Given that onion sites require six hops and that the Tor team keeps watch for suspicious node behavior, and that there is no “exit node” where you can more closely observe outgoing traffic, onion connections are actually very tough to correlate. It requires a large number of compromised nodes plus cooperation with ISPs and backbone providers, as seen in the arrest of the onion site operator a few years ago. There were some good writeups at the time. You basically need to use DDoS techniques combined with targeted disconnections to narrow down the list of potential targets, even while owning many nodes. And onions have seen some DDoS hardening since this time.

Clearnet traffic via exit node is a bit different. With only three hops it might be possible to correlate targeted traffic by owning a huge number of nodes, but even then, unless you also control the server being connected (or it barely receives any traffic) then it may not give you anything actionable. (Using Tor is not a crime.) Unless you can see what is being done on the server by the unmasked user, or you can establish a pattern of behavior, or you see something like a large data transfer whose size matches a known event of interest, then all you know is someone accessed the server over Tor. And even then, owning both the entry and exit isn’t sufficient if the user is masking their traffic with decoy and/or relay traffic.