Anton Chuvakin (one of the leading Gartner experts in the Threat Detection space) had a recent blog post on some of the key questions one must ask while identifying the first threat Intel data source. 

Here is the list

• What is the my primary motivation for getting TI, such as better threat detection, improved alert triage or IR support?
• Where do I get my first threat intel source [likely, a network indicator feed, IP/DNS/URL]?
• How do I pick the best one(s) for me?
• Where do I put it, into what tool?
• How do I actually make sure it will be useful in that tool?
• What has to happen with the intelligence data in that tool, what correlation and analysis?
• What specifically do I match TI against, which logs, traffic, alerts?
• What you have to do with the results of such matching? Who will see them? How fast?
• How to I assure that the results of matching are legitimate and useful?
• What do I do with false or non-actionable matches?
• How do I use intel to validate alerts producted by other tools?
• Do I match TI to only current data or also to past log/traffic data? How far in the past do I go?

The post is worth a read, as he has linked his earlier posts on this topic in this blog post. Do note that the white papers he has has linked requires GTP access.