I feel ignorant even asking this, but in SEPM it was super obvious. When you modified an audit signature from something other than Log, you could pick Block or Allow. In the cloud portal this is changed to Enable or Disable, and I just want to be clear which one blocks and which one allows. I feel like Enable could be mean "Allow" or "Enable the rule for blocking" and vice versa for Disable.