Thank you for your answer. We are already in the process of creating the synchronization script. (If I understood it correct, that'S what XSOAR could do).

Our security enforcement for NSX-T based workload is done with tag based groups. The membership of this groups could change when a new VM with tags is deployed, a VM is decommissioned or the TAGs of VM(s) are changed. Whenever that happens we would need to run the script.

Now we where thinking about this trigger to run the script.

Option one for us was to run it when ever one of the above mentioned processes which are all automated run. The problem with this approach is that we would either create a complex script to check which groups changed due to the process or run the synchronization for all groups each time. We would although miss if someone does the above mentioned processes manually.

Option two would be to run the script periodically for all groups. That would result in a new VM not being able to communicate until the script runs the next time. 

Option three and our preferred solution would be to get the information that a group is changed from NSX-T, vRLI or vRNI and only run the script for the changed group.

But we couldn't find yet if there is an event in one of the three tools we can use as this trigger. 

Yep, you have the gist of things here already.

The trigger I'd recommend would be vRLI or your syslog agent inside of XSOAR. NSX-T Manager's audit logs:

Odd, it won't let me paste, but you can filter on either 

"display_name":"<tag>"

or the Object's UUID. I have attached an example NSGroup change.