Forum Discussion

MrD
Copper Contributor
Apr 01, 2026

Stuck looking up a watchlist value

Hiya,

I get stuck working with watchlists sometimes.

In this example, I'm wanting to focus on account activity from a list of UPNs.

If I split the elements up, I get the individual results, but can't seem to pull it all together.

=====================================================

In its entirety, the query returns zero results:

let ServiceAccounts=(_GetWatchlist('ServiceAccounts_Monitoring'))| project SearchKey;
let OpName = dynamic(['Reset password (self-service)','Reset User Password','Change user password','User reset password','User started password reset','Enable Account','Change password (self-service)','Update PasswordProfile','Self-service password reset flow activity progress']);
AuditLogs
| where OperationName has_any (OpName)
| extend upn = TargetResources.[0].userPrincipalName
| where upn in (ServiceAccounts) //<=This is where I think I'm wrong
| project upn

=====================================================

This line on its own returns the user on the list:

let ServiceAccounts=(_GetWatchlist('ServiceAccounts_Monitoring'))| project SearchKey;

=====================================================

This section on its own returns all the activity:

let OpName = dynamic(['Reset password (self-service)','Reset User Password','Change user password','User reset password','User started password reset','Enable Account','Change password (self-service)','Update PasswordProfile','Self-service password reset flow activity progress']);
AuditLogs
| where OperationName has_any (OpName)
| extend upn = TargetResources.[0].userPrincipalName
| where upn contains "username" //This is the name on the watchlist - so I know the activity exists

====================================================

I'm doing something wrong when I'm trying to use the watchlist cache (I think)

Any help\guidance or wisdom would be greatly appreciated!

Many thanks

1 Reply

  • MrD
    Copper Contributor

    I fixed it using this:

    | where upn has_any (ServiceAccounts)
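
An exact-match variant of the watchlist lookup, as an added example that is not part of the original thread. `has_any` is a case-insensitive term match, so it is looser than equality, while `in` compares whole values case-sensitively and `TargetResources[0].userPrincipalName` is a `dynamic` value until it is cast. The sketch casts and lower-cases both sides before using `in`. The `datatable` stand-ins, the name `SampleAuditLogs`, and all UPN values are constructed so the query runs without a workspace; in Sentinel, swap them for `_GetWatchlist('ServiceAccounts_Monitoring')` and `AuditLogs`.

```kql
// Constructed stand-in for _GetWatchlist('ServiceAccounts_Monitoring') | project SearchKey.
// Lower-casing here lets the comparison below use plain equality semantics.
let ServiceAccounts = datatable(SearchKey:string)
[
    "svc-backup@contoso.example"
]
| project SearchKey = tolower(SearchKey);
// Constructed stand-in for the AuditLogs table (hypothetical name SampleAuditLogs).
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, TargetResources:dynamic)
[
    // Same account as the watchlist entry, but with different casing.
    datetime(2026-04-01 09:00:00), "Reset User Password",
        dynamic([{"userPrincipalName":"SVC-Backup@contoso.example"}]),
    // Differs from the watchlist entry only by a prefix; an equality test excludes it.
    datetime(2026-04-01 09:05:00), "Change user password",
        dynamic([{"userPrincipalName":"old-svc-backup@contoso.example"}]),
    // Watchlisted account, but an operation that is not in OpName.
    datetime(2026-04-01 09:10:00), "Update user",
        dynamic([{"userPrincipalName":"svc-backup@contoso.example"}])
];
let OpName = dynamic(['Reset User Password','Change user password']);
SampleAuditLogs
| where OperationName has_any (OpName)
// Cast the dynamic value to string and normalise case before comparing.
| extend upn = tolower(tostring(TargetResources[0].userPrincipalName))
// Whole-value membership test against the single-column watchlist table.
| where upn in (ServiceAccounts)
| project TimeGenerated, OperationName, upn
```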