Hi,
Since google.com traffic will automatically using HTTPS connection and in order to see the full link for this connection, the request will need to be decrypted otherwise WSA will only sees just the parent domain (www.google.com).
To decrypt the HTTPS traffic means that the HTTPS proxy will need to be enabled in WSA and use decryption policy to decrypt traffic for google.com.
Once it is decrypted, it will then go to Access Policy.
You can create a custom URL category using regular expression for this then include that new custom URL category to your access policy and set the action such as block or allow.
The regular expression in the custom URL category to identify redirect domain behaviour from google, you can use below regular expression:
url?.*\.*\q=
Hope this helps.
Regards
Handy Putra