The purposes of the rule is the following one: if a User Group related to a Databases is changed by a remote user, the rule must trigger.
Here, some addictional data;
For change we mean that a user is added or removed to a group and/or an entire Database user group is deleted.
We are not focusing on a specific data base product; the fact that the host involved is a database is get by checking 2 lookup table where the database IP and ports are putted.
If possible, we had to use Datamodel instead of sourcetype; for this, I checked both Database and Authentication data model but I see that, in the ready field, we are able to extract only data about users, not groups.