@Gary Bushey - thx for the rely

So I now have the following query:

let watchlist = (_GetWatchlist('VIP') | project 'User Principal Name');
SecurityAlert
| extend ['User Principal Name'] = tostring(parse_json(ExtendedProperties).["User Account"])
| where 'User Principal Name' in (watchlist)
| project TimeGenerated, ['User Principal Name']

But when I run the query, I still see user names that aren't part of the VIP list

Thx 

@Gary Bushey 

I went back to the Watchlist documentation (https://docs.microsoft.com/en-us/azure/sentinel/watchlists) and saw this:

With that, I went back and rewrote the query to as follows:

SecurityAlert
| lookup kind=leftouter _GetWatchlist('VIP') 
on $left.CompromisedEntity == $right.SearchKey
| project TimeGenerated, CompromisedEntity, AlertName, AlertSeverity, Description

and I'm still seeing the same issue in which I see users who aren't on the VIP list

@Gary Bushey 

Thx again for the reply.

I used this statement to alias User_Acccount_ to "User Account"

| extend User_Account_ = tostring(parse_json(ExtendedProperties).["User Account"])

and my final working KQL queries look like this:

let watchlist = (_GetWatchlist('VIP') | project 'User Principal Name');
SecurityAlert
| extend User_Account_ = tostring(parse_json(ExtendedProperties).["User Account"])
| where 'User Principal Name' in (watchlist)

and

//Watchlist as a variable
let watchlist = (_GetWatchlist('VIP') | project 'User Principal Name');
SigninLogs
| where 'User Principal Name' in (watchlist)
| where isnotempty(ResultDescription)
| project TimeGenerated, UserPrincipalName, ResultDescription, Identity, Location, AppDisplayName