Hi @HPACHPANDE ,

please try something like this:

index =windows product=Windows
EventCode="4609" OR EventCode="6008" OR (EventCode="4608" AND _time<now()-300)
| table _time name host dvc EventCode severity Message

I'm not sure that it's possible to add the last condition in the main search, please try, if doesn't run, pleaase try this:

index =windows product=Windows
EventCode="4609" OR EventCode="4608" OR EventCode="6008"
| where EventCode="4608" AND _time<now()-300
| table _time name host dvc EventCode severity Message

Ciao.

Giuseppe