@splunk_zen, you can try the following, however, I would want to know as to why you have three lookups identities_1, identities_2 and identities_3. I have moved watchlist filter to inputlookup command itself assuming all three lookups have this field.
index=win EventCode=528 OR EventCode=4624 LogonType=2
[| inputlookup identities_1 where watchlist = "true"
| inputlookup append=true identities_2 where watchlist = "true"
| inputlookup append=true identities_3 where watchlist = "true"
| rename identity as Account_Name
| table Account_Name]