I managed to get a working solution that works in this limited test scenario.
You need to explicitly exclude the known cases in the default rule as in the example below:
<Sysmon schemaversion="4.50">
<EventFiltering>
<RuleGroup name="ProcessCreate - Include" groupRelation="or">
<ProcessCreate onmatch="include">
<Rule groupRelation="and" name="Net with user parameter">
<Image condition="is">C:\Windows\System32\net.exe</Image>
<CommandLine condition="contains"> user</CommandLine>
</Rule>
<Rule groupRelation="and" name="Net with use parameter">
<Image condition="is">C:\Windows\System32\net.exe</Image>
<CommandLine condition="contains"> use</CommandLine>
</Rule>
<Rule groupRelation="and" name="Net with session parameter">
<Image condition="is">C:\Windows\System32\net.exe</Image>
<CommandLine condition="contains"> session</CommandLine>
</Rule>
<Rule groupRelation="and" name="Default net case">
<Image condition="is">C:\Windows\System32\net.exe</Image>
<CommandLine condition="excludes any"> user; use; session</CommandLine>
</Rule>
</ProcessCreate>
</RuleGroup>
<RuleGroup name="ProcessTerminate - Include" groupRelation="or">
<ProcessTerminate onmatch="include">
<!-- Empty rule set -->
</ProcessTerminate>
</RuleGroup>
</EventFiltering>
</Sysmon>
The problem is that my real world config file is much more complicated than this...