Security Analytics Threat Feeds
pre 10.6.1 feeds are in csv format
10.6.1 and after you have the ability to also read STIX formatted data.
most use cases will require a script that can be crontab run from the SA head server to reach out and grab threat data from an external site then write it to the SA webserver root directory (/var/netwitness/srv/www/feedname.csv) where you can run a recurring custom feed to read from that localhost directory to pull that data into SA on a schedule (http://127.0.0.1/feedname.csv)
I also have this question as I'm finding while looking through the feeds that there are a LOT of false positives and looking for strategies to sort through the noise. One question I posed in another thread is about RSA feeds not publishing further meta such as threat.category or more data we can flag on.