When Cloud SWG Policy Management is set to "Cloud SWG Portal" you can setup rules (on the portal) that use WSS Agent as a source.
When Cloud SWG Policy Management is set to "Management Center" (also known-as Universal Policy Enforcement / UPE) the option to setup rules that use WSS Agent as a source is not available.
In order to setup rules that use WSS Agent as a source the below CPL code should be used.
This CPL entry matches to WSS Agent traffic:
client.location.access_type=client_connector
Sample policy to deny an url/domain just for WSS Agents would look like this:
<proxy>
url.domain=example.com client.location.access_type=client_connector deny
Then, to check Cloud SWG Portal Reports for WSS Agent traffic, filter based on Agent Type needs to be done.
In the below example, first entry is for access from IPSec location, the second from WSS Agent: