A related function in Cisco FTD is described here: Firepower Management Center Configuration Guide, Version 6.2 From link: "When the system identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, the type of exploit, and contextual information about the source of the attack and its target. For packet-based events, a copy of the packet or packets that triggered the event is also recorded." This what we need in Meraki MX too - the last part about a copy of matching packets.
... View more