Hi Liban,
That's how HTTPS inspection works. Basically, for the HTTPS traffic when the destination is supposed to be decrypted we have at least 2 transactions for the request:
1. HTTP CONNECT
2. HTTP GET (or other application-layer request)
So for the first one, you'll see the decryption policy instead of access policy since WSA decided to decrypt the traffic (that's the actual action applied for the transaction)
For the second transaction after decryption, you'll see the actual access policy applied by WSA.
So for decrypted traffic, we have 2 stages - decryption and access policy. If you check access logs for the airbnb traffic you'll see that.
Please vote for the comment if you find it helpful.