However, no information is provided about the originating URL or application.
This article indicates how to obtain such information
CA Privileged Access Manager, all versions above 3.2.X
The information about the IP from which the suspected attacks are coming is logged in log xcd_sfpd.log inside the /var/logs folder of the appliance which has detected the attack. Lines like the following will be logged
2020-05-10 17:55:01 93741 INFO run: New connection handler. (5, 22.214.171.124:3121, 120)
2020-05-10 17:55:01 93741 INFO getTLSLowVersion: TLS low-version: support
2020-05-10 17:55:01 93741 INFO initializeSSL: SSL_CTX_load_verify_locations and SSL_CTX_set_default_verify_paths
2020-05-10 17:55:02 93741 INFO HandshakeSSL: SSL connection using AES256-SHA (TLSv1.2)
2020-05-10 17:55:02 93741 INFO run: Policy: sessionID=,sequenceNumber=,userID=,userName=,taskName=,serviceName=,serviceType=,serviceMainframeProtocol=...
2020-05-10 17:55:02 93741 INFO isXSSattempt: Preventing Cross Site Scripting Attempt From: 126.96.36.199
Thus the IP for the machine which is suspected of initiating the attack will be logged, as will be the different requests which are done from inside PAM before and afterwards, tracked by transaction number.
The xcd_spfd is part of the diagnostics files created when hitting the System Configuration button in the Diagnostics --> Download page and it is therefore not directly accessible by every user.
In help is required determining the source of the XSS attack, please download the session logs covering the time of the incident as well as the Diagnostics logs (logs.bin) which can be obtained obtain by hitting the said button, and open a case with Broadcom Support