You can easily extract facility and severity from the PRI (priority) header of syslog, even if you use a Raw input. But your message should contain <PRI>
at the beginning of the message. You can use either regex or GROK to extract it and then use the pipeline function expand_syslog_priority
to extract facility and severity.
https://docs.graylog.org/en/4.1/pages/pipelines/functions.html#expand-syslog-priority
rule "Cisco FirePower priority parsing"
when
  // only handle Cisco FTD messages (case-insensitive match)
  contains(to_string($message.message), "%FTD", true)
then
  // pull the numeric PRI from the leading <PRI> into the field syslog_pri
  set_fields(grok(pattern: "<%{NONNEGINT:syslog_pri:int}>", value: to_string($message.message), only_named_captures: true));
  // split PRI into facility (pri / 8) and level (pri % 8)
  let priority = expand_syslog_priority(to_long($message.syslog_pri));
  set_fields({facility: priority.facility, level: priority.level });
end
You can expand the grok pattern to also contain more details like date, time, mnemonic and so on if you want.
Or, if you want a text representation of facility and priority, use the function expand_syslog_priority_as_string:
https://docs.graylog.org/en/4.1/pages/pipelines/functions.html#expand-syslog-priority-as-string
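To see what the grok pattern and the two expand functions actually compute, here is an added Python example (not Graylog's code and not from the original post) that does the same PRI extraction and facility/level split over a few constructed Cisco FTD style lines, including a line with no leading <PRI>. The facility and severity names are the RFC 5424 ones, which is an assumption; Graylog's own string mapping may differ in spelling.

```python
import re
from typing import Optional

# Facility and severity names from RFC 5424, section 6.2.1 (assumption: Graylog's
# expand_syslog_priority_as_string may spell some of them differently).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = [
    "Emergency", "Alert", "Critical", "Error",
    "Warning", "Notice", "Informational", "Debug",
]

# Same job as the grok pattern "<%{NONNEGINT:syslog_pri:int}>": the PRI must be
# the very first thing in the raw message.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def expand_syslog_priority(pri: int) -> dict:
    """Split a PRI value into facility and level, like the pipeline function."""
    if not 0 <= pri <= 191:  # 24 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    return {"facility": pri // 8, "level": pri % 8}


def expand_syslog_priority_as_string(pri: int) -> dict:
    """String form of the same split, like expand_syslog_priority_as_string."""
    parts = expand_syslog_priority(pri)
    return {"facility": FACILITY_NAMES[parts["facility"]],
            "level": SEVERITY_NAMES[parts["level"]]}


def parse_raw_line(message: str) -> Optional[dict]:
    """Extract and expand the PRI of a raw line; None when no leading <PRI> exists."""
    match = PRI_RE.match(message)
    if not match:
        return None
    pri = int(match.group(1))
    fields = {"syslog_pri": pri}
    fields.update(expand_syslog_priority(pri))
    return fields


# Constructed sample lines in Cisco FTD style (not real captures).
SAMPLE_LINES = [
    "<166>Aug 10 2021 12:00:00 ftd01 : %FTD-6-302013: Built outbound TCP connection 12",
    "<163>Aug 10 2021 12:00:01 ftd01 : %FTD-3-106014: Deny inbound icmp src outside:198.51.100.9",
    "Aug 10 2021 12:00:02 ftd01 : %FTD-6-302014: Teardown TCP connection 12",  # no PRI
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_raw_line(line))
```

The third line shows why the post insists on <PRI> being at the very start: without it there is nothing for the grok pattern to match, and the rule would set no facility or level.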