Forum Discussion
I'm stuck!
Logically, I'm not sure how/if I can do this.
I want to monitor for EntraID Group additions - I can get this to work for a single entry using this:
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Add member to group"
| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName == "NameOfGroup" // <-- This returns the single entry
| extend User = tostring(TargetResources[0].userPrincipalName)
| summarize ['Count of Users Added']=dcount(User), ['List of Users Added']=make_set(User) by GroupName
| sort by GroupName asc
However, I have a list of 20 Priv groups that I need to monitor. I can do this using:
let PrivGroups = dynamic(['name1','name2','name3']);
and then call that like this:
blahblah
| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName has_any (PrivGroups)
But that's a bit dirty to update - I wanted to call a watchlist. I've tried defining with:
let PrivGroup = (_GetWatchlist('TestList'));
and tried calling like:
blahblah
| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName has_any ('PrivGroup')
I've tried dropping the let and attempted to lookup the watchlist directly:
| where GroupName has_any (_GetWatchlist('TestList'))
The query runs but doesn't return any results (obviously I know the result exists). How do I look up that extracted value on a Watchlist?
Any ideas or pointers why I'm wrong would be appreciated!
Many thanks
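One way to drive the privileged-group check from a Sentinel watchlist, as an added example that is not part of the post above: it assumes the watchlist 'TestList' was imported with the group name as its SearchKey column, and it keeps the same modifiedProperties[1] extraction the post uses. Projecting a single column first matters, because a watchlist also carries internal columns and a multi-column tabular expression is matched on its first column only.

```kql
// Added example (not from the original post). Assumes the watchlist named
// 'TestList' has the privileged group display names in its SearchKey column.
let PrivGroups = _GetWatchlist('TestList')
    | project SearchKey;   // single column, so it can be used as a value list
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Add member to group"
| where TargetResources[0].type == "User"
// Same extraction as the post: assumes Group.DisplayName is the second
// entry of modifiedProperties for this operation.
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend User = tostring(TargetResources[0].userPrincipalName)
// Exact match against the watchlist values (use in~ for a case-insensitive match).
| where GroupName in (PrivGroups)
| summarize ['Count of Users Added']=dcount(User), ['List of Users Added']=make_set(User) by GroupName
| sort by GroupName asc
```

If the watchlist was created with a different search key, replace SearchKey with the column that holds the group names; the rest of the query is unchanged.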