Databricks Terms of Service Changes

Panther Rules

Summary
This rule detects Terms of Service (ToS) events within Databricks audit logs to support compliance and governance. It focuses on lifecycle events related to ToS, notably acceptance (actionName: acceptTos) and distribution/sending (actionName: sendTos) logged under the accounts service. The rule captures key fields such as userIdentity (email), timestamp, source IP, and HTTP response status when available, enabling traceability of who accepted or was sent ToS and when.

It is designed for audit baselines and policy-change verification over a rolling period (the runbook suggests reviewing the past 90 days), and it cross-checks ToS events against onboarding timelines and policy updates. The Tests section provides representative scenarios: confirming a ToS acceptance by a new user, confirming a ToS distribution event by an administrator, and ensuring non-ToS actions (e.g., login) do not falsely trip the rule.

Operationally, the rule supports investigators and compliance teams in verifying ToS adherence, detecting deviations, and maintaining governance over service usage. The runbook guides investigators to establish baselines, align ToS events with expected governance milestones, and assemble a historical ToS events ledger per user for compliance history. The rule is labeled Experimental with Info severity and is tied to Databricks Audit log data, suitable for governance, risk, and compliance workflows.
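The matching logic and per-user ledger described in the summary, as an added sketch that is not Panther's rule source. The field names `serviceName`, `sourceIPAddress` and `response.statusCode` are assumed from the Databricks audit log schema, the helper names are hypothetical, and the sample events are constructed.

```python
from collections import defaultdict

TOS_ACTIONS = {"acceptTos", "sendTos"}  # action names given in the summary

def rule(event):
    """True for ToS lifecycle events logged under the accounts service."""
    return (event.get("serviceName") == "accounts"
            and event.get("actionName") in TOS_ACTIONS)

def summarize(event):
    """Pull the traceability fields; status and source IP may be absent."""
    return {
        "user": (event.get("userIdentity") or {}).get("email", "<unknown>"),
        "action": event.get("actionName"),
        "timestamp": event.get("timestamp"),
        "source_ip": event.get("sourceIPAddress"),  # assumed field name
        "status": (event.get("response") or {}).get("statusCode"),  # assumed
    }

def build_ledger(events):
    """Per-user, time-ordered ledger of ToS events for compliance history."""
    ledger = defaultdict(list)
    for event in filter(rule, events):
        row = summarize(event)
        ledger[row["user"]].append(row)
    for rows in ledger.values():
        rows.sort(key=lambda r: r["timestamp"] or 0)
    return dict(ledger)

# Constructed sample events (not real log data); timestamps are epoch ms.
SAMPLE_EVENTS = [
    {"serviceName": "accounts", "actionName": "acceptTos", "timestamp": 1767312000000,
     "userIdentity": {"email": "new.user@example.com"}},  # no response or IP logged
    {"serviceName": "accounts", "actionName": "sendTos", "timestamp": 1767139200000,
     "userIdentity": {"email": "admin@example.com"},
     "sourceIPAddress": "198.51.100.7", "response": {"statusCode": 200}},
    {"serviceName": "accounts", "actionName": "login", "timestamp": 1767225500000,
     "userIdentity": {"email": "new.user@example.com"},
     "sourceIPAddress": "192.0.2.10", "response": {"statusCode": 200}},
    {"serviceName": "accounts", "actionName": "acceptTos", "timestamp": 1767225600000,
     "userIdentity": {"email": "new.user@example.com"},
     "sourceIPAddress": "192.0.2.10", "response": {"statusCode": 200}},
]

if __name__ == "__main__":
    for user, rows in build_ledger(SAMPLE_EVENTS).items():
        print(user, [(r["action"], r["timestamp"], r["status"]) for r in rows])
```

The login event is filtered out, and the acceptance logged without a response still lands in the ledger with an empty status, so a missing field does not hide a ToS event from the compliance history.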
Categories
  • Cloud
  • Application
Data Sources
  • Application Log
  • Cloud Service
Created: 2026-04-01