DomainSight-AI by Krook9d - MCP Server

DomainSight AI 🔍

Agent-orchestrated IOC investigations with web-first artifact upload and standardized tool access.

DomainSight AI is a containerized platform for investigating Indicators of Compromise (IOCs) such as domains, URLs, IPs, and file hashes. It combines multiple threat intelligence sources with browser history analysis capabilities, all orchestrated through an Agent-to-Agent (A2A) framework.

🌟 Features

Core Capabilities

Multi-Source Threat Intelligence
- 🔍 Urlscan.io: Automated URL scanning and analysis
- 🛡️ AlienVault OTX: Community-driven threat intelligence
- 🔐 OpenCTI: Advanced threat intelligence platform integration (Sprint 2)
- 🦠 VirusTotal: Optional malware and URL analysis
Browser History Analysis
- 📊 Upload and analyze browser history databases (Chrome, Edge, Firefox)
- 🕐 Time-windowed queries
- 🔎 Domain filtering and pattern matching
- 📈 Support for CrowdStrike history.db format
Agent Orchestration
- 🤖 A2A (Agent-to-Agent) gateway for intelligent task routing
- 🔀 Automatic tool selection based on investigation goals
- 📝 Structured task tracking and correlation IDs
- 🔐 Secure artifact upload with authentication

User Interface

💬 LibreChat web UI with preset workflows
🎯 Pre-configured investigation templates
🔄 Multi-model support (OpenAI, Ollama for local LLMs)

🏗️ Architecture

┌─────────────────────────────────────────┐
│  LibreChat (Web UI)                     │
│  Port: 3080                             │
└──────────────┬──────────────────────────┘
               │
┌──────────────▼──────────────────────────┐
│  A2A Gateway (Orchestrator)             │
│  Port: 9090                             │
│  - Agent registry                       │
│  - Task routing                         │
└──────────────┬──────────────────────────┘
               │
┌──────────────▼──────────────────────────┐
│  MCP Server (Python/FastMCP)            │
│  Port: 8080                             │
│  - Threat intelligence tools            │
│  - History.db ingestion/query           │
│  - /upload endpoint for artifacts       │
└──────────────┬──────────────────────────┘
               │
      External APIs & Services

🚀 Quick Start

Prerequisites

Docker & Docker Compose
API keys for threat intelligence services (see Configuration)

Installation

Clone the repository

git clone https://github.com/yourusername/DomainSight-AI.git
cd DomainSight-AI

Create environment file

# Copy the template
cp env.example .env

# Edit .env with your API keys and configuration
nano .env

Start the platform

docker compose up -d

Create your first user

Wait for all services to be ready (30-60 seconds), then create an admin user:

# Using docker compose
docker compose exec librechat npm run create-user

# Follow the prompts to enter:
# - Email address
# - Password  
# - Name

Note: Registration is disabled by default for security. Use the create-user command to add users.

Access the UI Open your browser to: http://localhost:3080

⚙️ Configuration

Required Environment Variables

Create a .env file with the following:

# Authentication (REQUIRED - change this!)
A2A_AUTH_TOKEN=your-secure-random-token-here

# LLM Configuration
OPENAI_API_KEY=sk-xxxxx
OPENAI_BASE_URL=https://api.openai.com
MODEL=openai/gpt-4o-mini

# Threat Intelligence APIs
URLSCAN_API_KEY=your-urlscan-key
OTX_API_KEY=your-otx-key

# Optional: OpenCTI (for advanced threat intel)
OPENCTI_BASE_URL=https://your-opencti-instance.com
OPENCTI_API_TOKEN=your-opencti-token

# Optional: VirusTotal
VT_API_KEY=your-virustotal-key

# Server Configuration
UPLOAD_MAX_MB=200
LOG_LEVEL=INFO
CACHE_TTL_SECONDS=1800

Getting API Keys

Urlscan.io: Register at https://urlscan.io/
AlienVault OTX: Sign up at https://otx.alienvault.com/
VirusTotal: Get key at https://www.virustotal.com/gui/join-us
OpenCTI: Deploy your own or use a managed instance

📖 Usage Examples

1. Domain Investigation

Investigate domain evil.example.com using all available sources

The system will automatically:

Submit to Urlscan for live analysis
Query OTX for threat intelligence
Check VirusTotal (if configured)
Aggregate and present findings

2. Browser History Analysis

Step 1: Upload history.db

curl -X POST http://localhost:8080/upload \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -F "file=@history_export.zip"

Step 2: Query in LibreChat

List all visited banking sites between 2025-09-14T08:00Z and 2025-09-14T18:00Z

3. IOC Batch Investigation

Investigate these domains: suspicious1.com, suspicious2.com, suspicious3.com

🛠️ Development

Project Structure

DomainSight-AI/
├── server/              # MCP Server (Python/FastMCP)
│   ├── app/
│   │   ├── tools/      # Threat intelligence integrations
│   │   ├── history/    # History.db processing
│   │   ├── run.py      # Application entry point
│   │   └── upload.py   # File upload handler
│   ├── Dockerfile
│   └── requirements.txt
│
├── a2a-gateway/        # A2A Gateway (Node.js/TypeScript)
│   ├── src/
│   │   ├── index.ts    # Main server
│   │   ├── router.ts   # Task routing logic
│   │   └── registry.ts # Agent registry
│   ├── Dockerfile
│   └── package.json
│
├── librechat/          # LibreChat configuration
│   └── librechat.yaml
│
├── docker-compose.yml
└── .env.template

Running Tests

# MCP Server tests
cd server
python -m pytest tests/

# A2A Gateway tests
cd a2a-gateway
npm test

Local Development

MCP Server:

cd server
python -m venv venv
source venv/bin/activate  # or venv\Scripts\activate on Windows
pip install -r requirements.txt
python -m app.run

A2A Gateway:

cd a2a-gateway
npm install
npm run dev

🔒 Security Considerations

Authentication: All endpoints require Bearer token authentication
Upload Limits: File uploads capped at 200MB by default
Read-Only Database Access: History databases opened in read-only mode
Token Rotation: Regular rotation of A2A_AUTH_TOKEN recommended
API Key Security: Store API keys securely, never commit to git

🗺️ Roadmap

✅ Sprint 1 - MVP (Current)

MCP server with Urlscan and OTX integration
History.db upload and query
A2A Gateway with basic routing
LibreChat integration

🚧 Sprint 2 - Enrichment (Next)

OpenCTI GraphQL integration
Multi-browser schema support (Firefox, Safari)
Enhanced error handling and retries
CSV/JSON export functionality

📋 Sprint 3 - Advanced Orchestration

Full MCP protocol support
Resource endpoints (history://summary, scans://last)
Prompt templates and investigation playbooks
Timeline aggregation

🔐 Sprint 4 - Production Hardening

RBAC (Role-Based Access Control)
JWT tokens with expiration
Metrics and observability (Prometheus/Grafana)
Comprehensive documentation
Docker image publishing

📊 API Reference

A2A Gateway Endpoints

POST /tasks - Submit investigation task

{
  "agent": "domainsight-investigator",
  "goal": "Investigate domain example.com",
  "inputs": {
    "domain": "example.com"
  },
  "context": {}
}

GET /agents - List available agents

GET /healthz - Health check

MCP Server Endpoints

POST /upload - Upload artifact

Requires: Authorization: Bearer <token>
Form data: file (multipart)

GET /healthz - Health check

MCP Tools

urlscan_submit(url, public, tags) - Submit URL for scanning
urlscan_search(query, size, from_) - Search previous scans
otx_lookup(ioc) - Query AlienVault OTX
vt_lookup(ioc) - Query VirusTotal (optional)
opencti_lookup(ioc) - Query OpenCTI (Sprint 2)
history_ingest(file_id) - Ingest history database
history_query(start, end, domain_like, limit) - Query history

🤝 Contributing

Contributions are welcome! Please:

Fork the repository
Create a feature branch (git checkout -b feature/amazing-feature)
Commit your changes (git commit -m 'Add amazing feature')
Push to the branch (git push origin feature/amazing-feature)
Open a Pull Request

📝 License

This project is licensed under the MIT License - see the file for details.

🙏 Acknowledgments

MCP (Model Context Protocol) by Anthropic
LibreChat by Danny Avila
Threat intelligence communities: Urlscan.io, AlienVault OTX, OpenCTI

📧 Support

📖 Documentation:
🐛 Issues: GitHub Issues
💬 Discussions: GitHub Discussions

Built with ❤️ for the cybersecurity community