Data correlation using file object cache

The invention claimed is: 1. A data management system, comprising: at least one storage device; and one or more processors in communication with the at least one storage device, the one or more processors configured to perform operations including: identifying, based at least in part on a first request to access user files in a monitored computer system, a pair value comprising a user identifier and a remote internet protocol address associated with the first request, the first request corresponding to a create event associated with the user files; mapping the pair value to a unique file object identifier; storing the unique file object identifier mapped to the pair value in a file object cache in the at least one storage device; and retrieving the unique file object identifier from the file object cache based at least in part on a second request to access the user files that is subsequent to the first request, the second request corresponding to one of a read event, a write event, or a cleanup event associated with the user files. 2. The data management system of claim 1 , wherein the unique file object identifier is used as an authorization or verification key for an event associated with the second request. 3. The data management system of claim 1 , wherein the one or more processors is further configured to remove the unique file object identifier from the file object cache at the cleanup event associated with the second request. 4. The data management system of claim 3 , wherein the cleanup event includes a closing or deletion of a file object associated with the unique file object identifier. 5. The data management system of claim 4 , wherein the one or more processors is further configured to apply a time stamp to the file object. 6. The data management system of claim 5 , wherein the one or more processors is further configured to remove the unique file object identifier and the pair value from the file object cache based at least in part on the time stamp meeting or exceeding a threshold value. 7. A computer-implemented method at a data management system, the method comprising: identifying, based at least in part on a first request to access user files in a monitored computer system, a pair value comprising a user identifier and a remote internet protocol address associated with the first request, the first request corresponding to a create event associated with the user files; mapping the pair value to a unique file object identifier; storing the unique file object identifier mapped to the pair value in a file object cache; and retrieving the unique file object identifier from the file object cache based at least in part on a second request to access the user files that is subsequent to the first request, the second request corresponding to one of a read event, a write event, or a cleanup event associated with the user files. 8. The method of claim 7 , wherein the unique file object identifier is used as an authorization or verification key for an event associated with the second request. 9. The method of claim 7 , further comprising: removing the unique file object identifier from the file object cache at the cleanup event associated with the second request. 10. The method of claim 9 , wherein the cleanup event includes a closing or deletion of a file object associated with the unique file object identifier. 11. The method of claim 10 , further comprising: applying a time stamp to the file object. 12. The method of claim 11 , further comprising: removing the unique file object identifier and the pair value from the file object cache based at least in part on the time stamp meeting or exceeding a threshold value. 13. A non-transitory, machine-readable medium storing instructions which, when read by a machine, cause the machine to perform operations comprising, at least: identifying, based at least in part on a first request to access user files in a monitored computer system, a pair value comprising a user identifier and a remote internet protocol address associated with the first request, the first request corresponding to a create event associated with the user files; mapping the pair value to a unique file object identifier; storing the unique file object identifier mapped to the pair value in a file object cache; and retrieving the unique file object identifier from the file object cache based at least in part on a second request to access the user files that is subsequent to the first request, the second request corresponding to one of a read event, a write event, or a cleanup event associated with the user files. 14. The medium of claim 13 , wherein the unique file object identifier is used as an authorization or verification key for an event associated with the second request. 15. The medium of claim 13 , wherein the instructions further cause the machine to: remove the unique file object identifier from the file object cache at the cleanup event associated with the second request. 16. The medium of claim 15 , wherein the cleanup event includes a closing or deletion of a file object associated with the unique file object identifier. 17. The medium of claim 16 , wherein the instructions further cause the machine to: apply a time stamp to the file object. 18. The medium of claim 17 , wherein the instructions further cause the machine to: remove the unique file object identifier and the pair value from the file object cache based at least in part on the time stamp meeting or exceeding a threshold value.