Microsoft 365 compliance center: Microsoft 365 data loss prevention on-premises scanner (US Government clouds)
Microsoft 365 DLP on-premises scanner relies on a full implementation of the Azure Information Protection (AIP) scanner to monitor, label, and protect sensitive items. It crawls on-premises data-at-rest in file shares and SharePoint document libraries and folders for sensitive items that, if leaked, would pose a risk to your organization, or pose a risk of compliance policy violation. This gives you the visibility and control you need to ensure that sensitive items are used and protected properly, and to help prevent risky behavior that might compromise them. The information about what the users are doing with sensitive items is made visible in Activity explorer and you can enforce protective actions on those items via DLP policies.
More info: https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-on-premises-scanner-learn?view=o365-worldwide