CA Privileged Access Manager, all versions above 3.2.X
The IP address from which the suspected attack originates is logged in xcd_spfd.log, inside the /var/logs folder of the appliance that detected the attack. Lines like the following will be logged:
2020-05-10 17:55:01 93741 INFO run: New connection handler. (5, <IP Address>:3121, 120)
2020-05-10 17:55:01 93741 INFO getTLSLowVersion: TLS low-version: support
2020-05-10 17:55:01 93741 INFO initializeSSL: SSL_CTX_load_verify_locations and SSL_CTX_set_default_verify_paths
2020-05-10 17:55:02 93741 INFO HandshakeSSL: SSL connection using AES256-SHA (TLSv1.2)
2020-05-10 17:55:02 93741 INFO run: Policy: sessionID=,sequenceNumber=,userID=,userName=,taskName=,serviceName=,serviceType=,serviceMainframeProtocol=...
2020-05-10 17:55:02 93741 INFO isXSSattempt: Preventing Cross Site Scripting Attempt From: <IP Address>
2020-05-10 17:55:02 93741 INFO executeInternal: request [wget -O - --no-check-certificate 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuthenticationService&serviceMethod=authenticateUser&GK_IN_PROXY_MODE=1&authMethod=LOCAL_PROCESS&userName=xcd_local&userPassword=5c671b278a14b2a61f2e3ba6458e72714641b2cb']
2020-05-10 17:55:02 93741 INFO execute: request [wget -O - --no-check-certificate --header="Cookie: PHPSESSID=30f8bcec591fa59a89d2203c843d6cd9" --header='User-Agent: Java' 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuditService&serviceMethod=createLogByKey&deviceId=0&deviceName=&domName=&messageCode=PAM-SPFD-0018&port=0&serviceName=&sourceIP=&taskName=Http handler&transType=connection&userName=security']
2020-05-10 17:55:02 93741 INFO executeInternal: request [wget -O - --no-check-certificate --header="Cookie: PHPSESSID=30f8bcec591fa59a89d2203c843d6cd9" --header='User-Agent: Java' 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuthenticationService&serviceMethod=logout']
The IP of the machine suspected of initiating the attack is thus logged, together with the requests made from inside PAM before and afterwards, which can be tracked by transaction number.
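For triage of an extracted copy of xcd_spfd.log, the following Python sketch pulls out each isXSSattempt line and groups every line that shares its transaction number. It is an added example, not Broadcom code. It assumes the number after the timestamp is the transaction number and is unique per connection. The sample lines are constructed, and the function name xss_events is hypothetical.

```python
import re
from collections import defaultdict

# Layout taken from the excerpt: date, time, transaction number, level, "function: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<txn>\d+) (?P<level>[A-Z]+) "
    r"(?P<func>\w+): (?P<msg>.*)$"
)
XSS_RE = re.compile(r"^Preventing Cross Site Scripting Attempt From: (?P<src>\S+)")
# Mask credentials and session cookies that appear in the logged wget requests
SECRET_RE = re.compile(r"(userPassword=|PHPSESSID=)[^&'\"\s\]]+")

# Constructed sample input (documentation-range IPs, placeholder password value)
SAMPLE = """\
2020-05-10 17:55:01 93741 INFO run: New connection handler. (5, 203.0.113.7:3121, 120)
2020-05-10 17:55:01 93742 INFO run: New connection handler. (6, 198.51.100.9:4410, 120)
2020-05-10 17:55:02 93741 INFO isXSSattempt: Preventing Cross Site Scripting Attempt From: 203.0.113.7
2020-05-10 17:55:02 93741 INFO executeInternal: request [wget -O - 'http://localhost:8000/serviceController.php?service=AuthenticationService&userName=xcd_local&userPassword=CONSTRUCTED']
2020-05-10 17:55:02 93742 INFO HandshakeSSL: SSL connection using AES256-SHA (TLSv1.2)
""".splitlines()

def xss_events(lines):
    """Return one record per isXSSattempt line, with all lines of the same transaction."""
    by_txn = defaultdict(list)
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not follow the expected layout
        msg = SECRET_RE.sub(r"\1<redacted>", m["msg"])
        by_txn[m["txn"]].append((m["ts"], m["func"], msg))
        x = XSS_RE.match(m["msg"]) if m["func"] == "isXSSattempt" else None
        if x:
            hits.append({"time": m["ts"], "txn": m["txn"], "source": x["src"]})
    for h in hits:
        h["context"] = by_txn[h["txn"]]  # requests logged before and after the attempt
    return hits

if __name__ == "__main__":
    for hit in xss_events(SAMPLE):
        print(f"{hit['time']} txn={hit['txn']} source={hit['source']}")
        for ts, func, msg in hit["context"]:
            print(f"    {ts} {func}: {msg}")
```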
The xcd_spfd log is part of the diagnostics files created when hitting the System Configuration button on the Diagnostics --> Download page, and it is therefore not directly accessible by every user.
If help is required to determine the source of the XSS attack, please download the session logs covering the time of the incident as well as the Diagnostics logs (logs.bin), which can be obtained by hitting the said button, and open a case with Broadcom Support.