diff --git a/CHANGES b/CHANGES
index fd4e100833..d766eb7492 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,13 @@
+5.1.0-dev.271 | 2022-07-19 12:01:41 +0200
+
+ * GH-2276: Raise smb2_file_delete for CREATE with
+ FILE_DELETE_ON_CLOSE. (Arne Welzel, Corelight)
+
+ When a CREATE request contains the FILE_DELETE_ON_CLOSE option and
+ the subsequent CREATE response indicates success, we now raise the
+ smb2_file_delete event to log a delete action in smb_files.log and
+ also give users a way to handle this scenario.
+
 5.1.0-dev.269 | 2022-07-18 08:57:32 -0700
 * DebugLogger: "auto const" to "const auto" (Arne Welzel, Corelight)
diff --git a/VERSION b/VERSION
index 7f45bb935e..bab36f8e6f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.1.0-dev.269
+5.1.0-dev.271
diff --git a/scripts/base/protocols/smb/smb2-main.zeek b/scripts/base/protocols/smb/smb2-main.zeek
index c45a56a799..202450fcca 100644
--- a/scripts/base/protocols/smb/smb2-main.zeek
+++ b/scripts/base/protocols/smb/smb2-main.zeek
@@ -5,6 +5,10 @@ module SMB2;
 redef record SMB::CmdInfo += {
 ## Dialects offered by the client.
 smb2_offered_dialects: index_vec &optional;
+
+ ## Keep the create_options in the command for
+ ## referencing later.
+ smb2_create_options: count &default=0;
 };
 event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=5
@@ -127,6 +131,7 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::Creat
 request$filename = "";
 c$smb_state$current_file$name = request$filename;
+ c$smb_state$current_cmd$smb2_create_options = request$create_options;
 switch ( c$smb_state$current_tree$share_type ) {
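Review bot: The doc comment on the new `smb2_create_options` field in the `@@ -5,6` hunk only says the value is kept "for referencing later", which leaves a reader of SMB::CmdInfo without the field's meaning or why 0 is a safe default. I would write it as `## The create_options bitmask from the SMB2 CREATE request, stored on the command so the CREATE response handler can inspect it (e.g. for FILE_DELETE_ON_CLOSE). Defaults to 0, i.e. no options, when no request was recorded.` The assignment added in the `@@ -127,6` hunk then needs no comment of its own; note that the smb2_create_request handler it sits in begins and ends outside that hunk.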
@@ -164,6 +169,11 @@ event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::Cre
 c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile] = c$smb_state$current_file;
 c$smb_state$current_file = c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile];
+
+ # If the create request for this file had FILE_DELETE_ON_CLOSE set and
+ # the response status was success, raise a smb2_file_delete event.
+ if ( hdr$status == 0 && (c$smb_state$current_cmd$smb2_create_options & 0x00001000) != 0 )
+ event smb2_file_delete(c, hdr, response$file_id, T);
 }
 event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=-5
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-create-delete-on-close/smb_cmd.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-create-delete-on-close/smb_cmd.log
new file mode 100644
index 0000000000..bf0819dd0c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-create-delete-on-close/smb_cmd.log
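Review bot: The FILE_DELETE_ON_CLOSE bit is tested as the bare literal `0x00001000` in the new `if`, so the intent of the check is only recoverable from the comment above it; giving the bit a module-level name, e.g. `const FILE_DELETE_ON_CLOSE = 0x00001000;` (proposed name) and then `(c$smb_state$current_cmd$smb2_create_options & FILE_DELETE_ON_CLOSE) != 0`, keeps the condition self-describing. The comment should also state what the raised event means to consumers of smb_files.log: the server accepted a delete-on-close disposition at CREATE, but the file is only removed when its last handle is closed and the disposition can still be cleared before then, so a FILE_DELETE entry produced here records an intent rather than an observed removal. The `&default=0` on `smb2_create_options` is what stops a response whose request was never seen from matching, which presumably relies on `current_cmd` being the same CmdInfo record for request and response; a short comment on that is worthwhile since the invariant is maintained outside this hunk. The smb2_create_response handler the check lives in begins outside the hunk.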
@@ -0,0 +1,34 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path smb_cmd +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p command sub_command argument status rtt version username tree tree_service referenced_file.ts referenced_file.uid referenced_file.id.orig_h referenced_file.id.orig_p referenced_file.id.resp_h referenced_file.id.resp_p referenced_file.fuid referenced_file.action referenced_file.path referenced_file.name referenced_file.size referenced_file.prev_name referenced_file.times.modified referenced_file.times.accessed referenced_file.times.created referenced_file.times.changed +#types time string addr port addr port string string string string interval string string string string time string addr port addr port string enum string string count string time time time time +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 NEGOTIATE_PROTOCOL - - SUCCESS 0.002119 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - - - - 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 SESSION_SETUP - - SUCCESS 0.001559 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - - - - 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 TREE_CONNECT - - SUCCESS 0.005032 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - - - - 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CREATE - - SUCCESS 0.000430 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN - test_dir 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 QUERY_INFO - - SUCCESS 0.000131 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - - - - 0 - - - - - 
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 SET_INFO - - SUCCESS 0.000298 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - - - - 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CLOSE - - SUCCESS 0.000112 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_CLOSE \\\\127.0.0.1\\tmp test_dir 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CREATE - - FILE_IS_A_DIRECTORY 0.000163 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN - test_dir 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CREATE - - SUCCESS 0.000159 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN - test_dir 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 QUERY_DIRECTORY - - SUCCESS 0.000135 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - - - - 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CREATE - - SUCCESS 0.000227 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN - test_dir\\test_create.dat 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CLOSE - - SUCCESS 0.000174 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_CLOSE \\\\127.0.0.1\\tmp test_dir\\test_create.dat 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 QUERY_DIRECTORY - - NO_MORE_FILES 0.000038 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - - - - 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CREATE - - OBJECT_NAME_NOT_FOUND 0.000158 SMB2 - - - 
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN - test_dir\\test_create.dat 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CLOSE - - SUCCESS 0.000053 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_CLOSE \\\\127.0.0.1\\tmp test_dir 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CREATE - - SUCCESS 0.000246 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN - test_dir 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CLOSE - - SUCCESS 0.000220 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_CLOSE \\\\127.0.0.1\\tmp test_dir 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CREATE - - SUCCESS 0.000748 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN - test_dir 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 QUERY_INFO - - SUCCESS 0.000151 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - - - - 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 SET_INFO - - SUCCESS 0.000333 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - - - - 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CLOSE - - SUCCESS 0.000112 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_CLOSE \\\\127.0.0.1\\tmp test_dir 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CREATE - - SUCCESS 0.000622 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - 
SMB::FILE_OPEN - test_dir\\test_create.dat 0 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CLOSE - - SUCCESS 0.000141 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_CLOSE \\\\127.0.0.1\\tmp test_dir\\test_create.dat 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 CREATE - - OBJECT_NAME_NOT_FOUND 0.000181 SMB2 - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN - test_dir\\test_create.dat 0 - - - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-create-delete-on-close/smb_files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-create-delete-on-close/smb_files.log new file mode 100644 index 0000000000..55f6902aef --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-create-delete-on-close/smb_files.log 
@@ -0,0 +1,18 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path smb_files +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size prev_name times.modified times.accessed times.created times.changed +#types time string addr port addr port string enum string string count string time time time time +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN \\\\127.0.0.1\\tmp test_dir 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN \\\\127.0.0.1\\tmp test_dir\\test_create.dat 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_DELETE \\\\127.0.0.1\\tmp test_dir\\test_create.dat 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN \\\\127.0.0.1\\tmp test_dir 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_DELETE \\\\127.0.0.1\\tmp test_dir 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN \\\\127.0.0.1\\tmp test_dir 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_OPEN \\\\127.0.0.1\\tmp test_dir\\test_create.dat 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54268 127.0.0.1 445 - SMB::FILE_DELETE \\\\127.0.0.1\\tmp 
test_dir\\test_create.dat 0 - XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/smb/smb2.delete-on-close-perms-delete-existing.pcap b/testing/btest/Traces/smb/smb2.delete-on-close-perms-delete-existing.pcap
new file mode 100644
index 0000000000..f6227c7273
Binary files /dev/null and b/testing/btest/Traces/smb/smb2.delete-on-close-perms-delete-existing.pcap differ
diff --git a/testing/btest/scripts/base/protocols/smb/smb2-create-delete-on-close.zeek b/testing/btest/scripts/base/protocols/smb/smb2-create-delete-on-close.zeek
new file mode 100644
index 0000000000..47e49c71ee
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb2-create-delete-on-close.zeek
@@ -0,0 +1,8 @@
+# @TEST-EXEC: zeek -C -r $TRACES/smb/smb2.delete-on-close-perms-delete-existing.pcap policy/protocols/smb/log-cmds
+# @TEST-EXEC: btest-diff smb_files.log
+# @TEST-EXEC: btest-diff smb_cmd.log
+
+@load base/protocols/smb
+
+redef SMB::logged_file_actions += { SMB::FILE_READ, SMB::FILE_WRITE };
+