Ingesting sysmon logs

Anyone know how to ingest sysmon logs in a way to get the SIEM functions of ES 7.7.1 to function? We are testing ROCK against a dataset provided by https://mordordatasets.com/hackathons/apt29.html in order to test the SIEM functionality. The host logs are json formatted. We have set up filebeat to read and ship the logs, but this results in a funky index which is less usable than live data shipped in real time.

Any help will be appreciated.

Tom