By "normal", we mean the usual things that users (admins included) do with their endpoints.
What are typical use-cases that lead to client-side infiltration? E.g. email, web browsing...
Set up the OpenEDR backend. See https://github.com/jymcheong/OpenEDR#getting-started
Study "normal" (based on what the student established with the first goal), using a Windows VM and OpenEDR data-set visualisation.
Learn how to use Sysmon events to observe the various process behaviours, particularly those related to Payload Delivery & Code-Execution (as highlighted under the Tactics column above).
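One way to turn Sysmon process-creation events (Event ID 1) into a picture of "normal" is to count parent-to-child process pairs during ordinary use and then list pairs the baseline never saw. This is an added example, not code from the original page or from OpenEDR. Assumptions: events are available as Sysmon XML, the helper names and the sample events are constructed for illustration, and comparing executable names only (not full paths or command lines) is a simplification.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(parent, image, event_id=1):
    """Constructed Sysmon event XML holding only the fields used below."""
    return ('<Event xmlns="' + NS["e"] + '"><System>'
            f"<EventID>{event_id}</EventID></System><EventData>"
            f'<Data Name="ParentImage">{parent}</Data>'
            f'<Data Name="Image">{image}</Data></EventData></Event>')

def parent_child(xml_text):
    """Return (parent, child) executable names for Event ID 1, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    base = lambda path: path.rsplit("\\", 1)[-1].lower()
    return base(data.get("ParentImage", "")), base(data.get("Image", ""))

def build_baseline(events):
    """Count each parent -> child pair seen during the 'normal' observation period."""
    return Counter(p for p in map(parent_child, events) if p)

def unseen_pairs(baseline, events):
    """Parent -> child pairs in new events that the baseline never recorded."""
    return sorted({p for p in map(parent_child, events) if p and p not in baseline})

# Constructed sample paths and events (hypothetical, for illustration only).
EXPLORER = r"C:\Windows\explorer.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Baseline: a user reading email, opening an attachment and browsing.
BASELINE_EVENTS = [make_event(EXPLORER, OUTLOOK), make_event(OUTLOOK, WINWORD),
                   make_event(EXPLORER, CHROME), make_event(CHROME, CHROME)]
# Later observation: one familiar pair and one the baseline never contained.
NEW_EVENTS = [make_event(EXPLORER, CHROME), make_event(WINWORD, POWERSHELL)]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for parent, child in unseen_pairs(baseline, NEW_EVENTS):
        print(f"not in baseline: {parent} -> {child}")
```

A pair missing from the baseline is a prompt to look closer, not a verdict; a short observation period will leave plenty of legitimate pairs unrecorded.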