Event correlation aggregates and links related events from multiple sources — a failed login (AD log) + successful login from new IP (VPN log) + file download (DLP log) = likely compromised account.
Single events are often ambiguous. Correlation across sources provides context. Example: 3 failed logins + 1 success + geographically impossible source = brute force attack with credential use. Correlation rules drive SIEM alert quality.