Windows Power Off Duration

This query reports how long a computer stayed off between a shutdown and the next power-on. The event pair it matches is typically produced by restarts and shutdowns; it is not produced by a hard reset or loss of power.

sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006)
| transaction host startswith="EventCode=6006" endswith="EventCode=6005"
| eval restart_duration=tostring(duration,"duration")
| eval Date=strftime(_time, "%Y/%m/%d")
| where duration > 480
| table host index Date restart_duration
| sort - Date
| rename restart_duration as "Restart Duration"
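
The same 6006-to-6005 pairing applied offline to exported events, as an added example that is not part of the original page and only approximates what the transaction command does. The sample events, host names and the function name power_off_durations are constructed for illustration; it also lists boots that have no preceding 6006, which the query above drops without reporting.

```python
from datetime import datetime

SHUTDOWN, STARTUP = 6006, 6005   # Event Log service stopped / started
THRESHOLD_SECONDS = 480          # same cut-off as "where duration > 480"

# Constructed sample events (host, ISO timestamp, EventCode); not real log data.
SAMPLE_EVENTS = [
    ("ws01", "2024-03-01T18:00:00", 6006),
    ("ws01", "2024-03-02T08:30:00", 6005),   # clean shutdown, off overnight
    ("ws02", "2024-03-01T12:00:00", 6006),
    ("ws02", "2024-03-01T12:02:10", 6005),   # quick restart, below threshold
    ("ws03", "2024-03-01T09:00:00", 6005),
    ("ws03", "2024-03-01T15:45:00", 6005),   # boot with no 6006 before it
]


def power_off_durations(events, threshold=THRESHOLD_SECONDS):
    """Pair each 6006 with the next 6005 on the same host.

    Returns (rows, unpaired). rows holds (host, shutdown date, seconds off)
    for gaps longer than threshold; unpaired holds (host, timestamp) for
    6005 events that have no unmatched 6006 before them.
    """
    pending = {}            # host -> time of the latest unmatched 6006
    rows, unpaired = [], []
    parsed = [(h, datetime.fromisoformat(ts), c) for h, ts, c in events]
    for host, when, code in sorted(parsed, key=lambda e: e[1]):
        if code == SHUTDOWN:
            pending[host] = when
        elif code == STARTUP:
            start = pending.pop(host, None)
            if start is None:
                unpaired.append((host, when.isoformat()))
                continue
            seconds = int((when - start).total_seconds())
            if seconds > threshold:
                rows.append((host, start.strftime("%Y/%m/%d"), seconds))
    return rows, unpaired


if __name__ == "__main__":
    rows, unpaired = power_off_durations(SAMPLE_EVENTS)
    for row in rows:
        print(*row)
    for host, ts in unpaired:
        print("no clean shutdown before boot:", host, ts)
```

A 6005 at the very start of the exported time range also shows up as unpaired, so check the window before treating it as an unclean shutdown.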
