diff --git a/docs/1-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/1-Using-Fleet/standard-query-library/standard-query-library.yml
index 6c625f272d..a7f429375e 100644
--- a/docs/1-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/1-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -436,3 +436,13 @@ spec:
   query: SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;
   purpose: Informational
   contributors: noahtalerman
+---
+apiVersion: v1
+kind: query
+spec:
+  name: Find deleted files from disk
+  platforms: Linux, macOS, Windows
+  description: Lists all processes of which the binary which launched them no longer exists on disk. Attackers often delete files from disk after launching process to mask presence.
+  query: SELECT name, path, pid FROM processes WHERE on_disk = 0;
+  purpose: Incident response
+  contributors: alphabrevity
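Review bot: The `name` and `description` of the added entry overstate what the query does: `WHERE on_disk = 0` matches running processes whose executable is no longer present, not deleted files in general, and osquery reports `on_disk` as -1 when the path could not be checked, so those processes are silently excluded rather than listed. Suggest `name: Find processes whose executable was deleted from disk` and a description that also mentions the benign case, e.g. a long-running service whose binary was replaced by a package upgrade but never restarted, so responders do not treat every hit as hostile. For incident-response triage the selected columns are thin; `query: SELECT pid, name, path, parent, uid, cmdline, start_time FROM processes WHERE on_disk = 0;` gives the parent, owner and command line in the same row. Also `after launching process` in the description should read `after launching a process`.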