Hey JR- one way to do that is to do a statistical count of destination ports and destination IPs that have been denied, then chart a sum by the destination ports and destination IPs as they apply.
sourcetype="firewall" action=deny | stats count by dst dst_port | chart sum(count) by dst dst_port. the fields will depend on your extracted fields, but give that a shot, it should do the trick.
Any idea on how to use the output of that report but limit the number of IP's to say 5-10 and list them along the bottom?