GuardDuty detected CloudTrail being outright disabled, but did not detect if an attacker with the
necessary permissions filtered out all events from CloudTrail via PutEventSelectors, resulting in
defenders having no logs to review. AWS fixed this issue by adding a GuardDuty detection that
triggers if PutEventSelectors is used to disable all event types.
As a safety measure, set up additional detections independent of GuardDuty.