I would like to habe osquery report on the status of Microsoft Defender of Endpoint AntiVirus solution. I can check if the

wdavdaemon

process is running but this will not assure that realtime protection is actually enabled. The command

mdatp health

provides status information. Any ideas for a solution?

Perhaps the realtime protection uses a System Extension? You could check

system_extensions

table in osquery