I don't have anything on automating feeds but there is a very good post by Scott Taschler which describes using Watchlists for emerging threats - http://mcaf.ee/3uek1
Sites such as dshield supply good information such as block lists (http://dshield.org/block.txt) which could be easily added to a watchlist.
There is of course McAfee GTI which is automated and available within SIEM. If you are interested in getting a subscription for that you would need to talk to your sales representative.
Like Chris mentioned, watchlists are great to use; another option is data enrichment (but only if you can get a set format and find a key field that can be linked to a parsed field for any events).
Yes, it is very good to use McAfee GTI with ESM, but there is a small problem: what can we tell customers buying a small system (like a combo)? Please compare the small combo price with the minimal price of GTI...
I recommend that you talk with your McAfee Sales Representative to see if they can offer any suggestions on the pricing.
As far as I know, the minimum number of GTI licenses has been changed in the latest price book. Things should be a bit easier for us to deliver GTI with McAfee SIEM.
Yes - you are right - it is very good news.
This year it is possible to buy GTI for only 1000 nodes - not 10000.
So I am getting back to this after letting it flounder for a while. I set up an automated process where my Linux server pulls about 5 threat feeds in from various sites. Nitro then grabs these flat files. The problem I have is that the data becomes stale very quickly. It would be nice if Nitro could purge the log before it pulls a new file, since the threat feed services are clearing certain IPs that are no longer an issue, and I don't want to be chasing a bunch of false positives.
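One way to keep the flat file the SIEM picks up from going stale is to rebuild it from scratch on every pull rather than appending to it, and to swap it in atomically so the collector never reads a half-written or mixed old-and-new file. The script below is an added example written for this thread, not code from McAfee or from any of the posters. It assumes the dshield block.txt layout is tab-separated with start IP, end IP and prefix length in the first three columns (an assumption, so check it against the live feed), the two feed samples are constructed inline, and the output path `watchlist.txt` is a stand-in for wherever the SIEM is configured to fetch the file from.

```python
import ipaddress
import os
import tempfile
from typing import Iterable, List, Set

# Constructed sample in the style of http://dshield.org/block.txt. The column
# layout assumed here (start IP, end IP, prefix length, target count, name,
# country, contact) is an assumption about the real feed, not taken from it.
DSHIELD_SAMPLE = """\
#   DShield.org Recommended Block List (constructed sample)
#   Start       End         Subnet  Number of targets   Name    Country email
192.0.2.0\t192.0.2.255\t24\t120\tExampleNet\tUS\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t95\tTestNet\tDE\tabuse@example.org
"""

# Constructed sample of a second feed that lists one indicator per line,
# including a duplicate and a junk line to show they are handled.
PLAIN_IP_SAMPLE = """\
# plain IP feed (constructed sample)
203.0.113.7
203.0.113.7
not-an-ip
2001:db8::1
"""


def parse_dshield_block(text: str) -> Set[str]:
    """Turn block.txt-style rows into CIDR strings. Comment lines and rows
    that do not parse are skipped, so one bad row cannot poison the list."""
    nets: Set[str] = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
        except ValueError:
            continue
        nets.add(str(net))
    return nets


def parse_ip_list(text: str) -> Set[str]:
    """Parse a one-indicator-per-line feed; invalid entries are dropped."""
    ips: Set[str] = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            ips.add(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return ips


def build_watchlist(feeds: Iterable[Set[str]]) -> List[str]:
    """Merge all feeds into one deduplicated, sorted list. Because the list is
    rebuilt from the current feeds on every run, indicators the providers have
    retired drop out instead of lingering as stale watchlist entries."""
    merged: Set[str] = set()
    for feed in feeds:
        merged |= feed
    return sorted(merged)


def write_watchlist_atomic(path: str, entries: List[str]) -> None:
    """Write to a temp file in the same directory, then rename it over the old
    file, so a collector reading the path sees either the old or the new list."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".watchlist-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(entries) + "\n")
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    # In the real job the two strings would be the bodies of fresh HTTP fetches.
    entries = build_watchlist([parse_dshield_block(DSHIELD_SAMPLE),
                               parse_ip_list(PLAIN_IP_SAMPLE)])
    write_watchlist_atomic("watchlist.txt", entries)
    print(f"wrote {len(entries)} entries")
```

Run it from cron just before the SIEM's scheduled fetch. The full-rebuild plus rename approach fixes staleness on the feed side; entries already loaded into the SIEM from an earlier file still need to be aged out by whatever expiry the watchlist itself supports.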