That's correct: correlations are real-time and based on hitting a threshold. We've considered adding more historical/behavioral thresholds as well, and/or the ability to alert from a search, which would accomplish the same goal and which we don't have right now.
The best we could do is:
Event A exists (even 2 of them)
Event B does not exist
within 5 minutes
Fire trap/send email.
That basically says if you see Event A (or a # of event As) but you don't see event B within 5 minutes of Event A, something is wrong and you should send an email. It's really the number of SAME alerts that's the problem with what you're trying to do; we don't have a way to distinguish them the way it's modeled.
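The rule described in the reply above, sketched as a small stream evaluator. This is an added example, not the product's code; the `(timestamp, name)` event shape, the function name `absence_alerts` and the sample events are assumptions made for illustration.

```python
from collections import deque

WINDOW = 300  # seconds: the "within 5 minutes" from the post

def absence_alerts(events, a="A", b="B", a_threshold=1, window=WINDOW, now=None):
    """Evaluate "A exists (a_threshold times), B does not exist within window".

    events: (epoch_seconds, name) tuples sorted by time (hypothetical shape).
    now:    optional current time, used to flush a deadline that expired
            after the last event in the stream.
    Returns the deadlines at which the trap/email would fire.
    """
    recent_a = deque()  # timestamps of A events still inside the window
    deadline = None     # armed when the A threshold is met, cleared by B
    alerts = []
    for ts, name in events:
        # A deadline that passed without any B is the firing condition.
        if deadline is not None and ts > deadline:
            alerts.append(deadline)
            deadline = None
            recent_a.clear()
        if name == a:
            recent_a.append(ts)
            while ts - recent_a[0] > window:  # age out old A events
                recent_a.popleft()
            if deadline is None and len(recent_a) >= a_threshold:
                deadline = ts + window
        elif name == b and deadline is not None:
            # B arrived in time: the expected follow-up happened, disarm.
            deadline = None
            recent_a.clear()
    if deadline is not None and now is not None and now > deadline:
        alerts.append(deadline)
    return alerts

# Constructed sample: the first pair of A events is answered by B,
# the second pair is not.
SAMPLE = [(0, "A"), (60, "A"), (120, "B"),
          (1000, "A"), (1010, "A"), (1400, "C")]

if __name__ == "__main__":
    print(absence_alerts(SAMPLE, a_threshold=2))
```

The evaluator keeps only a count of A events and one deadline, so repeated A events inside the window all collapse into a single pending check.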