerabilities
+  # are ordered by vulnerability ID and then by ticket_status, allowing the method to loop through and
+  # display new, old, and same vulnerabilities in that order.
+  #
+  #   - +vulnerability_list+ -  CSV of vulnerabilities within Nexpose.
+  #
+  # * *Returns* :
+  #   - List of savon-formated (hash) tickets for updating within Remedy.
+  #
+  def prepare_update_tickets_by_vulnerability(vulnerability_list, site_id)
+    fail 'Ticket updates are only supported in IP-address mode.' if @options[:ticket_mode] != 'V'
+    @ticket = Hash.new(-1)
+
+    @log.log_message('Preparing ticket updates by IP address.')
+    tickets = []
+    current_vuln_id = -1
+    current_solution_id = -1
+    current_asset_id = -1
+    current_solutions_text = "\n++ Details ++++++++++++++\n"
+    ticket_status = 'New'
+    CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|
+      if current_vuln_id == -1
+        current_solutions_text = "\n++ Details +++++++++++++++\n"
+        current_vuln_id = row['vulnerability_id']
+        ticket_status = row['comparison']
+        current_asset_id = -1
+        current_solution_id = -1
+
+        # Query Remedy for the incident by unique id (generated NXID)
+        queried_incident = query_for_ticket("NXID: #{site_id}#{row['asset_id']}#{row['vulnerability_id']}")
+        if queried_incident.nil? || queried_incident.empty?
+          @log.log_message("No incident found for NXID: #{site_id}#{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}. Creating...")
+          new_ticket_csv = vulnerability_list.split("\n").first
+          new_ticket_csv += "\n#{row.to_s}"
+          new_ticket = prepare_create_tickets_by_vulnerability(new_ticket_csv, site_id)
+          @log.log_message('Created ticket. Sending to Remedy...')
+          create_tickets(new_ticket)
+          @log.log_message('Ticket sent. Performing update for ticket...')
+          #Now that there is a ticket for this NXID update it as if it existed this whole time...
+          current_vuln_id = -1
+          redo
+        else
+          @log.log_message("Creating ticket update for vulnerability with ID: #{row['vulnerability_id']}, Asset ID:  #{row['asset_id']} and Site ID: #{site_id}. Ticket status #{ticket_status}.")
+          # Remedy incident updates require populating all fields.
+          @ticket = extract_queried_incident(queried_incident, "++ #{row['comparison']} Assets ++++++++++++++++++++++\n")
+        end
+      end
+      if current_vuln_id == row['vulnerability_id']
+        # If the ticket_status is different, add a a new 'header' to signify a new block of tickets.
+        unless ticket_status == row['comparison']
+          @ticket['Notes'] +=
+              "\n\n\n++ #{row['comparison']} Assets +++++++++++++++++++++++\n"
+          ticket_status = row['comparison']
+        end
+
+        #Added the new asset to the list of affected systems if it is different (could have been the same asset with a different solution ID).
+        if current_asset_id != row['asset_id']
+          @ticket['Notes'] += "#{row['ip_address']}, "
+          current_asset_id = row['asset_id']
+        end
+
+        #Add solutions for the now affected assets.
+        if current_solution_id != row['solution_id']
+          new_solution_text =  "\n========================================== \nSummary: #{row['summary']} \nFix: #{row['fix']}\n"
+          if current_solutions_text.include? new_solution_text
+            @log.log_message('Ignoring duplicate solution for ticket update.')
+          else
+          current_solutions_text += new_solution_text
+            #Add any references.
+            unless row['url'].nil?
+              current_solutions_text +=
+                  "\nURL: #{row['url']}"
+            end
+          end
+          current_solution_id = row['solution_id']
+        end
+      end
+      unless current_vuln_id == row['vulnerability_id']
+        # NXID in the work_notes is the unique identifier used to query incidents to update them.
+        @ticket['Notes'] += "\n\n" + current_solutions_text
+        @ticket['Notes'] += "\n\nNXID: #{site_id}#{current_asset_id}#{current_vuln_id}"
+        tickets.push(@ticket)
+        current_vuln_id = -1
+        current_solution_id = -1
+        current_asset_id = -1
+        redo
+      end
+    end
+    # NXID in the work_notes is the unique identifier used to query incidents to update them.
+    @ticket['Notes'] += current_solutions_text
+    @ticket['Notes'] += "\n\nNXID: #{site_id}#{current_asset_id}#{current_vuln_id}" unless @ticket.empty?
+    tickets.push(@ticket) unless @ticket.nil? || @ticket.empty?
+    tickets
+  end
+
+  # Extracts from a queried Remedy incident the relevant data required for an update to be made to said incident.
+  # Creates a ticket with the extracted data.
+  #
+  #   - +queried_incident+ - The queried incident from Remedy
+  #   - +notes_header+ - The texted to be placed at the top of the Remedy 'Notes' field.
+  #
+  # * *Returns* :
+  #   - A single savon-formated (hash) ticket for updating within Remedy.
+  #
+  def extract_queried_incident(queried_incident, notes_header)
+
+    if queried_incident[0].is_a?(Hash)
+      #Hash of hashes
+      @log.log_message("More than one ticket returned from Remedy. Number of tickets returned: #{queried_incident.count}. Parsing return to check returned ticket status...")
+      @ticket = nil
+      queried_incident.count.times do |x|
+        #TODO: This should be moved to the config for the Remedy helper.
+        if ['Closed', 'Resolved', 'Cancelled'].include? queried_incident[x][:status]
+          @log.log_message("Returned ticket number <#{x}> of <#{(queried_incident.count - 1)}> is of status <#{queried_incident[x][:status]}>. Ignoring.")
+        else
+          fail 'When trying to update tickets Remedy returned multiple tickets with the same NXID and in progress status!' unless @ticket.nil?
+          @ticket = {
+              'Categorization_Tier_1' => queried_incident[x][:categorization_tier_1],
+              'Categorization_Tier_2' => queried_incident[x][:categorization_tier_2],
+              'Categorization_Tier_3' => queried_incident[x][:categorization_tier_3],
+              'Closure_Manufacturer' => queried_incident[x][:closure_manufacturer],
+              'Closure_Product_Category_Tier1' => queried_incident[x][:closure_product_category_tier1],
+              'Closure_Product_Category_Tier2' => queried_incident[x][:closure_product_category_tier2],
+              'Closure_Product_Category_Tier3' => queried_incident[x][:closure_product_category_tier3],
+              'Closure_Product_Model_Version' => queried_incident[x][:closure_product_model_version],
+              'Closure_Product_Name' => queried_incident[x][:closure_product_name],
+              'Company' => queried_incident[x][:company],
+              'Summary' => queried_incident[x][:summary],
+              'Notes' => notes_header,
+              'Impact' => queried_incident[x][:impact],
+              'Manufacturer' => queried_incident[x][:manufacturer],
+              'Product_Categorization_Tier_1' => queried_incident[x][:product_categorization_tier_1],
+              'Product_Categorization_Tier_2' => queried_incident[x][:product_categorization_tier_2],
+              'Product_Categorization_Tier_3' => queried_incident[x][:product_categorization_tier_3],
+              'Product_Model_Version' => queried_incident[x][:product_model_version],
+              'Product_Name' => queried_incident[x][:product_name],
+              'Reported_Source' => queried_incident[x][:reported_source],
+              'Resolution' => queried_incident[x][:resolution],
+              'Resolution_Category' => queried_incident[x][:resolution_category],
+              'Resolution_Category_Tier_2' => queried_incident[x][:resolution_category_tier_2],
+              'Resolution_Category_Tier_3' => queried_incident[x][:resolution_category_tier_3],
+              'Resolution_Method' => queried_incident[x][:resolution_method],
+              'Service_Type' => queried_incident[x][:service_type],
+              'Status' => queried_incident[x][:status],
+              'Urgency' => queried_incident[x][:urgency],
+              'Action' => 'MODIFY',
+              'Work_Info_Summary' => queried_incident[x][:work_info_summary],
+              'Work_Info_Notes' => queried_incident[x][:work_info_notes],
+              'Work_Info_Type' => queried_incident[x][:work_info_type],
+              'Work_Info_Date' => queried_incident[x][:work_info_date],
+              'Work_Info_Source' => queried_incident[x][:work_info_source],
+              'Work_Info_Locked' => queried_incident[x][:work_info_locked],
+              'Work_Info_View_Access' => queried_incident[x][:work_info_view_access],
+              'Incident_Number' => queried_incident[x][:incident_number],
+              'Status_Reason' => queried_incident[x][:status_reason],
+              'ServiceCI' => queried_incident[x][:service_ci],
+              'ServiceCI_ReconID' => queried_incident[x][:service_ci_recon_id],
+              'HPD_CI' => queried_incident[x][:hpd_ci],
+              'HPD_CI_ReconID' => queried_incident[x][:hpd_ci_recon_id],
+              'HPD_CI_FormName' => queried_incident[x][:hpd_ci_form_name],
+              'z1D_CI_FormName' => queried_incident[x][:z1d_ci_form_name]
+          }
+        end
+      end
+    else
+      @ticket = {
+          'Categorization_Tier_1' => queried_incident[:categorization_tier_1],
+          'Categorization_Tier_2' => queried_incident[:categorization_tier_2],
+          'Categorization_Tier_3' => queried_incident[:categorization_tier_3],
+          'Closure_Manufacturer' => queried_incident[:closure_manufacturer],
+          'Closure_Product_Category_Tier1' => queried_incident[:closure_product_category_tier1],
+          'Closure_Product_Category_Tier2' => queried_incident[:closure_product_category_tier2],
+          'Closure_Product_Category_Tier3' => queried_incident[:closure_product_category_tier3],
+          'Closure_Product_Model_Version' => queried_incident[:closure_product_model_version],
+          'Closure_Product_Name' => queried_incident[:closure_product_name],
+          'Company' => queried_incident[:company],
+          'Summary' => queried_incident[:summary],
+          'Notes' => notes_header,
+          'Impact' => queried_incident[:impact],
+          'Manufacturer' => queried_incident[:manufacturer],
+          'Product_Categorization_Tier_1' => queried_incident[:product_categorization_tier_1],
+          'Product_Categorization_Tier_2' => queried_incident[:product_categorization_tier_2],
+          'Product_Categorization_Tier_3' => queried_incident[:product_categorization_tier_3],
+          'Product_Model_Version' => queried_incident[:product_model_version],
+          'Product_Name' => queried_incident[:product_name],
+          'Reported_Source' => queried_incident[:reported_source],
+          'Resolution' => queried_incident[:resolution],
+          'Resolution_Category' => queried_incident[:resolution_category],
+          'Resolution_Category_Tier_2' => queried_incident[:resolution_category_tier_2],
+          'Resolution_Category_Tier_3' => queried_incident[:resolution_category_tier_3],
+          'Resolution_Method' => queried_incident[:resolution_method],
+          'Service_Type' => queried_incident[:service_type],
+          'Status' => queried_incident[:status],
+          'Urgency' => queried_incident[:urgency],
+          'Action' => 'MODIFY',
+          'Work_Info_Summary' => queried_incident[:work_info_summary],
+          'Work_Info_Notes' => queried_incident[:work_info_notes],
+          'Work_Info_Type' => queried_incident[:work_info_type],
+          'Work_Info_Date' => queried_incident[:work_info_date],
+          'Work_Info_Source' => queried_incident[:work_info_source],
+          'Work_Info_Locked' => queried_incident[:work_info_locked],
+          'Work_Info_View_Access' => queried_incident[:work_info_view_access],
+          'Incident_Number' => queried_incident[:incident_number],
+          'Status_Reason' => queried_incident[:status_reason],
+          'ServiceCI' => queried_incident[:service_ci],
+          'ServiceCI_ReconID' => queried_incident[:service_ci_recon_id],
+          'HPD_CI' => queried_incident[:hpd_ci],
+          'HPD_CI_ReconID' => queried_incident[:hpd_ci_recon_id],
+          'HPD_CI_FormName' => queried_incident[:hpd_ci_form_name],
+          'z1D_CI_FormName' => queried_incident[:z1d_ci_form_name]
+      }
+    end
+    @ticket
+  end
+
+
+  # Prepare ticket closures from the CSV of vulnerabilities exported from Nexpose.
   #
   # * *Args*    :
   #   - +vulnerability_list+ -  CSV of vulnerabilities within Nexpose.
@@ -383,15 +692,29 @@ class RemedyHelper
   # * *Returns* :
   #   - List of savon-formated (hash) tickets for closing within Remedy.
   #
-  def prepare_close_tickets(vulnerability_list)
+  def prepare_close_tickets(vulnerability_list, site_id)
     fail 'Ticket closures are only supported in default mode.' if @options[:ticket_mode] == 'I'
-    @log.log_message("Preparing ticket closures by default method.")
+    @log.log_message('Preparing ticket closures by default method.')
+    @nxid = nil
     tickets = []
     CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|
+      case @options[:ticket_mode]
+        # 'D' Default mode: IP *-* Vulnerability
+        when 'D'
+          @nxid = "#{site_id}#{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}"
+        # 'I' IP address mode: IP address -* Vulnerability
+        when 'I'
+          @nxid = "#{site_id}#{row['current_ip']}"
+        # 'V' Vulnerability mode: Vulnerability -* IP address
+        when 'V'
+          @nxid = "#{site_id}#{row['current_asset_id']}#{row['current_vuln_id']}"
+        else
+          fail 'Could not close tickets - do not understand the ticketing mode!'
+      end
       # Query Remedy for the incident by unique id (generated NXID)
-      queried_incident = query_for_ticket("NXID: #{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}")
+      queried_incident = query_for_ticket("NXID: #{@nxid}")
       if queried_incident.nil? || queried_incident.empty?
-        @log.log_message("No incident found for NXID: #{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}") 
+        @log.log_message("No incident found for NXID: #{@nxid}")
       else
         # Remedy incident updates require populating all fields.
         ticket = {