You are running Network Discover scans on Exchange mailboxes and are using Kerberos as the authentication mechanism, as described in the documentation:
Setting up Exchange scans to use Kerberos authentication
The Kerberos KDC is configured to issue Kerberos authentication tokens which will be valid for a limited amount of time.
What you may see is that if the Discover scans of mailboxes are running for a time that is longer than the Kerberos token expiration period, around the time of the token expiration they will fail due to authorization expiry. As a result, the scan is unable to complete.
In the Discover scan logs, you will see a pattern similar to the below:
"<timestamp>","INFO","<Scan name and date>","STARTED_SEGMENT","<scan path>","0","","","",""
...
"<timestamp>","WARNING","<Scan name and date>,"FAILED_ITEM","<scan item path>","0","Failed to scan item, Unauthorized","","",""
The Network Discover does not currently have a built-in reauthentication mechanism where it would request a new Kerberos token upon the expiration of the original one. As a result, the detection server is no longer authenticated to Exchange and fails on the next item due to not being authorized to access it. It will only request one Kerberos token, at the start of the scan.
At the moment this is not part of the DLP functionality. There is an Enhancement Request created to add this in a future version of DLP - ISFR-3535.
Temporary workaround is to increase the Kerberos token expiration period to a time long enough to allow the Discover scan of Exchange mailboxes to complete, or to reduce the scope of the scan by using the target definitions and scan filters (include/exclude, dates of items). See below documentation link for more details:
Configuring Exchange Server scans
Another option is to configure the Network Discover server to authenticate directly with Exchange, not using Kerberos.