You have upgraded the DLP infrastructure to 16.0 RU1 or newer, while the Agents stay on an older build from the 16.0 branch, for example 16.0 MP2.
With this done, you see the amount of DLP Endpoint Prevent incidents drops visibly, especially for protocols such as: browser HTTPS, Outlook, Copy to Network Share, Copy to Removable Storage.
DLP servers upgraded to 16.0 RU1 or newer, DLP Agents on an older 16.0 version.
In the DLP Agent log with FINEST logging enabled, you may see the following error message for several detection requests:
[
Request Id #YY FAILURE invalid string position allow
Scan Time : XXX ms]
Check if there's an active policy that uses a Data Identifier condition "IPv6 Address". It was confirmed that in a mixed-version setup, with servers on 16.0 RU1 and newer builds, older Agents will see these errors caused by the updated definition of this DI. The definition itself was updated in 16.0 RU1.
In that situation, you have the following solutions available:
1) Temporarily disable the policy which includes a condition for that DI.
2) Or, remove only the condition from the policy but leave the rest of the policy active.
3) The most recommended long-term solution is to upgrade all DLP Agents to be running on the same version as the DLP servers.