I don't have anything on automating feeds but there is a very good post by Scott Taschler which describes using Watchlists for emerging threats - http://mcaf.ee/3uek1
Sites such as dshield supply good information such as block lists (http://dshield.org/block.txt) which could be easily added to a watchlist.
There is of course McAfee GTI which is automated and available within SIEM. If you are interested in getting a subscription for that you would need to talk to your sales representative.
Yes, it is very good to use McAfee GTI with ESM, but there is a small problem: what can we tell customers buying a small system (like a combo)? Please compare the small combo price with the minimal price of GTI...
As far as I know, the minimum number of GTI licenses has been changed in the latest price book. Things should be a bit easier for us to deliver GTI with McAfee SIEM.
So I am getting back to this after letting it flounder for a while. I set up an automated process where my Linux server pulls about 5 threat feeds in from various sites. Nitro then grabs these flat files. The problem I have is that the data becomes stale very quickly. It would be nice if Nitro could purge the log before it pulls a new file, since the threat feed services are clearing certain IPs and they are no longer an issue. I don't want to be chasing a bunch of false positives.
Like Chris mentioned, watchlists are great to use. Another option is data enrichment (but only if you can get a set format and find a key field that can be linked to a parsed field for any events).
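An added example, not part of the thread and not McAfee code: one way to keep the flat file from going stale is to rebuild it from the current feed on every pull instead of appending, so entries the feed has cleared drop out. It assumes the block list is tab-separated with the start address in column 1 and the prefix length in column 3; the function names and the sample feed are constructed for illustration.

```python
import ipaddress
import os

# Constructed sample in the assumed block.txt layout (documentation ranges only).
SAMPLE_FEED = (
    "# constructed sample, not real feed data\n"
    "Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail\n"
    "192.0.2.0\t192.0.2.255\t24\t1500\tEXAMPLE-NET\tZZ\tabuse@example.com\n"
    "198.51.100.0\t198.51.100.255\t24\t900\tEXAMPLE-NET2\tZZ\tabuse@example.com\n"
    "not-an-ip\tgarbage\t24\t1\tBAD\tZZ\tx@example.com\n"
)

def parse_block_list(text):
    """Return the set of CIDR strings found in a block.txt-style feed."""
    networks = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}")
        except ValueError:
            continue  # column header row or malformed entry
        networks.add(str(net))
    return networks

def refresh_watchlist(path, feed_text):
    """Overwrite the flat file with the current feed; return (added, removed)."""
    current = parse_block_list(feed_text)
    if not current:
        # A failed or truncated download must not wipe the existing list.
        raise ValueError("feed parsed to zero entries; keeping previous file")
    try:
        with open(path) as fh:
            previous = {ln.strip() for ln in fh if ln.strip()}
    except FileNotFoundError:
        previous = set()
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("\n".join(sorted(current)) + "\n")
    os.replace(tmp, path)  # atomic swap: a reader never sees a half-written file
    return current - previous, previous - current

if __name__ == "__main__":
    print(sorted(parse_block_list(SAMPLE_FEED)))
```

The `removed` set is the list of entries the feed has cleared since the last pull, which is what needs to leave the watchlist to avoid chasing stale hits.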