You want to:
Cloud Secure Web Gateway (Cloud SWG)
Broadcom Cloud SWG does not support domain wildcards.
You should include only the top-level domain. The policy will match all subdomains.
Tip: You can use rule ordering logic to ensure other subdomains apply a different policy
#Rule 1
test.example.com DENY
#Rule 2
example.com ALLOW
This will result in example.com being allowed but test.example.com still being blocked.
The same concept also works with Top Level domains, for instance
#Rule 1
com BLOCK
Will result in google.com being blocked