Forum Discussion
chetan787
Jun 27, 2021 · Copper Contributor
kql query for brute force/dictionary attack on a account in apptraces
I've been trying to create a KQL query on this use case. I've come up with the below. Is this correct? Appreciate suggestions. AppTraces | where TimeGenerated > ago(365d) | where Message contai...
CliveWatson
Jun 28, 2021 · Former Employee
If this is going to be a scheduled Rule, remember you can only go back 14 days (not 365 days)
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#query-scheduling-and-alert-threshold
I would think you need a summarize and count to get the "Nth" number
Generally you should schedule these to run on the current day or interval, so let's say you configured it to run daily (once every 24hrs); you then only need to look back 1d (or whatever you prefer)
AppTraces
| where TimeGenerated > ago(1d)                 // only the last 24h, matching a daily schedule
| where Message contains 'has been disabled'    // the lockout/disable message (contains is case-insensitive)
| extend username = extract('User with ID ([A-Za-z0-9_-]{1,20})', 1, Message)  // pull the account ID out of the text
| summarize count() by username                 // number of disable events per account
Personally I prefer to look back to a known point in time (first record after midnight in this example), using startofday()
AppTraces
| where TimeGenerated > startofday(ago(1d))     // from midnight yesterday, not a rolling 24h
| where Message contains 'has been disabled'
| extend username = extract('User with ID ([A-Za-z0-9_-]{1,20})', 1, Message)
| summarize count() by username
| where count_ > 10                             // the "Nth" threshold: only accounts disabled more than 10 times
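The two query shapes in CliveWatson's reply (a rolling `ago(1d)` window versus a `startofday(ago(1d))` window, a regex extract of the account ID, a count per account and a `> 10` threshold) can be exercised offline against a handful of constructed log rows. The Python below is an added example and is not part of the original thread or of Azure Sentinel; it assumes the same `User with ID <id> has been disabled ...` message format the regex in the thread expects, and the sample rows and the fixed "now" are constructed for the example. It deliberately places one account's lockouts between midnight yesterday and 24 hours ago so the difference between the two windows is visible.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Regex from the thread; assumes messages look like "User with ID <id> has been disabled ...".
USER_RE = re.compile(r"User with ID ([A-Za-z0-9_-]{1,20})")

# Fixed "now" so the example is reproducible: the rule runs at 09:30 UTC on 28 Jun 2021 (assumed).
NOW = datetime(2021, 6, 28, 9, 30, tzinfo=timezone.utc)


def start_of_day(ts):
    """Equivalent of KQL startofday(): midnight of the day containing ts."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def build_sample_rows(now=NOW):
    """Constructed AppTraces rows as (TimeGenerated, Message) tuples; not real telemetry."""
    rows = []
    # alice: 12 disable events in the last hour, above the threshold of 10.
    for i in range(12):
        rows.append((now - timedelta(minutes=5 * i),
                     "User with ID alice has been disabled after repeated failed sign-ins"))
    # bob: 3 disable events, below threshold.
    for i in range(3):
        rows.append((now - timedelta(hours=2, minutes=i), "User with ID bob has been disabled"))
    # carol: 11 disable events at 06:00 yesterday. That is after startofday(ago(1d)) but
    # before ago(1d), so only the startofday() variant of the query counts them.
    yesterday_0600 = start_of_day(now - timedelta(days=1)) + timedelta(hours=6)
    for i in range(11):
        rows.append((yesterday_0600 + timedelta(minutes=i), "User with ID carol has been disabled"))
    # Noise: a message without the disable text, and a disable message carrying no user ID.
    rows.append((now - timedelta(minutes=1), "User with ID dave signed in successfully"))
    rows.append((now - timedelta(minutes=2), "Service account has been disabled by admin"))
    return rows


def detect_lockouts(rows, now=NOW, lookback_days=1, threshold=10, use_start_of_day=True):
    """Return {username: count} for accounts disabled more than `threshold` times in the window.

    use_start_of_day=True  mirrors: | where TimeGenerated > startofday(ago(1d))
    use_start_of_day=False mirrors: | where TimeGenerated > ago(1d)
    """
    cutoff = now - timedelta(days=lookback_days)
    if use_start_of_day:
        cutoff = start_of_day(cutoff)
    counts = Counter()
    for time_generated, message in rows:
        if time_generated <= cutoff:                      # | where TimeGenerated > cutoff
            continue
        if "has been disabled" not in message.lower():    # KQL `contains` is case-insensitive
            continue
        match = USER_RE.search(message)
        username = match.group(1) if match else ""        # extract() yields empty when nothing matches
        counts[username] += 1                             # | summarize count() by username
    return {user: n for user, n in counts.items() if n > threshold}   # | where count_ > 10


if __name__ == "__main__":
    rows = build_sample_rows()
    print("startofday(ago(1d)):", detect_lockouts(rows))
    print("ago(1d):            ", detect_lockouts(rows, use_start_of_day=False))
```

Running it shows the practical consequence of the two windows: with `startofday(ago(1d))` both alice and carol cross the threshold, with a rolling `ago(1d)` only alice does, because carol's events fall between midnight yesterday and 24 hours ago. The empty-username bucket also illustrates why the regex should be checked against real messages: a disable event whose text does not carry `User with ID` is counted under an empty key rather than dropped.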