@DP123...
Not being a SCOM guy I can't give you a solution, but I will suggest that you could check the registry and identify the the Current Definitions:
For SEP 12.1 64bit, you would look at the following: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs", "DEFWATCH_10"
That said, you could write a script that does a check of that reg key, and if the value is greater than 7 days old (or whatever number of days works for your customer) then have the script write the event log you suggested SCOM could then monitor. The script could be called by a scheduled task so that you don't have another TSR on your customers desktop. :-)
Hope this gives you some ideas,
-Mike