Abstract

To accelerate the response to newly detected incidents and new types of threat indicators, we developed ways to express recommended actions in STIX, which can be reviewed and selected by an operator and then executed by a threat defense system. We demonstrate how our extensions provide actionable details to go along with the threat information in STIX, and point the way towards better automation.