
Abstract

Event log correlation (ELC) is central to multi-step attack detection (MSAD), where attacks unfold across heterogeneous systems and long time horizons. This review synthesises ELC families—mining/sequence, graph learning, provenance/causal correlation, and hybrid LLM-assisted approaches—through an MSAD-first lens that ties methods to attack stages and datasets. We report operational metrics (false-alarm reduction, detection time, throughput/storage) and classifier metrics (Accuracy/F1) as the authors present them, enabling fair comparison across 2025 works. Compared with prior surveys, we contribute a challenge mitigation map (false positives, latency/throughput, heterogeneity), a 2025-only section covering NDSS/USENIX/Neurocomputing studies and a recent Graph Convolutional Network (GCN) article (multi-dataset, multi-family detection pipeline), and a roadmap spanning mining, graph, provenance/causal, and LLM-assisted correlation for scalable, real-time deployments. We also provide an attack-coverage matrix and a machine-readable extraction (8 papers × 15+ fields) to support reproducible synthesis and practitioner adoption.
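To make the sequence-style correlation the abstract refers to concrete, the following is an added example written for this page; it is not code from the reviewed paper or from any of the surveyed systems. It normalises two differently formatted log sources (syslog-style auth/sudo lines and CSV proxy lines) into one event schema, maps events to attack stages, and raises a single alert per host only when the stages appear in kill-chain order inside a time window. The log lines, hostnames, addresses, stage names and thresholds (3 failed logins, 50 MB outbound, 30-minute window) are all constructed assumptions for the example; the output also reports detection time and the number of raw events folded into each alert, which are the operational quantities the abstract says the review compares.

```python
"""Toy multi-stage event log correlator (added example, not the paper's code).

Heterogeneous raw lines -> common event schema -> per-host stage chaining.
Every hostname, address, timestamp and threshold here is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain order the correlator expects; the stage names are this example's own.
STAGE_ORDER = ["credential_bruteforce", "initial_access",
               "privilege_escalation", "exfiltration"]

# Assumed thresholds for the example.
MIN_FAILURES = 3                 # failed logins that count as brute force
EXFIL_BYTES = 50_000_000         # outbound bytes treated as a bulk transfer
WINDOW = timedelta(minutes=30)   # a chain must complete inside this span

SYSLOG_RE = re.compile(r"^(\S+) (\S+) (sshd|sudo): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+)")
SUDO_ROOT_RE = re.compile(r"^(\S+) : COMMAND=\S+ ; USER=root$")

# Constructed sample input: syslog-style auth/sudo lines plus CSV proxy lines.
SAMPLE_LOGS = [
    "2025-11-30T10:00:01 web01 sshd: Failed password for admin from 203.0.113.9",
    "2025-11-30T10:00:03 web01 sshd: Failed password for admin from 203.0.113.9",
    "2025-11-30T10:00:05 web01 sshd: Failed password for admin from 203.0.113.9",
    "2025-11-30T10:00:09 web01 sshd: Accepted password for admin from 203.0.113.9",
    "2025-11-30T10:02:30 db02 sshd: Failed password for root from 198.51.100.4",
    "2025-11-30T10:04:12 web01 sudo: admin : COMMAND=/bin/bash ; USER=root",
    "2025-11-30T10:05:40 web01 sudo: admin : COMMAND=/usr/bin/tar ; USER=root",
    "2025-11-30T10:11:02,web01,198.51.100.77,443,CONNECT,bytes_out=83400000",
    "2025-11-30T10:12:00,db02,192.0.2.10,443,CONNECT,bytes_out=1200",
]


def normalise(line):
    """Map one raw line from either source onto the common event schema, or None."""
    m = SYSLOG_RE.match(line)
    if m:
        ts, host, prog, msg = m.groups()
        base = {"ts": datetime.fromisoformat(ts), "host": host, "raw": line}
        if prog == "sshd" and (f := FAILED_RE.search(msg)):
            return {**base, "stage": "auth_failure", "actor": f.group(2)}
        if prog == "sshd" and (a := ACCEPTED_RE.search(msg)):
            return {**base, "stage": "initial_access", "actor": a.group(2)}
        if prog == "sudo" and (s := SUDO_ROOT_RE.match(msg)):
            return {**base, "stage": "privilege_escalation", "actor": s.group(1)}
        return None
    parts = line.split(",")
    if len(parts) == 6 and parts[5].startswith("bytes_out="):
        ts, host, dst, _port, _action, bytes_out = parts
        if int(bytes_out.split("=", 1)[1]) >= EXFIL_BYTES:
            return {"ts": datetime.fromisoformat(ts), "host": host, "raw": line,
                    "stage": "exfiltration", "actor": dst}
    return None


def correlate(events, window=WINDOW, min_failures=MIN_FAILURES):
    """Per host, walk events in time order and raise one alert per completed chain."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        failures, matched, stage_idx = [], [], 0
        for ev in evs:
            # A partial chain older than the window is discarded, not alerted on.
            if matched and ev["ts"] - matched[0]["ts"] > window:
                failures, matched, stage_idx = [], [], 0
            if stage_idx == 0:
                # Stage 0 needs min_failures failed logins inside the window.
                if ev["stage"] == "auth_failure":
                    failures = [f for f in failures
                                if ev["ts"] - f["ts"] <= window] + [ev]
                    if len(failures) >= min_failures:
                        matched, stage_idx = list(failures), 1
                continue
            if ev["stage"] == STAGE_ORDER[stage_idx]:
                matched.append(ev)
                stage_idx += 1
                if stage_idx == len(STAGE_ORDER):
                    alerts.append({
                        "host": host,
                        "first_seen": matched[0]["ts"],
                        "detected_at": ev["ts"],
                        "time_to_detect_s": int((ev["ts"] - matched[0]["ts"]).total_seconds()),
                        "stages": list(STAGE_ORDER),
                        "evidence": [e["raw"] for e in matched],
                    })
                    failures, matched, stage_idx = [], [], 0
    return alerts


def run(lines):
    """Normalise, correlate and summarise raw volume against correlated alerts."""
    events = [e for e in (normalise(l) for l in lines) if e is not None]
    alerts = correlate(events)
    return {"raw_lines": len(lines), "parsed_events": len(events),
            "single_event_hits": len(events),  # naive one-alert-per-event baseline
            "correlated_alerts": len(alerts), "alerts": alerts}


if __name__ == "__main__":
    summary = run(SAMPLE_LOGS)
    print({k: v for k, v in summary.items() if k != "alerts"})
    for alert in summary["alerts"]:
        print(alert["host"], alert["time_to_detect_s"], "s", alert["evidence"])
```

On the sample input, eight events that a per-event rule set would each flag collapse into one alert on web01, with the lone failed login on db02 and its small transfer never reaching alert status; the chain is detected 661 seconds after its first event, which is the "detection time" figure a deployment would track. Replacing the fixed stage order and thresholds with mined sequences or a learned graph model is exactly where the method families in the abstract diverge.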
Original language: English
Article number: e70151
Number of pages: 19
Journal: SECURITY AND PRIVACY
Volume: 9
Issue number: 1
Early online date: 30 Nov 2025
Publication status: Published - 1 Jan 2026

Title: Event Log Correlation for Multi-Step Attack Detection