It's not perfect, but the closest thing that comes to mind for me is EQL
Basically it works like this:
[ < A: the first thing that must happen > ]
[ < C: the third thing that must happen > ]
[ < B: the second thing that should not happen > ]
Basically how it works, is that it looks for A followed by C, and if B happens in between then the sequence is invalid and will not generate an alert. I'm not totally sure if this fits well with your use case, but it might be worth a shot.
One way we've used it before is like this, to watch out for pid reuse. This example query stops tracking when a termination is seen, that way it won't match across a reused process ID.
sequence by process.pid
[ process where < creation > ]
[ network where < connect > ]
[ process where <termination> ]
There might options at your disposal, and this is just what I'm most familiar with. Hope this is a start!