A course of action is an action taken either to prevent an attack or to respond to an attack that is in progress. Course of actions apply for STIX 2.x.

Course of actions describes technical or automated responses (applying patches, reconfiguring firewalls). It can also describe higher-level actions like employee training or policy changes.

For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it.