Advanced　Persistent　Threats　(APTs)　employ　sophisticated　and　covert　tactics　to　infiltrate　target　systems,　leading　to　increased　vulnerability　and　an　elevated　risk　of　exposure.　Consequently,　it　is　essential　for　us　to　proactively　create　an　extensive　and　clearly　outlined　attack　chain　for　APTs　in　order　to　effectively　combat　these　threats.　Unlike　traditional　malware　or　application　threats,　APTs　can　sidestep　cyber　security　efforts　and　cause　severe　damage　to　organizations　or　even　state　security.　Nonetheless,　earlier　methods　struggle　to　accurately　track　APTs　and　may　face　a　dependency　explosion　issue,　as　identifying　the　intricate　and　complex　unknown　malicious　activities　within　APTs　proves　to　be　challenging.　In　this　paper,　we　propose　and　build　an　approach,　T-trace,　which　constructs　the　events　provenance　graphs　by　analyzing　the　correlations　among　logs.　The　approach　precisely　finds　the　log　communities　with　tensor　decomposition　and　calculates　significance　scores　to　extract　the　events.　The　APTs　can　be　inferred　by　discovering　the　event　communities　and　constructing　the　provenance　graph　with　log　correlation.　In　the　experiment,　we　used　DARPA　data　sets　and　launched　four　current　practical　APTs.　Compared　with　current　approaches,　the　results　show　that　T-trace　can　efficiently　reduce　time　cost　by　90%　and　achieve　a　92%　accuracy　rate　in　constructing　the　provenance　graph,　which　can　be　practically　applied　in　APTs　provenance.　©　2004-2012　IEEE.