Network devices deployed in organizations (Firewall, IDS, routers, antivirus, servers, etc.) logs users' activity as events. Based on these events users' behavioral profiles can be derived in order to detect anomalies, indicating potential attacks. The identifier of a user in most cases is the user's organizational username. While events are always logged with the source IP address they are not always logged with the relevant username and therefore, many of the collected events are not directly linked with the appropriate user. In this paper we describe a method for associating an IP address with an actual username based on a set of logged events. This is crucial precondition for generating an accurate user's profile. The proposed method was evaluated using real large datasets (logs) and showed 88% accuracy in the identification of usernames.