I recently enabled the Threat Intelligence feed on our LEM:
I've been monitoring the "Threat Events" filter on the LEM (v6.3) and am trying to figure out the what/why/how of what I'm seeing. It's supposedly logging IP traffic detected by our Meraki access points from random external source IPs to other random external destination IPs, none of which are related to our network. These source and destination IPs are different each time. If anyone could take a look at these screenshots below and has any idea what might be going on, please let me know! Thanks