Reputation: 13
I have a basic Azure alert that looks at the Windows logs of a VM and determines whether it should fire an alert upon detecting a specific event ID:
Event
| where EventID == 500
| summarize arg_max(TimeGenerated, *) by ParameterXml
| project TimeGenerated, Computer, EventID, RenderedDescription
| order by TimeGenerated
The condition is whether the event is detected once or more in the space of 5 minutes. I'm looking to add some alert logic so that it only fires if the additional alert event "650" has not fired.
I have tried using joins to attach the additional event ID to the query, but I'm unsure how to express the logic to say "not fired".
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log-query (Example 4)
Summary
Fire alert if event id 500 detected and event id 650 not detected
Upvotes: 0
Views: 412
Reputation: 291
A possible solution with join leftanti:
Event
| where EventID in (500, 650)
| summarize arg_max(TimeGenerated, *) by EventID, Computer
| as T
| where EventID == 500
| join kind=leftanti (T | where EventID == 650) on Computer
Upvotes: 0
Reputation: 291
A possible solution:
Event
| where EventID in (500, 650)
| summarize
arg_max(iff(EventID == 500, TimeGenerated, datetime(null)), *),
Cond= countif(EventID == 650) == 0
by Computer
| where Cond
| project TimeGenerated, Computer, EventID, RenderedDescription
| order by TimeGenerated
The summarize line filters the newest event with ID 500 and counts the events with ID 650.
Upvotes: 0
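To check both answers above against the same data before wiring either into an alert rule, here is an added, self-contained KQL example (not from either answer): it builds a constructed `SampleEvent` table with `datatable` in place of the real `Event` table, runs the leftanti-join variant and the countif variant side by side, and expects each to return only the computer that logged a 500 with no 650. The `let` names and sample rows are my own; the 5-minute window is supplied by the alert rule, so no time filter is applied here.

```kql
// Constructed sample events (not real telemetry), one evaluation window:
//   vm-a: 500 followed by 650  -> must NOT fire
//   vm-b: 500 only             -> must fire
//   vm-c: 650 only             -> must NOT fire
let SampleEvent = datatable(TimeGenerated:datetime, Computer:string, EventID:int, RenderedDescription:string)
[
    datetime(2024-01-01 10:00:00), "vm-a", 500, "500 on vm-a",
    datetime(2024-01-01 10:01:00), "vm-a", 650, "650 on vm-a",
    datetime(2024-01-01 10:02:00), "vm-b", 500, "500 on vm-b",
    datetime(2024-01-01 10:03:00), "vm-c", 650, "650 on vm-c"
];
// Newest event per (EventID, Computer), shared by the join variant.
let Latest = SampleEvent
    | summarize arg_max(TimeGenerated, *) by EventID, Computer;
// Variant 1: leftanti join drops every computer that also has a 650.
let FiredByJoin = Latest
    | where EventID == 500
    | join kind=leftanti (Latest | where EventID == 650) on Computer
    | project TimeGenerated, Computer, EventID, RenderedDescription;
// Variant 2: one summarize per computer; Cond is true only when no 650 was seen.
let FiredByCountif = SampleEvent
    | summarize
        arg_max(iff(EventID == 500, TimeGenerated, datetime(null)), *),
        Cond = countif(EventID == 650) == 0
      by Computer
    | where Cond
    | project TimeGenerated, Computer, EventID, RenderedDescription;
// Both variants should yield exactly one row each: vm-b at 10:02.
FiredByJoin | extend Method = "leftanti"
| union (FiredByCountif | extend Method = "countif")
| order by Method asc
```

If a variant returns vm-a or vm-c, the suppression logic is wrong for that case; if it returns nothing, the 500 detection itself is broken.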