Incidents are appearing with hundreds of protocol matches in the incident snapshot.

The cause appears to be multiple policies with identical Protocol or Endpoint Monitoring rules on them.

Find all policies with identical "Protocol or Endpoint Monitoring" rules and modify them to no longer be identical.  You don't need to change the functionality of the rule, just how it is done.  For example, you can still monitor Email, HTTP, and HTTPS but on one policy you could have all three within the same rule while the next policy has the same combination of protocols spread between two rules, etc.  Doing this has shown to eliminate the repeated protocol highlighting issue within incident snapshots.

A fix will be provided with DLP 15.5 MP1.