Adding the "SQLtext" column to the enVision Oracle parser.
Haroot,
Where to start? So, it sounds like you understand some of the underbelly of enVision. This type of customization is quite dangerous.
1. RSA does have some type of support for merging custom messages into an existing (supported) device type. I've seen it work (or at least try to). I wouldn't want to rely on it if it's still maintained/supported.
2. RSA does NOT support modifying the SQL tables that you've found. As a matter of fact, they don't even back them up when they make changes to them! Before we prodded RSA, they didn't even know how the parsing ordering of messages worked! Yikes! And we were working with their experts on this subject.
3. My company implemented a custom set of messages for Unix and Oracle by modifying those Device XMLs. It was a total disaster for our SIEM in the past 4 years. Any ESU would break them, which resulted in zero changes to enVision in that time frame. We recently (last June) finally completed a long project to separate out our customizations into their own custom devices. This has finally allowed us to use the platform as a SIEM, as opposed to a glorified reporting engine for Compliance.
So in summary, customizations to built-in devices are possible, but a VERY bad idea. You are much better off implementing a new custom device type for just the messages that you care to modify. Then implement them as multi-device (and set the parsing order via the SQL DB) for the systems you want to. You can use any fields present in ANY single SQL table, but the table chosen affects where you look for the resulting messages.
