Would it be easier to use a custom phantom playbook to Add a user to a specific AD group from an event trigger, instead of creating a custom App in splunk using the App builder?
"Easier depends on experience in each platform and available resources. If you have phantom and you are already using it for other automation, then yes, it is likely to be simpler. I wouldn't recommend setting up a phantom instance for this single case. And if your experience in phantom is limited, it may be much faster to go the splunk app route. Phantom introduces more moving parts to your process so adding phantom for adding a user to an AD group doesn't make sense but using phantom that is already operational and part of your porcess anyway could very much make the job easier.