Update vimUserManagementSentinelOne.yaml

Parsers/ASimUserManagement/Parsers/vimUserManagementSentinelOne.yaml

@@ -96,7 +96,13 @@ ParserQuery: |
       | parse description_s with * "with id=" id: string "," restOfMessage
       | lookup EventTypeLookup on activityType_d
       | extend
-          EventType = iff(activityType_d in (67, 42) and primaryDescription_s has "enabled", "UserEnabled", "UserDisabled")
+          EventType = case (
+                activityType_d in (67, 42) and primaryDescription_s has "enabled",
+                "UserEnabled",
+                activityType_d in (67, 42) and primaryDescription_s has "disabled",
+                "UserDisabled",
+                EventType
+            )
       | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))
       | extend 
           PreviousPropertyValue = case(
@@ -212,4 +218,4 @@ ParserQuery: |
       actorusername_has_any = actorusername_has_any,
       eventtype_in = eventtype_in,
       disabled = disabled
-  )
+  )