That's a great idea
I think the following event IDs should give you the information around the On-Access Protection:
On-access Scan started
On-access scan stopped
You'll need to ensure that these are being logged to the database & also amend the agent settings to make sure they get sent immediately if required (caution, as you may get flooded with events).
On the AP side I'd love that info as well
I looked at this a few years ago, and the issue was these events would be pushed up any time a computer was rebooted (stopped when it was shut down / started when it booted up). Made it useless as a diagnostic tool.
Things may have changed of course, but extensive testing would be required.