If this is going to be a scheduled Rule, remember you can only go back 14 days (not 365 days).
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#query-scheduling-and-...
I would think you need a summarize and count to get the "Nth" number.
Generally you should schedule these to run on the current day or interval, so let's say you configured it to run daily (once every 24 hrs); you then only need to look back 1d (or whatever you prefer):
AppTraces
| where TimeGenerated > ago(1d)
| where Message contains 'has been disabled'
| extend username = extract('User with ID ([A-Za-z0-9_-]{1,20})', 1, Message)
| summarize count() by username
Personally I prefer to look back to a known point in time (first record after midnight in this example), using startofday():
AppTraces
| where TimeGenerated > startofday(ago(1d))
| where Message contains 'has been disabled'
| extend username = extract('User with ID ([A-Za-z0-9_-]{1,20})', 1, Message)
| summarize count() by username
| where count_ > 10
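
To check the extraction and threshold before scheduling the rule, the same logic can be run against synthetic rows. This is an added example, not part of the original reply: `SampleTraces`, the user IDs, the `threshold` variable, the `DisabledCount` column and the message wording are all constructed assumptions, and the `isnotempty()` filter is an addition that drops rows where the regex finds no user ID.

```kql
// Added example: constructed rows standing in for AppTraces.
// All user IDs and message texts below are made up for the test.
let threshold = 10;
let SampleTraces = union
    // 12 events in the last 12 hours: constructed to exceed the threshold
    (range i from 1 to 12 step 1
     | project TimeGenerated = now() - i * 1h,
               Message = "User with ID alice_01 has been disabled"),
    // 3 recent events: constructed to stay under the threshold
    (range i from 1 to 3 step 1
     | project TimeGenerated = now() - i * 2h,
               Message = "User with ID bob-02 has been disabled"),
    // 20 events more than 3 days old: outside the lookback window
    (range i from 1 to 20 step 1
     | project TimeGenerated = now() - 3d - i * 1h,
               Message = "User with ID carol_03 has been disabled"),
    // Matches the 'has been disabled' filter but carries no user ID,
    // so extract() returns an empty string for it
    (range i from 1 to 1 step 1
     | project TimeGenerated = now() - 1h,
               Message = "Feature flag has been disabled");
SampleTraces
// Lookback anchored to midnight, as in the second query above
| where TimeGenerated > startofday(ago(1d))
| where Message contains 'has been disabled'
| extend username = extract('User with ID ([A-Za-z0-9_-]{1,20})', 1, Message)
// Without this filter, non-matching rows are counted under an empty username
| where isnotempty(username)
| summarize DisabledCount = count() by username
| where DisabledCount > threshold
```

Swapping `SampleTraces` for `AppTraces` in the final query gives the form to paste into the rule.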