diff --git a/sdk/security/azure-mgmt-security/azure/mgmt/security/models/__init__.py b/sdk/security/azure-mgmt-security/azure/mgmt/security/models/__init__.py
index 0bb7843b55d2..301c7dc4d474 100644
--- a/sdk/security/azure-mgmt-security/azure/mgmt/security/models/__init__.py
+++ b/sdk/security/azure-mgmt-security/azure/mgmt/security/models/__init__.py
@@ -53,6 +53,7 @@
     from ._models_py3 import InformationProtectionPolicy
     from ._models_py3 import InformationType
     from ._models_py3 import IoTSecurityAggregatedAlert
+    from ._models_py3 import IoTSecurityAggregatedAlertPropertiesTopDevicesListItem
     from ._models_py3 import IoTSecurityAggregatedRecommendation
     from ._models_py3 import IoTSecurityAlertedDevice
     from ._models_py3 import IoTSecurityDeviceAlert
@@ -156,6 +157,7 @@
     from ._models import InformationProtectionPolicy
     from ._models import InformationType
     from ._models import IoTSecurityAggregatedAlert
+    from ._models import IoTSecurityAggregatedAlertPropertiesTopDevicesListItem
     from ._models import IoTSecurityAggregatedRecommendation
     from ._models import IoTSecurityAlertedDevice
     from ._models import IoTSecurityDeviceAlert
@@ -309,6 +311,7 @@
     'InformationProtectionPolicy',
     'InformationType',
     'IoTSecurityAggregatedAlert',
+    'IoTSecurityAggregatedAlertPropertiesTopDevicesListItem',
     'IoTSecurityAggregatedRecommendation',
     'IoTSecurityAlertedDevice',
     'IoTSecurityDeviceAlert',
diff --git a/sdk/security/azure-mgmt-security/azure/mgmt/security/models/_models.py b/sdk/security/azure-mgmt-security/azure/mgmt/security/models/_models.py
index 9bf5f77d3cde..50fd3350b735 100644
--- a/sdk/security/azure-mgmt-security/azure/mgmt/security/models/_models.py
+++ b/sdk/security/azure-mgmt-security/azure/mgmt/security/models/_models.py
@@ -1972,6 +1972,10 @@ class IoTSecurityAggregatedAlert(Model):
     :ivar log_analytics_query: Log analytics query for getting the list of
      affected devices/alerts.
     :vartype log_analytics_query: str
+    :ivar top_devices_list: 10 devices with the highest number of occurrences
+     of this alert type, on this day.
+    :vartype top_devices_list:
+     list[~azure.mgmt.security.models.IoTSecurityAggregatedAlertPropertiesTopDevicesListItem]
     """
 
     _validation = {
@@ -1990,6 +1994,7 @@ class IoTSecurityAggregatedAlert(Model):
         'system_source': {'readonly': True},
         'action_taken': {'readonly': True},
         'log_analytics_query': {'readonly': True},
+        'top_devices_list': {'readonly': True},
     }
 
     _attribute_map = {
@@ -2009,6 +2014,7 @@ class IoTSecurityAggregatedAlert(Model):
         'system_source': {'key': 'properties.systemSource', 'type': 'str'},
         'action_taken': {'key': 'properties.actionTaken', 'type': 'str'},
         'log_analytics_query': {'key': 'properties.logAnalyticsQuery', 'type': 'str'},
+        'top_devices_list': {'key': 'properties.topDevicesList', 'type': '[IoTSecurityAggregatedAlertPropertiesTopDevicesListItem]'},
     }
 
     def __init__(self, **kwargs):
@@ -2029,6 +2035,41 @@ def __init__(self, **kwargs):
         self.system_source = None
         self.action_taken = None
         self.log_analytics_query = None
+        self.top_devices_list = None
+
+
+class IoTSecurityAggregatedAlertPropertiesTopDevicesListItem(Model):
+    """IoTSecurityAggregatedAlertPropertiesTopDevicesListItem.
+
+    Variables are only populated by the server, and will be ignored when
+    sending a request.
+
+    :ivar device_id: Name of the device.
+    :vartype device_id: str
+    :ivar alerts_count: Number of alerts raised for this device.
+    :vartype alerts_count: int
+    :ivar last_occurrence: Most recent time this alert was raised for this
+     device, on this day.
+    :vartype last_occurrence: str
+    """
+
+    _validation = {
+        'device_id': {'readonly': True},
+        'alerts_count': {'readonly': True},
+        'last_occurrence': {'readonly': True},
+    }
+
+    _attribute_map = {
+        'device_id': {'key': 'deviceId', 'type': 'str'},
+        'alerts_count': {'key': 'alertsCount', 'type': 'int'},
+        'last_occurrence': {'key': 'lastOccurrence', 'type': 'str'},
+    }
+
+    def __init__(self, **kwargs):
+        super(IoTSecurityAggregatedAlertPropertiesTopDevicesListItem, self).__init__(**kwargs)
+        self.device_id = None
+        self.alerts_count = None
+        self.last_occurrence = None
 
 
 class IoTSecurityAggregatedRecommendation(Model):
diff --git a/sdk/security/azure-mgmt-security/azure/mgmt/security/models/_models_py3.py b/sdk/security/azure-mgmt-security/azure/mgmt/security/models/_models_py3.py
index 2022af70d6df..39dbc4cf33ef 100644
--- a/sdk/security/azure-mgmt-security/azure/mgmt/security/models/_models_py3.py
+++ b/sdk/security/azure-mgmt-security/azure/mgmt/security/models/_models_py3.py
@@ -1972,6 +1972,10 @@ class IoTSecurityAggregatedAlert(Model):
     :ivar log_analytics_query: Log analytics query for getting the list of
      affected devices/alerts.
     :vartype log_analytics_query: str
+    :ivar top_devices_list: 10 devices with the highest number of occurrences
+     of this alert type, on this day.
+    :vartype top_devices_list:
+     list[~azure.mgmt.security.models.IoTSecurityAggregatedAlertPropertiesTopDevicesListItem]
     """
 
     _validation = {
@@ -1990,6 +1994,7 @@ class IoTSecurityAggregatedAlert(Model):
         'system_source': {'readonly': True},
         'action_taken': {'readonly': True},
         'log_analytics_query': {'readonly': True},
+        'top_devices_list': {'readonly': True},
     }
 
     _attribute_map = {
@@ -2009,6 +2014,7 @@ class IoTSecurityAggregatedAlert(Model):
         'system_source': {'key': 'properties.systemSource', 'type': 'str'},
         'action_taken': {'key': 'properties.actionTaken', 'type': 'str'},
         'log_analytics_query': {'key': 'properties.logAnalyticsQuery', 'type': 'str'},
+        'top_devices_list': {'key': 'properties.topDevicesList', 'type': '[IoTSecurityAggregatedAlertPropertiesTopDevicesListItem]'},
     }
 
     def __init__(self, *, tags=None, **kwargs) -> None:
@@ -2029,6 +2035,41 @@ def __init__(self, *, tags=None, **kwargs) -> None:
         self.system_source = None
         self.action_taken = None
         self.log_analytics_query = None
+        self.top_devices_list = None
+
+
+class IoTSecurityAggregatedAlertPropertiesTopDevicesListItem(Model):
+    """IoTSecurityAggregatedAlertPropertiesTopDevicesListItem.
+
+    Variables are only populated by the server, and will be ignored when
+    sending a request.
+
+    :ivar device_id: Name of the device.
+    :vartype device_id: str
+    :ivar alerts_count: Number of alerts raised for this device.
+    :vartype alerts_count: int
+    :ivar last_occurrence: Most recent time this alert was raised for this
+     device, on this day.
+    :vartype last_occurrence: str
+    """
+
+    _validation = {
+        'device_id': {'readonly': True},
+        'alerts_count': {'readonly': True},
+        'last_occurrence': {'readonly': True},
+    }
+
+    _attribute_map = {
+        'device_id': {'key': 'deviceId', 'type': 'str'},
+        'alerts_count': {'key': 'alertsCount', 'type': 'int'},
+        'last_occurrence': {'key': 'lastOccurrence', 'type': 'str'},
+    }
+
+    def __init__(self, **kwargs) -> None:
+        super(IoTSecurityAggregatedAlertPropertiesTopDevicesListItem, self).__init__(**kwargs)
+        self.device_id = None
+        self.alerts_count = None
+        self.last_occurrence = None
 
 
 class IoTSecurityAggregatedRecommendation(Model):