This is the tricky part Steve.  As we need two separate incidents we included severity in the message key. When clear comes in, the value of severity changes. So does the message key.

Honestly you seem to have a process issue here. There is many ways to do this but incident management really should be the one to decide when to escalate and then it should pull it from CI support group attributes. Either way this won't work unless you correlate the 2 alerts together so when the clear comes in it would cancel them both out but since you are using severity that will actually not work at all (as the message key would be changed). 

I would suggest you take a step back and remove severity from the message key and work on a better way to open up a separate incident or have the incident be re-assigned to a new team (which should be the way it works otherwise you are doubling up incident generation for no reason). 

I understand your point here but our CMDB is not mature enough to decide the assignment group based on CI and link the CI support group.

There is no other attribute that source embeds that can actually used to differentiate the event.

Note: We are transforming and escalating the same event as the severity of event escalates, I guess it's just a different process altogether. We want to rely on monitoring tool more when comes to escalation.

Want to understand more on re-assignation piece, we don't get the assignment group from Source, we compose it as part of event rules. Are you proposing to have two rules, one for warning one for critical of same order and same message key ?