Network Monitor in a lab environment...there's a few ways to do this. Understand that in a live environment, Network Monitor is getting traffic via a tap, which you're likely not going to be able to do in a Lab. So there's two main ways to "send" traffic to a network monitor outside of that:
(1) Drop an email file (.eml) into the drop folder on the Network Monitor. It will get picked up and processed by the server.
(2) Set up a replay of a PCAP file that you've captured off your network (if you're comfortable with loading in live traffic into you lab). This will effectively replay that packet capture indefinitely.
Start with the first method...it's the easiest way to do this.
~Keith
p.s. The answer to your question about whether it's normal to be reported as an Endpoint incident. Yes, if the incident was detected by the Endpoint Agent, which is what you have done, then it gets reported as an Endpoint Incident. You're obviously monitoring HTTP with the agent.