- Patent title: Endpoint network traffic analysis
- Application number: US16295122; filing date: 2019-03-07
- Publication number: US11223639B2; publication date: 2022-01-11
- Inventor: Oleksii Mandrychenko
- Applicant: Fortinet, Inc.
- Applicant address: US CA Sunnyvale
- Patentee: Fortinet, Inc.
- Current patentee: Fortinet, Inc.
- Current patentee address: US CA Sunnyvale
- Agent: HDC Intellectual Property Law, LLP
- Primary classification: H04L29/06
- IPC classifications: H04L29/06; G06F9/54; G06F16/2458; H04L29/08; G06F21/57
Abstract:
Systems and methods for an agent-based approach that facilitates endpoint network traffic analysis are provided. According to an embodiment, an agent running on an endpoint device associated with an enterprise network collects network communication metadata from the endpoint device responsive to receiving callbacks from a kernel-level tracing facility implemented within an OS of the endpoint device and locally stores the collected network communication metadata. Further, the agent performs time-based aggregation of the collected metadata to reduce transmission bandwidth and local storage requirements. The aggregated metadata from the endpoint device is submitted to an anomaly detection service when the endpoint device is connected to the enterprise network. The anomaly detection service uses a machine-learning based approach for detection of anomalous behavior.
Publication/grant documents
- US20200287920A1 ENDPOINT NETWORK TRAFFIC ANALYSIS, published 2020-09-10