There's no getting around the on-box 500 limit today. If you want more than 500, you should contact your Palo Alto Networks SE and ask for a feature request. For more than 500, you'll need to go off-box. More on that later.

You can aggregate the source-IPs in custom reporting. I don't have much in the way of brute-forcing, so my custom report query is looking for threat type scan... but you can use (threatid eq xxxxx) if there's a particular IPS signature you're interested in, or some other variable that works for you. Make a new custom report, use the Threat Summary database, make sure Selected Columns have only Source address and Count. Pick a short timeframe first (15 minutes, 1 hour, etc.) just to make sure it looks like what you're expecting. (I expanded mine to 30 days because a single day's scan traffic is underwhelming). Modify the query to your environment. As you can see, the firewall de-duplicates and then provides a count for each source address.

If the 500 limit is interfering with your ability to address this requirement, I suggest looking into the free MineMeld (https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld) tool. It should be able to ingest threat syslogs from your firewall, look for certain events, populate the offender into a dynamic address object group (which is already referenced in your security policy with a "deny" action), and then remove the offender after a configurable time limit. It'll require some legwork, but probably not anywhere near as much as trying to automate the report, ingest the report, build the object group, etc. from scratch.
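The two pieces of the reply above, the report that de-duplicates and counts threat events per source address, and the off-box workflow that adds a repeat offender to a time-limited deny group, can be sketched in a short script. The following is an added example, not code from the original post, from Palo Alto Networks or from MineMeld. Its log lines are constructed in a simplified `key=value` form; the real PAN-OS threat log field layout is different and would need its own parser, and the threshold, TTL and field names are assumptions chosen for illustration.

```python
"""
Off-box aggregation of threat events by source IP, plus a time-limited block list.

Added example (not Palo Alto Networks or MineMeld code). Log lines are constructed
in a simplified key=value form; the real PAN-OS threat log layout differs.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample threat events (simplified; not the real PAN-OS syslog format).
SAMPLE_LOGS = [
    "2024-03-01T10:00:05 type=THREAT subtype=scan src=203.0.113.5 dst=198.51.100.10 threatid=8002",
    "2024-03-01T10:00:09 type=THREAT subtype=scan src=203.0.113.5 dst=198.51.100.11 threatid=8002",
    "2024-03-01T10:01:12 type=THREAT subtype=scan src=203.0.113.5 dst=198.51.100.12 threatid=8002",
    "2024-03-01T10:02:30 type=THREAT subtype=scan src=198.51.100.77 dst=198.51.100.10 threatid=8002",
    "2024-03-01T10:03:00 type=THREAT subtype=vulnerability src=192.0.2.9 dst=198.51.100.10 threatid=30000",
    "2024-03-01T10:03:40 type=THREAT subtype=vulnerability src=192.0.2.9 dst=198.51.100.10 threatid=30000",
    "2024-03-01T10:04:00 type=THREAT subtype=vulnerability src=192.0.2.9 dst=198.51.100.10 threatid=30000",
    "2024-03-01T10:05:00 type=TRAFFIC subtype=end src=10.0.0.4 dst=198.51.100.10",
]


def parse_line(line):
    """Split one constructed log line into a dict: first token is the timestamp,
    the remaining tokens are key=value pairs."""
    parts = line.split()
    event = {"time": datetime.fromisoformat(parts[0])}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def select_events(lines, subtype=None, threatid=None):
    """Keep only THREAT events, optionally narrowed to a subtype (e.g. 'scan') or a
    single threat ID, mirroring the custom-report query filter."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("type") != "THREAT":
            continue
        if subtype is not None and ev.get("subtype") != subtype:
            continue
        if threatid is not None and ev.get("threatid") != str(threatid):
            continue
        events.append(ev)
    return events


def count_by_source(lines, subtype=None, threatid=None):
    """De-duplicate by source address and count, like a report whose only
    selected columns are Source address and Count."""
    return Counter(ev["src"] for ev in select_events(lines, subtype, threatid))


def build_block_list(lines, threshold, ttl, now, subtype=None, threatid=None):
    """Return the sorted list of sources that belong in the dynamic 'deny' group at
    time `now`: a source is included once it has produced at least `threshold`
    matching events, and drops out once `ttl` has elapsed since its last event."""
    counts = Counter()
    last_seen = {}
    for ev in select_events(lines, subtype, threatid):
        src = ev["src"]
        counts[src] += 1
        last_seen[src] = max(last_seen.get(src, ev["time"]), ev["time"])
    return sorted(
        src for src, n in counts.items()
        if n >= threshold and now - last_seen[src] < ttl
    )


if __name__ == "__main__":
    print(count_by_source(SAMPLE_LOGS, subtype="scan"))
    now = datetime.fromisoformat("2024-03-01T10:10:00")
    print(build_block_list(SAMPLE_LOGS, threshold=3, ttl=timedelta(minutes=30), now=now))
```

Re-running `build_block_list` on a schedule with the current time is what gives the "remove the offender after a configurable time limit" behaviour: an address that stops generating matching events ages out on its own instead of accumulating in the group, which is the part a static report cannot do.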