What kind of format does Security Analytics ingest for threat feeds?
pre 10.6.1 feeds are in csv format
10.6.1 and after you have the ability to also read STIX formatted data.
most use cases will require a script that can be crontab run from the SA head server to reach out and grab threat data from an external site then write it to the SA webserver root directory (/var/netwitness/srv/www/feedname.csv) where you can run a recurring custom feed to read from that localhost directory to pull that data into SA on a schedule (http://127.0.0.1/feedname.csv)
If you are looking for an example of how the feed should be structured this is an old post but an interesting use case to look at
Import This Malicious User-Agent String Feed
There is also the product documentation available here that describes how to create a custom feed using CSV for STIX files: Manage Custom Feeds - RSA Security Analytics Documentation
I also have this question as I'm finding while looking through the feeds that there are a LOT of false positives and looking for strategies to sort through the noise. One question I posed in another thread is about RSA feeds not publishing further meta such as threat.category or more data we can flag on.
Retrieving data ...