2022-05-09 04:35 PM
Any suggestions or ideas building query to retrieve the following:
ip.src
ip.dst
country.dst
city.dst
domain.dst
action
(country.dst = 'Albania' OR country.dst = 'Armenia' OR country.dst = 'Azerbaijan' OR country.dst = 'Belarus' OR country.dst = 'Cambodia' OR country.dst = 'Cote D ivoire' OR country.dst = 'Cuba' OR country.dst = 'Georgia' OR country.dst = 'Iran' OR country.dst = 'Iraq' OR country.dst = 'isle of man' OR country.dst = 'Kazakhstan' OR country.dst = 'Kyrgyzstan' OR country.dst = 'Libya' OR country.dst = 'liechtenstein' OR country.dst = 'Moldova' OR country.dst = 'Mongolia' OR country.dst = 'Myanmar' OR country.dst = 'Seychelles' OR country.dst = 'Sudan' OR country.dst = 'Tajikistan' OR country.dst = 'Turkmenistan' OR country.dst = 'Ukraine' OR country.dst = 'Uzbekistan' OR country.dst = 'Venezuela' )
2022-05-09 11:53 PM
Are you wanting to look backwards in time, or from now forward?
If wanting to do query for past data, you will need to create a reporting engine rule to
"select" ip.src,ip.dst,country.dst,city.dst,domain.dst,action
where country.dst = 'Albania','Armenia','Azerbaijan','Belarus','Cambodia','Cote D ivoire','Cuba','Georgia','Iran','Iraq','isle of man','Kazakhstan','Kyrgyzstan','Libya','Liechtenstein','Moldova','Mongolia','Myanmar','Seychelles','Sudan','Tajikistan','Turkmenistan','Ukraine','Uzbekistan','Venezuela'
and add that rule to a report, and run the report for a specified window in time and send the output to the SIEM by syslog or whatever method you prefer.
(Note that the comma separated list is the same as your long OR statement)
If looking forward in time (real-time alerting) then first create an application rule for the country.dst
monitored_countries country.dst = 'Albania','Armenia','Azerbaijan','Belarus','Cambodia','Cote D ivoire','Cuba','Georgia','Iran','Iraq','isle of man','Kazakhstan','Kyrgyzstan','Libya','Liechtenstein','Moldova','Mongolia','Myanmar','Seychelles','Sudan','Tajikistan','Turkmenistan','Ukraine','Uzbekistan','Venezuela' and set alert to the "alert" meta key.
Then create a Reporting engine rule OR ESA rule that triggers on (alert = 'monitored_countries') and selects the meta keys listed for output to the SIEM via syslog or other format.
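As an added illustration (not code from the thread or from the product), the following Python builds both query forms from one country list, so they cannot drift apart, and runs the same selection over constructed events. The thread does not say whether the platform compares `country.dst` case-sensitively; the lowercased entries in the question's list ('isle of man', 'liechtenstein') are exactly where that matters, so the example shows both behaviours.

```python
# Added example, not from the thread. Event records are constructed samples;
# the country.dst values and IPs are hypothetical.
MONITORED_COUNTRIES = [
    "Albania", "Armenia", "Azerbaijan", "Belarus", "Cambodia", "Cote D ivoire",
    "Cuba", "Georgia", "Iran", "Iraq", "isle of man", "Kazakhstan", "Kyrgyzstan",
    "Libya", "Liechtenstein", "Moldova", "Mongolia", "Myanmar", "Seychelles",
    "Sudan", "Tajikistan", "Turkmenistan", "Ukraine", "Uzbekistan", "Venezuela",
]
SELECT_KEYS = ["ip.src", "ip.dst", "country.dst", "city.dst", "domain.dst", "action"]


def or_form(countries):
    """Long OR form, as written in the question."""
    return "(" + " OR ".join(f"country.dst = '{c}'" for c in countries) + ")"


def list_form(countries):
    """Comma-separated form from the answer; same matches as or_form."""
    return "country.dst = " + ",".join(f"'{c}'" for c in countries)


def match(event, countries, case_insensitive=True):
    """True when the event's country.dst is one of the monitored countries."""
    value = event.get("country.dst")
    if value is None:
        return False
    if case_insensitive:
        return value.casefold() in {c.casefold() for c in countries}
    return value in set(countries)  # exact match: 'isle of man' != 'Isle of Man'


def select(events, countries, keys=SELECT_KEYS, case_insensitive=True):
    """Rows holding only the requested meta keys for matching events."""
    return [{k: e.get(k) for k in keys}
            for e in events if match(e, countries, case_insensitive)]


SAMPLE_EVENTS = [  # constructed sample records
    {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.7", "country.dst": "Iran",
     "city.dst": "Tehran", "domain.dst": "example.test", "action": "allow"},
    {"ip.src": "10.0.0.6", "ip.dst": "203.0.113.8", "country.dst": "Isle of Man",
     "city.dst": "Douglas", "domain.dst": "example.test", "action": "allow"},
    {"ip.src": "10.0.0.7", "ip.dst": "203.0.113.9", "country.dst": "Germany",
     "city.dst": "Berlin", "domain.dst": "example.test", "action": "allow"},
]

if __name__ == "__main__":
    print(list_form(MONITORED_COUNTRIES))
    for row in select(SAMPLE_EVENTS, MONITORED_COUNTRIES):
        print(row)
```

With exact matching only the Iran event is selected; with case-folding the Isle of Man event is selected too, which is the difference the mixed-case list in the question would produce.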