Controlling logging and evaluation

SAT provides the following optional control functions which enable the volume of data that is dealt with on each specific system to be reduced and which allow appropriate targeting of the execution of evaluations:

  1. SAT support setting

    This setting, which is made with /MODIFY-SAT-SUPPORT-PARAMETERS, makes it possible to include events triggered by certain products in logging (and alerting) or to exclude them from it. Currently, this product-specific specification is only available for events triggered by the POSIX product.

    • If SAT support is deactivated for a product then none of the events triggered by this product are logged (and also no SAT alarms are triggered for them). Consequently, steps 2 to 5 below have no effect on the logging of these events.

    • If SAT support is activated for a product then steps 2 to 5 below apply without restriction to events triggered by it.

  2. Preselection – this entails the selection in advance of security-relevant events in SATCP in order to keep the set of events that need to be logged to a minimum.

  3. A filter mechanism for refined preselection

  4. A system exit, by means of which special cases can be processed selectively.

  5. Postselection – this entails postprocessing of the saved data with the evaluation routine SATUT for the purpose of selective evaluation and archiving of security-relevant events.
    The results of the evaluation can be output either in replacement files or in analysis files. Replacement files essentially serve the purpose of archiving security-relevant information from the input files, and are therefore capable of replacing the input files. In contrast, analysis files are mainly intended for the decentralized analysis of security-relevant audit records. Both types of file can be used as input files in a subsequent evaluation run.
    In addition, edited records can be placed into temporary storage in work files (0 - 9) so that they can be subjected to further processing in the same editing run.

The figure below illustrates the interaction of the control functions 2 to 5 in reducing the possible data volume.
In this case an “event” symbolizes an auditable event that is logged and evaluated by SAT in accordance with the specified selection criteria and rules.

Figure 3: SAT control functions