Hello,
There is an Out of the Box report now under reports - Device health - Microsoft Defender Antivirus Health but indeed it doesn't show you the domain.
Not sure why you are looking into DeviceFileEvents when you should be looking into DeviceTvmSecureConfigurationAssessment. Check below. You may uncomment the domain and the summarize.
let avmodetable = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend avdata=parsejson(Context)
| extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked' ,'Unknown')))
| project DeviceId, AVMode;
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011" and isnotnull(Context)
| extend avdata=parsejson(Context)
| extend AVSigVersion = tostring(avdata[0][0])
| extend AVEngineVersion = tostring(avdata[0][1])
| extend AVSigLastUpdateTime = tostring(avdata[0][2])
| extend PlatformVersion = tostring(avdata[0][3])
//| where DeviceName contains "domain"
| project DeviceId, DeviceName, OSPlatform, PlatformVersion, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
| join avmodetable on DeviceId
| project-away DeviceId1
//| summarize dcount(DeviceName) by PlatformVersion