Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: threat intelligence events


Perhaps the Meraki is parsing packets destined for its own MAC address at layer 2, but at layer 3 the IPs are intentionally wrong/changed? Not sure how else the packet would make it to the Meraki interface.

 

The link below has a little info about Threat Intelligence Feed, and it also has 2 links at the bottom to more details on TIF. It's a daily updated list of known bad public IPs, and the video shows how to use the built-in monitor filter to see more info on recent incidents, such as the public IP that was blocked. Since this info is updated daily and volatile, it may not be feasible to track down why each IP was blocked, but it may be a good idea to cross-reference the internal IPs on your network that were affected and make sure you don't have any open tickets internally that might indicate a need to quickly remove that node from your network!

 

LEM 6.2 threat intelligence feed data - SolarWinds Worldwide, LLC. Help and Support

 

Here's another link on how to enable it and when it updates...

 

Using the Threat Intelligence Feed in LEM - SolarWinds Worldwide, LLC. Help and Support

