Signal Detectors
Detectors can be written in a few different ways; the two main kinds are called holistic and static.
Holistic detectors are based on the behaviour of the attack. For example, instead of looking for a particular executable, you look for a particular pattern of behaviour, such as touching certain files and then running a script.
Static detectors look for a specific file or executable rather than an adversary behaviour.
What is a SIEM?
Security information and event management, or SIEM for short, is a platform that lets you search through all the log data coming from your company's hosts. This data lets you see what is happening in real time, which can sometimes allow you to stop an adversary before they can steal data or establish persistence on the host.
This is done with rules written to sort through the logs and organise the information so that an analyst can read it. Once the SIEM detects a threat, whether hands-on activity such as lateral movement or malware, it creates a signal that shows on your SOC's dashboard for investigation.
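As an added example (not code from the original page or from any SIEM product), the following miniature rule engine shows a static detector and a holistic detector from the first section running over constructed host log lines and producing signals the way a SIEM rule would; the log format, the `evil-dropper.exe` name and the 30-second window are all assumptions made for the example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One host event, and one signal raised for the SOC dashboard.
Event = namedtuple("Event", "ts host process action target")
Signal = namedtuple("Signal", "host rule detail")

# Static rule data: a specific executable name the SOC wants flagged (placeholder, constructed).
KNOWN_BAD_EXE = {"evil-dropper.exe"}
SCRIPT_EXTS = (".ps1", ".bat", ".vbs", ".sh")

def static_detector(events):
    """Static: fire whenever a known-bad executable name is run, regardless of context."""
    return [Signal(e.host, "static:known-bad-exe", e.target) for e in events
            if e.action == "exec" and e.target.lower().split("\\")[-1] in KNOWN_BAD_EXE]

def holistic_detector(events, window=timedelta(seconds=30)):
    """Holistic: a script file is written on a host and then executed there within `window`."""
    signals, recent_writes = [], defaultdict(dict)  # host -> {script path: time written}
    for e in sorted(events, key=lambda ev: ev.ts):
        path = e.target.lower()
        if e.action == "file_write" and path.endswith(SCRIPT_EXTS):
            recent_writes[e.host][path] = e.ts
        elif e.action == "exec" and path in recent_writes[e.host]:
            if e.ts - recent_writes[e.host][path] <= window:  # old writes do not count
                signals.append(Signal(e.host, "holistic:write-then-run-script",
                                      f"{e.process} ran {e.target}"))
    return signals

def parse_log(text):
    """Each line: timestamp|host|process|action|target (constructed format for this example)."""
    return [Event(datetime.fromisoformat(f[0]), *f[1:])
            for f in (line.split("|") for line in text.strip().splitlines())]

def run_rules(text):
    """The SIEM step: apply every rule to the parsed logs and collect the signals."""
    events = parse_log(text)
    return static_detector(events) + holistic_detector(events)

# Constructed sample host log, not real telemetry. ws-04 writes a script and runs it
# 75 minutes later, outside the window, so the holistic rule does not fire for it.
SAMPLE_LOG = r"""
2024-01-01T10:00:01|ws-01|explorer.exe|exec|C:\Windows\notepad.exe
2024-01-01T10:00:05|ws-02|powershell.exe|file_write|C:\Users\bob\AppData\Roaming\upd.ps1
2024-01-01T10:00:09|ws-02|powershell.exe|exec|C:\Users\bob\AppData\Roaming\upd.ps1
2024-01-01T10:00:12|ws-03|cmd.exe|exec|C:\Temp\evil-dropper.exe
2024-01-01T11:30:00|ws-04|editor.exe|file_write|C:\Scripts\deploy.ps1
2024-01-01T12:45:00|ws-04|powershell.exe|exec|C:\Scripts\deploy.ps1
"""
```

Calling `run_rules(SAMPLE_LOG)` yields two signals: the static rule on ws-03 and the write-then-run behaviour on ws-02.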