A system to optimize required resources at an endpoint needed to monitor a user behavior for abnormalities with the endpoint includes a processor processing a plurality of agents running at the endpoint to intercept network traffic metrics, intercept device access metrics, intercept app-specific user-mode metrics, parse intercepted data, and submit the intercepted data to a backend component at a server to collect the intercepted data from the endpoint, predict deviation from a normal profile, in which the backend component assesses available characteristics of a particular endpoint, calculates an endpoint user profile, calculates a degree of variance (DoV) between the user profile and the normal profile, compares the calculated DoV to a predetermined Variance Threshold (VT), and predicts, based on machine learning algorithms, a movement of a trend of the DoV within the VT, creates an adjusted metrics list, and distributes adjusted metrics to a related endpoint.