We have seen something similar previously. We raised a case with Meraki, who advised that if the first packet is allowed, the dashboard will report the threat as "allowed", even though all other packets are blocked and therefore the threat is actually blocked. Here are the case notes: "After discussing this with the specialist and to add a bit more detail to the explanation I provided: Snort will analyse a copy of the original traffic. Once it has made a decision about whether the traffic is malicious or not, it will look for the 'original' traffic in the flow table, but if it's not there, nothing else can happen. The 'original' traffic will be processed normally and is subject to all the other elements. It's likely that the packet was discarded before getting to the flow table."
Did you receive a response from Meraki? This issue is a real concern for us; we see this scenario regularly, and ultimately, if Meraki are correct in what they are saying, the Dashboard is misrepresenting the truth. Surely that's not correct and a design flaw?