Associating a user identifier detected from web traffic with a client address
US-2018191748-A1 · Jul 5, 2018 · US
US2018351978A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2018351978-A1 |
| Application number | US-201715613995-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 5, 2017 |
| Priority date | Jun 5, 2017 |
| Publication date | Dec 6, 2018 |
| Grant date | — |
Official abstract text for this publication.
According to examples, an apparatus may include a processor and a memory having instructions that are to cause the processor to access an event log that lists an event item corresponding to an event that occurred at a network appliance, determine that the event item matches an item listed in a user log that lists records of user information and a plurality of items, in which the records correspond to user events in a network, identify the user information corresponding to the matching item, determine a confidence level that the identified user information corresponds to the event item, determine whether the confidence level exceeds a certain threshold value, in response to a determination that the confidence level exceeds the certain threshold, correlate the user information to the event item, and insert an entry into a database that the user information corresponds to the event item.
Opening claim text (preview).
What is claimed is:

1. An apparatus for correlating user information to a tracked event, said apparatus comprising: a processor; and a memory on which is stored machine readable instructions that are to cause the processor to: access an event log that lists an event item corresponding to an event that occurred at a network appliance; determine that the event item matches an item listed in a user log that lists records of user information and a plurality of items, wherein the records correspond to user events in a network; identify the user information corresponding to the matching item; determine a confidence level that the identified user information corresponds to the event item; determine whether the confidence level exceeds a certain threshold value; in response to a determination that the confidence level exceeds the certain threshold, correlate the user information to the event item; and insert an entry into a database that the user information corresponds to the event item.

2. The apparatus according to claim 1, wherein the instructions are further to cause the processor to: perform an operation on data packets communicated to the network appliance by a user corresponding to the user information.

3. The apparatus according to claim 1, wherein the user log is an Identity Management system that records user logins to a domain in the network.

4. The apparatus according to claim 1, wherein the instructions are further to cause the processor to: organize the records of user information and items into a plurality of time bins, wherein each of the plurality of time bins includes records of user information and items corresponding to user events in the network that occurred during a predefined time frame; and for each of the plurality of time bins, identify which of the user information corresponds to which of the items.

5. The apparatus according to claim 4, wherein the instructions are further to cause the processor to: determine that the event item matches an item of a record included in a certain time bin of the plurality of time bins; determine a number of user information that corresponds to the item in the certain time bin; and determine whether the confidence level exceeds the certain threshold based upon the determined number of user information.

6. The apparatus according to claim 5, wherein the instructions are further to cause the processor to: determine that the confidence level exceeds the certain threshold in response to the determined number of user information falling below a predefined number; and determine that the confidence level falls below the certain threshold in response to the determined number of user information exceeding the predefined number.

7. The apparatus according to claim 5, wherein the event log additionally lists a time-stamp of a time at which the event at the network appliance occurred, and wherein the instructions are further to cause the processor to: identify within which of the predefined time frames of the plurality of time bins the time-stamp of the time at which the event at the network appliance occurred falls; and determine the match between the event item and the item of the record in the certain time bin corresponding to the identified predefined time frame.

8. The apparatus according to claim 4, wherein the event log additionally lists a time-stamp of a time at which the event at the network appliance occurred, and wherein the instructions are further to cause the processor to: determine that the event item matches an item of a record included in a certain time bin of the plurality of time bins; determine a difference in time between the time-stamp and the predefined time frame of the certain time bin; and determine whether the confidence level exceeds the certain threshold based upon the determined difference in time.

9. The apparatus according to claim 8, wherein the instructions are further to cause the processor to: determine that the confidence level exceeds the certain threshold in response to the determined difference in time falling below a predefined time period; and determine that the confidence level falls below the certain threshold in response to the determined difference in time exceeding the predefined time period.

10. A method for correlating information in an event log with information in a user log, said method comprising: accessing an event log that lists an event item corresponding to an event that occurred at the network appliance; determining whether the event item matches a first item of a plurality of first items listed in a user log that lists records of second items and first items corresponding to user events in a network; in response to a determination that the event item matches the first item of the plurality of first items, identifying the second item corresponding to the matching first item; determining, by a processor, a confidence level that the identified second item corresponds to the event item; determining, by the processor, whether the confidence level exceeds a certain threshold value; in response to a determination that the confidence level exceeds the certain threshold, correlating, by the processor, the second item to the first event information; and inserting, by the processor, an entry into a database that the second item corresponds to the event item.

11. The method according to claim 10, wherein the second item comprises a user name, the method further comprising: executing a policy on data packets communicated to the network appliance by a user corresponding to the second item.

12. The method according to claim 10, further comprising: organizing the records of the second items and the first items corresponding to user events in a network into a plurality of time bins, wherein each of the plurality of time bins includes records of the second items and the first items corresponding to user events in the network that occurred during a predefined time frame; and for each of the plurality of time bins, identifying which of the second items corresponds to which of the first items.

13. The method according to claim 12, further comprising: determining that the event item matches a first item of a record included in a certain time bin of the plurality of time bins; determining a number of second items that corresponds to the first item in the certain time bin; determining whether the determined number of second items exceeds a predefined number; in response to a determination that the determined number of second items falls below the predefined number, determining that the confidence level exceeds the certain threshold; and in response to a determination that the determined number of second items exceeds the predefined number, determining that the confidence level falls below the certain threshold.

14. The method according to claim 10, wherein the event log additionally lists a time-stamp of a time at which the event at the network appliance occurred, the method further comprising: determining that the event item matches a first item of a record included in a certain time bin of the plurality of time bins; determining a difference in time between the time-stamp and the predefined time frame of the certain time bin; and determining whether the confidence level exceeds the certain threshold based upon the determined difference in time.

15. The method according to claim 14, further comprising: determining that the confidence level exceeds the certain threshold in response to the determined difference in time fallin
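The abstract and claims 1 to 9 describe one procedure: bin the identity-management login records by time, look up the address from an appliance event in the matching bin, and only record a user-to-event correlation when the confidence gate passes (few enough users share the address in that bin, claim 6; the event lies close enough to the bin, claim 9). The following is an added example implementing that procedure; it is not code from the patent or its assignee. The five-minute bin width, the one-user and three-minute thresholds, and every log line are assumed and constructed for illustration.

```python
"""Event-log / user-log correlation with time bins and a confidence gate.

Added example, not the patent's own code. It implements the flow the abstract
and claims 1-9 describe: bin the identity-management records (claim 4), match
an appliance event's client address against a bin, gate on how many users
share that address in the bin (claims 5-6) and on how far the event sits past
the bin (claims 8-9), then persist accepted correlations (claim 1's database).
Bin width, thresholds and all log lines are assumed/constructed.
"""
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta

BIN_WIDTH = timedelta(minutes=5)       # predefined time frame per bin (assumed value)
MAX_USERS_PER_ITEM = 1                 # claim 6: more distinct users than this -> ambiguous
MAX_SKEW = timedelta(minutes=3)        # claim 9: event further past a bin than this -> stale
_EPOCH = datetime(1970, 1, 1)

# Constructed identity-management login records: (timestamp, user, client address).
USER_LOG = [
    ("2024-03-01T09:00:10", "alice", "10.0.0.5"),
    ("2024-03-01T09:01:30", "bob",   "10.0.0.9"),
    ("2024-03-01T09:02:00", "carol", "10.0.0.9"),   # shared (NAT/VDI) address
    ("2024-03-01T09:12:45", "alice", "10.0.0.5"),
]
# Constructed network-appliance events: (timestamp, client address, event name).
EVENT_LOG = [
    ("2024-03-01T09:00:40", "10.0.0.5", "ids_alert"),
    ("2024-03-01T09:03:10", "10.0.0.9", "ids_alert"),
    ("2024-03-01T09:08:30", "10.0.0.5", "policy_deny"),
    ("2024-03-01T09:17:30", "10.0.0.5", "ids_alert"),
]


def bin_start(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its BIN_WIDTH-sized bin."""
    return _EPOCH + ((ts - _EPOCH) // BIN_WIDTH) * BIN_WIDTH


def build_bins(user_log):
    """Claim 4: bin the user records, then map address -> set of users within each bin."""
    bins = defaultdict(lambda: defaultdict(set))
    for ts, user, addr in user_log:
        bins[bin_start(datetime.fromisoformat(ts))][addr].add(user)
    return bins


def correlate(event, bins):
    """Return (user, note); user is None when the confidence gate is not cleared."""
    ts = datetime.fromisoformat(event[0])
    addr = event[1]
    b = bin_start(ts)
    while True:
        # Claim 8: how far the event timestamp lies beyond the end of the bin under test
        # (zero while the event falls inside the bin itself).
        skew = max(timedelta(0), ts - (b + BIN_WIDTH))
        if skew > MAX_SKEW:
            return None, "no login record for %s within %s" % (addr, MAX_SKEW)
        users = bins.get(b, {}).get(addr)
        if users:
            # Claims 6 and 9: accept only if the address maps to few enough users in
            # this bin; the skew check above already bounded the time difference.
            if len(users) > MAX_USERS_PER_ITEM:
                return None, "ambiguous: %d users on %s in bin %s" % (len(users), addr, b.time())
            return next(iter(users)), "matched bin %s, skew %ds" % (b.time(), skew.total_seconds())
        b -= BIN_WIDTH   # nothing for this address in the bin: try the previous one


def run(user_log=USER_LOG, event_log=EVENT_LOG):
    """Correlate every event; persist accepted correlations in an in-memory SQLite table."""
    bins = build_bins(user_log)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE correlation (event_ts TEXT, addr TEXT, event TEXT, user TEXT, note TEXT)")
    results = []
    for ev in event_log:
        user, note = correlate(ev, bins)
        results.append((ev[0], ev[1], ev[2], user, note))
        if user is not None:
            db.execute("INSERT INTO correlation VALUES (?, ?, ?, ?, ?)", (ev[0], ev[1], ev[2], user, note))
    stored = db.execute("SELECT event_ts, user FROM correlation ORDER BY event_ts").fetchall()
    db.close()
    return results, stored


if __name__ == "__main__":
    for row in run()[0]:
        print(row)
```

The two rejection paths are the ones a SOC cares about when attributing an alert to a person: an address shared by several logins in the same window (NAT, VDI, a jump host) is reported as ambiguous rather than guessed, and an address whose last login record is older than the allowed skew is reported as unattributed rather than pinned on whoever held it earlier. Both outcomes are kept in the result list for review while only accepted correlations reach the database, which is the behaviour the claims describe.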
CPC classification titles:
- Timestamp
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Event detection, e.g. attack signature detection
- using logs of notifications; Post-processing of notifications
- by monitoring network traffic (monitoring network traffic per se H04L43/00)