Decrypting and Abusing Predefined BIOCs in Palo Alto Cortex XDR - InfoGuard Labs

Cortex XDR's predefined Behavioral Indicators of Compromise (BIOCs) contain numerous exceptions, including global whitelists, that can be abused to evade detection even when using simple and well-known TTPs.