diff --git a/tools/sigma/backends/wdatp.py b/tools/sigma/backends/wdatp.py
index 8d5407a28..44cae5471 100644
--- a/tools/sigma/backends/wdatp.py
+++ b/tools/sigma/backends/wdatp.py
@@ -123,12 +123,17 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
     def generate(self, sigmaparser):
         self.table = None
         try:
-            self.product = sigmaparser.parsedyaml['logsource']['product']
-            self.service = sigmaparser.parsedyaml['logsource']['service']
+            self.category = sigmaparser.parsedyaml['logsource'].setdefault('category', None)
+            self.product = sigmaparser.parsedyaml['logsource'].setdefault('product', None)
+            self.service = sigmaparser.parsedyaml['logsource'].setdefault('service', None)
         except KeyError:
+            self.category = None
             self.product = None
             self.service = None
 
+        if (self.category, self.product, self.service) == ("process_creation", "windows", None):
+            self.table = "ProcessCreationEvents"
+
         return super().generate(sigmaparser)
 
     def generateBefore(self, parsed):
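Review bot: The three `setdefault(..., None)` calls added in the `try` block write `category`, `product` and `service` keys with value `None` into `sigmaparser.parsedyaml['logsource']`, so a read of the log source now mutates the parsed rule; anything downstream that tests `'category' in logsource` or re-serialises the rule will see keys the rule author never wrote. `.get()` returns the same value without the side effect: `self.category = sigmaparser.parsedyaml['logsource'].get('category')`, and likewise for `product` and `service`. After this change the `except KeyError` only fires when `logsource` itself is absent, which is presumably the intent, but it would be clearer to say so in a comment. A short docstring on `generate` stating that `self.table` is set to `"ProcessCreationEvents"` only for the `process_creation`/`windows`/no-service combination and is otherwise left `None` would help readers of the rest of the backend, whose handling of a `None` table is outside this hunk.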