Hi @HPACHPANDE ,
please try something like this:
index =windows product=Windows
EventCode="4609" OR EventCode="6008" OR (EventCode="4608" AND _time<now()-300)
| table _time name host dvc EventCode severity Message
I'm not sure that it's possible to add the last condition in the main search, please try, if doesn't run, pleaase try this:
index =windows product=Windows
EventCode="4609" OR EventCode="4608" OR EventCode="6008"
| where EventCode="4608" AND _time<now()-300
| table _time name host dvc EventCode severity Message
Ciao.
Giuseppe
